lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050627161452.GA6029@piware.de>
Date: Mon Jun 27 17:15:02 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-144-1] dbus vulnerability

===========================================================
Ubuntu Security Notice USN-144-1	      June 27, 2005
dbus vulnerability
CAN-2005-0201
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

dbus-1

The problem can be corrected by upgrading the affected package to
version 0.22-1ubuntu2.1.  You have to restart your Gnome session (i.e.
log out and back in) after doing a standard system upgrade to effect
the necessary changes.

Details follow:

Besides providing the global system-wide communication bus, dbus also
offers per-user "session" buses which applications in an user's
session can create and use to communicate with each other.  Daniel
Reed discovered that the default configuration of the session dbus
allowed a local user to connect to another user's session bus if its
address was known. The fixed packages restrict the default permissions
to the user who owns the session dbus instance.

Please note that a standard Ubuntu installation does not use the
session bus for anything, so this can only be exploited if you are
using custom software which uses it.


  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.22-1ubuntu2.1.diff.gz
      Size/MD5:    15995 6f8b07a03ee133e67607985210dcaa21
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.22-1ubuntu2.1.dsc
      Size/MD5:      909 d47c88f0d2cc14da7bab054bb2923ea6
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.22.orig.tar.gz
      Size/MD5:  1248780 6b1c2476ea8b82dd9fb7f29ef857cb9f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-doc_0.22-1ubuntu2.1_all.deb
      Size/MD5:   817462 2942d675de295f743ebdceff28edc3eb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-dev_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   233840 ddfcaa03766658123d982a891a5ae5fe
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-utils_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   100612 d8defb47c253b5475ea40d005782c040
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   332330 a821776783887a74227da54fb2c8cfc0
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1-dev_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   105656 817e67b68bad8cc21dbdd6d824aa8dd2
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   103222 19d76a1c5b2dfdcd993d4d8b1004a84f
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/python2.3-dbus_0.22-1ubuntu2.1_amd64.deb
      Size/MD5:   142524 5f2bc9aaa7aaa062ea4c66a45dab389a

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-dev_0.22-1ubuntu2.1_i386.deb
      Size/MD5:   207320 f9f955179ef745de5587cdb4a22e0d8c
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-utils_0.22-1ubuntu2.1_i386.deb
      Size/MD5:    99146 e409ea2bf9ed72101b59e8a1616a9c5b
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1_0.22-1ubuntu2.1_i386.deb
      Size/MD5:   297298 10b6a50dc30819935b24ca337c85c31a
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1-dev_0.22-1ubuntu2.1_i386.deb
      Size/MD5:   101542 565fe12a77c4cea1ade70977d3672a62
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1_0.22-1ubuntu2.1_i386.deb
      Size/MD5:   100526 8bab20aafd035e1ed7c940225bda277c
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/python2.3-dbus_0.22-1ubuntu2.1_i386.deb
      Size/MD5:   130754 e8676c7a4157e15a236fdaa38e080691

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-dev_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   235306 83ae5fee85566f19262a4548575c0ec1
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-utils_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   100766 2a138c9f8fa460abc9c34cb9d21d2070
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   312850 27ea75fa2dd9a40a1dc84724def7c4e4
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1-dev_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   107106 4b176bc6c2a42bdb0e05b2e28b40d49d
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-glib-1_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   100502 e0316f200a0ab7829d0c5478b288e9cb
    http://security.ubuntu.com/ubuntu/pool/main/d/dbus/python2.3-dbus_0.22-1ubuntu2.1_powerpc.deb
      Size/MD5:   143508 3d2a2015e906ebdd217cba8791002edc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050627/73018461/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ