[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050804172718.GA27392@piware.de>
Date: Thu Aug 4 18:27:22 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-161-1] bzip2 utility vulnerability
===========================================================
Ubuntu Security Notice USN-161-1 August 04, 2005
bzip2 vulnerability
CAN-2005-0758
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
bzip2
The problem can be corrected by upgrading the affected package to
version 1.0.2-1ubuntu0.2 (for Ubuntu 4.10), or 1.0.2-2ubuntu0.2 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.
Details follow:
USN-158-1 fixed a command injection vulnerability in the "zgrep"
utility. It was determined that the "bzgrep" counterpart in the bzip2
package is vulnerable to the same flaw.
bzgrep did not handle shell metacharacters like '|' and '&' properly
when they occurred in input file names. This could be exploited to
execute arbitrary commands with user privileges if bzgrep was run in
an untrusted directory with specially crafted file names.
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2.diff.gz
Size/MD5: 11735 3d9a5ae13b16a5dd9020e57beac79c74
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2.dsc
Size/MD5: 582 a489f79813ba7da1e62bbda3c235ccbc
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2.orig.tar.gz
Size/MD5: 665198 ee76864958d568677f03db8afad92beb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_amd64.deb
Size/MD5: 231752 ee54b95496fe4c6a1313e3179ea765cd
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_amd64.deb
Size/MD5: 36382 078310a7316287142bce4b063be16e86
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_amd64.deb
Size/MD5: 29904 7204b4c261a55e95aaf011dabb287f9e
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_i386.deb
Size/MD5: 229128 ec416f0b001b14295fc301d79d19a9f2
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_i386.deb
Size/MD5: 37272 3591a3038d53686d76d085cbe4097e68
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_i386.deb
Size/MD5: 29254 a7520ab570bd81d17d48f2beafb384ce
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_powerpc.deb
Size/MD5: 232308 da79f11ca562eabae59a39ea1af6fb55
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_powerpc.deb
Size/MD5: 41522 8b009f607553df1e5819290f932f7799
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_powerpc.deb
Size/MD5: 33608 881c09f2a5a1e4489832daf480679e71
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2.diff.gz
Size/MD5: 11920 878237573cd883fa7a5d60ccfe7b0622
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2.dsc
Size/MD5: 605 a26e3733c18d2c2ca4d69c147ff3767b
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2.orig.tar.gz
Size/MD5: 665198 ee76864958d568677f03db8afad92beb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_amd64.deb
Size/MD5: 232126 9fa0d2d4357982cb6e1724d72e2688a6
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_amd64.deb
Size/MD5: 36928 ca8e86a00ffcb01a36c9522b25a0f6c5
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_amd64.deb
Size/MD5: 30270 dd1c9cf3094e4f473e34df06ae9a6802
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_i386.deb
Size/MD5: 229310 ca982f58fe86f2db0d59ad16fbacca12
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_i386.deb
Size/MD5: 37800 db46c02fd95f3f7677bb74f69b265d5f
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_i386.deb
Size/MD5: 29618 7a26241a9f0ae036f3382e0d81ef90fc
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_powerpc.deb
Size/MD5: 232654 16fe2e3ea9e354e2ad8ed70d39aa43ac
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_powerpc.deb
Size/MD5: 42082 f409f7820a9e60aa705c509e9cf5265a
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_powerpc.deb
Size/MD5: 33974 c5da4019a28953a92625e1e02d4c3a27
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050804/9cf0031f/attachment.bin
Powered by blists - more mailing lists