lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070124013000.GJ17546@outflux.net>
Date: Tue, 23 Jan 2007 17:30:00 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-412-1] GeoIP vulnerability

=========================================================== 
Ubuntu Security Notice USN-412-1           January 23, 2007
geoip vulnerability
CVE-2007-0159
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  geoip-bin                                1.3.10-1ubuntu0.1

Ubuntu 6.06 LTS:
  geoip-bin                                1.3.14-2ubuntu0.1

Ubuntu 6.10:
  geoip-bin                                1.3.17-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Dean Gaudet discovered that the GeoIP update tool did not validate the 
filename responses from the update server.  A malicious server, or 
man-in-the-middle system posing as a server, could write to arbitrary 
files with user privileges.


Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.10-1ubuntu0.1.diff.gz
      Size/MD5:    19361 1577a4756cbfcbc08fee1d6ab88df63c
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.10-1ubuntu0.1.dsc
      Size/MD5:      619 718ec1b30033bf8c552d0dec546cae84
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.10.orig.tar.gz
      Size/MD5:   623578 617adbadc30525ed1b76bd85d2df0848

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.10-1ubuntu0.1_amd64.deb
      Size/MD5:    21740 d82e390d020ae7f038972d1e93c7770b
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.10-1ubuntu0.1_amd64.deb
      Size/MD5:    46110 39942b4693519b7e8163726f06938fa4
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.10-1ubuntu0.1_amd64.deb
      Size/MD5:   442618 a5347051848d76f56f60cac3160d4133

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.10-1ubuntu0.1_i386.deb
      Size/MD5:    20480 5b54a91e89477e3c0b1c360235ce35ec
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.10-1ubuntu0.1_i386.deb
      Size/MD5:    44040 49d5b66ff34b12e0c927e64467878cbb
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.10-1ubuntu0.1_i386.deb
      Size/MD5:   439838 fcc414ff57cd78588d02f6a7c24b666f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.10-1ubuntu0.1_powerpc.deb
      Size/MD5:    24108 3a17f77d1d50e6d8cb8ab04d094fcea9
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.10-1ubuntu0.1_powerpc.deb
      Size/MD5:    44786 8db0863a597193c3b8e0455fe38c1cd6
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.10-1ubuntu0.1_powerpc.deb
      Size/MD5:   444540 9769bd03d33543296cbd721bd3fd758b

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.10-1ubuntu0.1_sparc.deb
      Size/MD5:    20914 aa9e3b039820f95c96555710223b1088
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.10-1ubuntu0.1_sparc.deb
      Size/MD5:    44958 5aa013e81f5f505f2fb5acae3138e75b
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.10-1ubuntu0.1_sparc.deb
      Size/MD5:   440072 c331d12a7f45e1f2467b8dccd13e70dc

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.14-2ubuntu0.1.diff.gz
      Size/MD5:    37644 fffce27f110b11f57ac1180483672245
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.14-2ubuntu0.1.dsc
      Size/MD5:      621 b27f07aad2bc0bc6249d345cf57a1b97
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.14.orig.tar.gz
      Size/MD5:   676699 b0bb68858586e44b30539751c1c2eb72

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.14-2ubuntu0.1_amd64.deb
      Size/MD5:    17250 25a504fbc7a804c6b2c9e9bb031d11fe
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.14-2ubuntu0.1_amd64.deb
      Size/MD5:    48244 6540d56fa4091c3f5f0e097315e60068
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.14-2ubuntu0.1_amd64.deb
      Size/MD5:   457716 60c072459d9c964acd028521e28a749d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.14-2ubuntu0.1_i386.deb
      Size/MD5:    16696 a1d3b8d0a16b5d9fea8531232c41c8ee
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.14-2ubuntu0.1_i386.deb
      Size/MD5:    46362 b7312b4899edffba1b05c7845ba7175b
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.14-2ubuntu0.1_i386.deb
      Size/MD5:   455014 c1de51f98c8840450505d9955d2136cd

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.14-2ubuntu0.1_powerpc.deb
      Size/MD5:    19610 b259e96b0f7b6875771b4c4b513dc331
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.14-2ubuntu0.1_powerpc.deb
      Size/MD5:    47086 0789205be3acaf2f679116e413134fc0
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.14-2ubuntu0.1_powerpc.deb
      Size/MD5:   458658 39d545b4555018fb6cfcc00c2c30405c

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.14-2ubuntu0.1_sparc.deb
      Size/MD5:    16890 b73477c481d785d917dff731a9039371
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.14-2ubuntu0.1_sparc.deb
      Size/MD5:    47712 fdea5cabbd70f9af016514688b1a10f9
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.14-2ubuntu0.1_sparc.deb
      Size/MD5:   455872 3dae362b3c420556c1b30b7dc3dc5827

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.17-1ubuntu0.1.diff.gz
      Size/MD5:    32292 88f5e421958604218e8fd28265f78ddc
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.17-1ubuntu0.1.dsc
      Size/MD5:      621 a4ad466ec23c97646dee1ebd3ff0085f
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/geoip_1.3.17.orig.tar.gz
      Size/MD5:   777923 513c0a2e93179790c465206e70ddda74

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.17-1ubuntu0.1_amd64.deb
      Size/MD5:    17652 2ee948b5c67f643f375431df37926db0
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.17-1ubuntu0.1_amd64.deb
      Size/MD5:    48162 ecc9d206bf9e0db424afeb84df18ced7
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.17-1ubuntu0.1_amd64.deb
      Size/MD5:   478240 6130b7c288bb9bf2a04d3a8f7d694b9e

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.17-1ubuntu0.1_i386.deb
      Size/MD5:    17106 a95144d6b85f7e494f772d35e44ffee3
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.17-1ubuntu0.1_i386.deb
      Size/MD5:    47452 fec7b87ac2baef74654373ffb54cc9e0
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.17-1ubuntu0.1_i386.deb
      Size/MD5:   476192 af001d792625ff40d7ea51e2bf688c88

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.17-1ubuntu0.1_powerpc.deb
      Size/MD5:    20126 5b336326b1754e61765f6b9b53647178
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.17-1ubuntu0.1_powerpc.deb
      Size/MD5:    47766 e3a67bbaae13a8d0f04a860c0526d775
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.17-1ubuntu0.1_powerpc.deb
      Size/MD5:   479884 e3c1da145ec64ebcb30f31864dfd7a2d

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/g/geoip/geoip-bin_1.3.17-1ubuntu0.1_sparc.deb
      Size/MD5:    17308 d0719e919c096d850e8e46cc8f6f6c61
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip-dev_1.3.17-1ubuntu0.1_sparc.deb
      Size/MD5:    47464 14bc103daa37d153c931d2a005ad5d45
    http://security.ubuntu.com/ubuntu/pool/main/g/geoip/libgeoip1_1.3.17-1ubuntu0.1_sparc.deb
      Size/MD5:   475804 db29457bd10e259c16ff020c49513cab


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ