Message-ID: <20081209010830.GK25309@outflux.net>
Date: Mon, 8 Dec 2008 17:08:30 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-688-1] Compiz vulnerability

===========================================================
Ubuntu Security Notice USN-688-1          December 09, 2008
compiz-fusion-plugins-main vulnerability
https://launchpad.net/bugs/247088
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  compiz-fusion-plugins-main      0.5.2+git20070928-0ubuntu2.2

Ubuntu 8.04 LTS:
  compiz-fusion-plugins-main      0.7.4-0ubuntu6.2

Ubuntu 8.10:
  compiz-fusion-plugins-main      0.7.8-0ubuntu2.2

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

It was discovered that the Expo plugin for Compiz did not correctly
restrict the screensaver window from being moved with the mouse.  A local
attacker could use the mouse to move the screensaver off the screen and
gain access to the locked desktop session underneath. Default installs
of Ubuntu were not vulnerable as Expo does not come pre-configured with
mouse bindings.
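
To audit collected package inventories against the fixed versions listed above without running dpkg on each host, the following added example (not part of the original advisory) compares versions using Debian's version ordering. The host names and inventory rows are constructed, and the comparison routine is an illustrative reimplementation, not dpkg's own code.

```python
import re

# Fixed versions copied from the advisory, keyed by Ubuntu release.
FIXED = {"7.10": "0.5.2+git20070928-0ubuntu2.2",
         "8.04": "0.7.4-0ubuntu6.2", "8.10": "0.7.8-0ubuntu2.2"}

def _order(c):
    # dpkg weights: '~' < end-of-string or digit < letters < other symbols
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk both strings as alternating non-digit and digit runs.
    while a or b:
        ta, a = re.match(r"(\D*)(.*)", a).groups()
        tb, b = re.match(r"(\D*)(.*)", b).groups()
        for k in range(max(len(ta), len(tb))):
            wa, wb = _order(ta[k:k + 1]), _order(tb[k:k + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        na, a = re.match(r"(\d*)(.*)", a).groups()
        nb, b = re.match(r"(\d*)(.*)", b).groups()
        if int(na or 0) != int(nb or 0):  # numeric, so 2.10 > 2.2
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare(v1, v2):  # returns -1, 0 or 1 in Debian version order
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def needs_update(release, installed):
    return compare(installed, FIXED[release]) < 0

# Constructed inventory rows: (host, Ubuntu release, installed version).
INVENTORY = [("desk-01", "8.04", "0.7.4-0ubuntu6"),
             ("desk-02", "8.10", "0.7.8-0ubuntu2.2"),
             ("desk-03", "7.10", "0.5.2+git20070928-0ubuntu2.10")]

def vulnerable_hosts(rows=INVENTORY):
    return [host for host, rel, ver in rows if needs_update(rel, ver)]
```

A plain string comparison would wrongly rank the constructed revision 0ubuntu2.10 below 0ubuntu2.2, which is why the digit runs are compared as numbers.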



