lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1236704090.10482.7.camel@mdlinux.technorage.com>
Date: Tue, 10 Mar 2009 12:54:50 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [USN-732-1] dash vulnerability

===========================================================
Ubuntu Security Notice USN-732-1             March 10, 2009
dash vulnerability
CVE-2009-0854
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  dash                            0.5.4-8ubuntu1.1

Ubuntu 8.10:
  dash                            0.5.4-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Wolfgang M. Reimer discovered that dash, when invoked as a login shell, would
source .profile files from the current directory. Local users may be able to
bypass security restrictions and gain root privileges by placing specially
crafted .profile files where they might get sourced by other dash users.


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1.diff.gz
      Size/MD5:   171656 5f74e0a922546193a9e6279ad8680c76
    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1.dsc
      Size/MD5:      697 e78236937fea17c0c7a43427321b1ce6
    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.gz
      Size/MD5:   212145 bc457e490a589d2f87f2333616b67931

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-8ubuntu1.1_all.deb
      Size/MD5:    22068 82557822348627c1b240069e431886e2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_amd64.deb
      Size/MD5:    96918 b8d43124e5353042c7fd93fcc5c19cc9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_i386.deb
      Size/MD5:    87952 6bc4578aea92450f8e00625fd7a7755a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_lpia.deb
      Size/MD5:    88194 a90de1a5dedb9cbaeb65537e8e933356

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_powerpc.deb
      Size/MD5:    97400 5e2187820648d980b4edaa4e4a71b6c5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_sparc.deb
      Size/MD5:    91072 dc5e22376445e185eacdaa049421c866

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1.diff.gz
      Size/MD5:   129759 b5363e9ff9550e89dec4be8ddc408607
    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1.dsc
      Size/MD5:     1083 dc87a11f64c53960ffb1f55dc42a253f
    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.gz
      Size/MD5:   212145 bc457e490a589d2f87f2333616b67931

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-9ubuntu1.1_all.deb
      Size/MD5:    22286 9a34d34a67d46b8fa42584a2a7d61f76

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_amd64.deb
      Size/MD5:    99406 8703819fce4bc25f65caa350de05763c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_i386.deb
      Size/MD5:    90266 9d8931f5ef08f4d649127db0ab644f8e

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_lpia.deb
      Size/MD5:    90322 a0db897e7a7c5a7706d71674bad025ee

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_powerpc.deb
      Size/MD5:    99500 a583f4a7fc59a7495cb3615c4af54b05

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_sparc.deb
      Size/MD5:    93030 1bd3a8c0907e56cb2ed17c572e61842b



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@...ts.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ