[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20091008214730.GB3892@severus.strandboge.com>
Date: Thu, 8 Oct 2009 16:47:30 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-847-1] Devscripts vulnerability
===========================================================
Ubuntu Security Notice USN-847-1 October 08, 2009
devscripts vulnerability
CVE-2009-2946
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
devscripts 2.10.11ubuntu5.8.04.4
Ubuntu 8.10:
devscripts 2.10.26ubuntu15.2
Ubuntu 9.04:
devscripts 2.10.39ubuntu7.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Raphael Geissert discovered that uscan, a part of devscripts, did not
properly sanitize its input when processing pathnames. If uscan processed a
crafted filename for a file on a remote server, an attacker could execute
arbitrary code with the privileges of the user invoking the program.
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4.dsc
Size/MD5: 1255 e77cd75293868dce15bda87381699c60
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4.tar.gz
Size/MD5: 494661 b9836cd30eaab24a4ae677caa501a3c3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_amd64.deb
Size/MD5: 415752 5e481014f7449d48747173827c6112f8
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_i386.deb
Size/MD5: 415498 c91b58be71303331b753843b3f65e238
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_lpia.deb
Size/MD5: 415424 a3ffe0b548091da9a06b6540e2e81931
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_powerpc.deb
Size/MD5: 418916 9b0821303a4e38f70de0bdc46e6defec
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_sparc.deb
Size/MD5: 415792 f1a09efc55c39effc8e6cd01f4d49758
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2.dsc
Size/MD5: 1530 a2f1aebd332918e92060980ac76011fa
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2.tar.gz
Size/MD5: 561023 0c73fe1803a03333866299cf4909985c
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_amd64.deb
Size/MD5: 471866 f89e7cd144b853bc99baf4c966e0c3e3
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_i386.deb
Size/MD5: 471522 042a41e7c54ef83ed3b44d5191c15a07
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_lpia.deb
Size/MD5: 471450 2ece0a60ad5ab0b2c3404d450a36eb16
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_powerpc.deb
Size/MD5: 474890 c6efa6fb38fb77446566abd5cdb05d28
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_sparc.deb
Size/MD5: 472200 90da98a2ea045bf27c456f652b9f9b6b
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1.dsc
Size/MD5: 1537 3f5d345bb069e0796433b96dae26d9d0
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1.tar.gz
Size/MD5: 624181 ecc8f7705c920f415f0db16ac5e1d5cb
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_amd64.deb
Size/MD5: 529182 2a19ee9baffa132f6c56268c893d9a1e
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_i386.deb
Size/MD5: 528806 2adb86a60d3e11a3ca2a076a0736148e
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_lpia.deb
Size/MD5: 528698 e519f930ed469db24073db51e3586bcb
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_powerpc.deb
Size/MD5: 532576 623f2380e8276dbc6facbff757f43554
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_sparc.deb
Size/MD5: 529380 5e32ebcc85a7bcadf98d27853d940b16
Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists