Message-ID: <20091008214730.GB3892@severus.strandboge.com>
Date: Thu, 8 Oct 2009 16:47:30 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-847-1] Devscripts vulnerability

===========================================================
Ubuntu Security Notice USN-847-1           October 08, 2009
devscripts vulnerability
CVE-2009-2946
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  devscripts                      2.10.11ubuntu5.8.04.4

Ubuntu 8.10:
  devscripts                      2.10.26ubuntu15.2

Ubuntu 9.04:
  devscripts                      2.10.39ubuntu7.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Raphael Geissert discovered that uscan, a part of devscripts, did not
properly sanitize its input when processing pathnames. If uscan processed a
crafted filename for a file on a remote server, an attacker could execute
arbitrary code with the privileges of the user invoking the program.
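The defect class described above is a tool treating a filename learned from a remote server as trusted input. As an added example (not devscripts' code and not the fix the updated packages ship), the check below applies a conservative allowlist to filenames scraped from a constructed index page and hands accepted names to a downloader as a single argv element rather than interpolating them into a shell command or evaluated code; the allowlist pattern and the wget invocation are this editor's assumptions.

```python
import re

# Allowlist for upstream tarball names: must start with an alphanumeric and
# may only contain characters common in Debian upstream tarball names.
# Assumption: this is the editor's own rule, not the one devscripts adopted.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+~-]*")

# Constructed index lines, standing in for the HTML an upstream download
# directory would return (not taken from any real server).
SAMPLE_INDEX = [
    '<a href="foo-1.2.3.tar.gz">foo-1.2.3.tar.gz</a>',
    '<a href="foo-1.2.4.tar.gz;date">foo-1.2.4.tar.gz</a>',   # shell metacharacter
    '<a href="../../etc/passwd">parent</a>',                   # path traversal
    '<a href="foo-$(date).tar.gz">foo.tar.gz</a>',             # command substitution
]


def validate_remote_filename(name: str) -> bool:
    """True only if a remote-supplied filename is safe to use both as a
    local path component and as a subprocess argument."""
    return _SAFE_NAME.fullmatch(name) is not None


def plan_download(index_lines, base_url):
    """Scrape href values from index lines and split them into accepted
    download commands (argv lists) and rejected names for the audit log."""
    accepted, rejected = [], []
    for line in index_lines:
        for name in re.findall(r'href="([^"]+)"', line):
            if validate_remote_filename(name):
                # An argv list keeps the name a single argument; no shell
                # ever parses it and no code path evaluates it.
                accepted.append(["wget", "-O", name, base_url + name])
            else:
                rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_download(SAMPLE_INDEX, "http://example.invalid/dist/")
    for argv in ok:
        print("would run:", argv)
    for name in bad:
        print("rejected untrusted filename:", repr(name))
```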
