lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1264013147.2859.5.camel@mdlinux.technorage.com>
Date: Wed, 20 Jan 2010 13:45:47 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-889-1] gzip vulnerabilities

===========================================================
Ubuntu Security Notice USN-889-1           January 20, 2010
gzip vulnerabilities
CVE-2009-2624, CVE-2010-0001
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  gzip                            1.3.5-12ubuntu0.3

Ubuntu 8.04 LTS:
  gzip                            1.3.12-3.2ubuntu0.1

Ubuntu 8.10:
  gzip                            1.3.12-6ubuntu2.8.10.1

Ubuntu 9.04:
  gzip                            1.3.12-6ubuntu2.9.04.1

Ubuntu 9.10:
  gzip                            1.3.12-8ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that gzip incorrectly handled certain malformed
compressed files. If a user or automated system were tricked into opening a
specially crafted gzip file, an attacker could cause gzip to crash or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2009-2624)

Aki Helin discovered that gzip incorrectly handled certain malformed
files compressed with the Lempel–Ziv–Welch (LZW) algorithm. If a user or
automated system were tricked into opening a specially crafted gzip file,
an attacker could cause gzip to crash or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0001)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3.diff.gz
      Size/MD5:    60450 f776594c89517aee5199d730262c631a
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3.dsc
      Size/MD5:      580 57e2e736523ddca8eed471e37d95ba56
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_amd64.deb
      Size/MD5:    76784 382af29edab6956cb7e22d9038e7a0c6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_i386.deb
      Size/MD5:    71542 2dba95bc16563deca9cb2043716c0614

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_powerpc.deb
      Size/MD5:    78570 14fca9db29e847da26a96d1b7eacc987

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_sparc.deb
      Size/MD5:    75350 a32d045bff7a8b2eded7ca44a6c56a71

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1.diff.gz
      Size/MD5:    21097 35ac77f9806cfaf89b44ad13f036ebb0
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1.dsc
      Size/MD5:      690 26bb99c8353a1cea7817da3ac5b72936
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
      Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_amd64.deb
      Size/MD5:   105556 39a705cdad01d749880b1cc6d128cdbc

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_i386.deb
      Size/MD5:   100940 e05abba2953254007df763fd017c99f7

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_lpia.deb
      Size/MD5:   101502 bf3de26dd23cd7514f0d5b224219ac08

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_powerpc.deb
      Size/MD5:   107674 aa414734d70182cfccd0ac02c8873ad2

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_sparc.deb
      Size/MD5:   104294 bb4276c79332aac1f83a49fdaa347374

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1.diff.gz
      Size/MD5:    14889 2de284c09d34e03bcfa28cd23b4dc9bb
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1.dsc
      Size/MD5:     1094 4849b332ad6c9985cce9055552586bc2
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
      Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_amd64.deb
      Size/MD5:   106498 d9d201515bae0a02ba0b4aa624c1bdfd

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_i386.deb
      Size/MD5:   101904 4074fbe8d0b57b38718efca5e1d5b6ae

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_lpia.deb
      Size/MD5:   102400 02c4cfb84517e6919817c7c647cc4fb1

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_powerpc.deb
      Size/MD5:   108666 e1c040d3997a19719553d7696c66ce11

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_sparc.deb
      Size/MD5:   105492 22015ce9386f9efcc9e6747cf454bfbb

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1.diff.gz
      Size/MD5:    14895 3490828be3af884992fc987b7c2f5b2b
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1.dsc
      Size/MD5:     1094 64319e2f975a269dbed1022c6dfef3cf
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
      Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_amd64.deb
      Size/MD5:   106504 4572428e480bab4e70f3e37c7000ec03

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_i386.deb
      Size/MD5:   101912 9ebe65aa9f52828d4dc119088f8b272f

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_lpia.deb
      Size/MD5:   102432 03d12cec2b884662ba1dec7aad3dcd70

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_powerpc.deb
      Size/MD5:   108672 4bf7e4175faf5ca41f66a8a039825b01

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_sparc.deb
      Size/MD5:   105472 c672bd50726018ee46973bfc7bf048dd

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1.diff.gz
      Size/MD5:    15815 940f33cfc1386b5697b87cc1392e1bfd
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1.dsc
      Size/MD5:     1116 c8a32b46e7f0a68ce00749d69ed1ecfa
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
      Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_amd64.deb
      Size/MD5:   107018 ade7350ccb5f830e190d069386d47db1

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_i386.deb
      Size/MD5:   102242 ecd938e16f552d6b6cadfe319f87cb3f

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_lpia.deb
      Size/MD5:   102672 055afc8fe249dc1ea52459d23e886b2f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_powerpc.deb
      Size/MD5:   108986 2ada6675566a5ef68ab42eb172de5a81

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_sparc.deb
      Size/MD5:   106090 e2e1abe98864d65a73a7302b922f97b1




Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ