Message-ID: <20100311070646.GH4381@outflux.net>
Date: Wed, 10 Mar 2010 23:06:46 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-909-1] dpkg vulnerability

===========================================================
Ubuntu Security Notice USN-909-1             March 11, 2010
dpkg vulnerability
CVE-2010-0396
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dpkg-dev                        1.13.11ubuntu7.1

Ubuntu 8.04 LTS:
  dpkg-dev                        1.14.16.6ubuntu4.1

Ubuntu 8.10:
  dpkg-dev                        1.14.20ubuntu6.3

Ubuntu 9.04:
  dpkg-dev                        1.14.24ubuntu1.1

Ubuntu 9.10:
  dpkg-dev                        1.15.4ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

William Grant discovered that dpkg-source did not safely apply diffs
when unpacking source packages.  If a user or an automated system were
tricked into unpacking a specially crafted source package, a remote
attacker could modify files outside the target unpack directory, leading
to a denial of service or potentially gaining access to the system.
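The flaw described above is a path-validation problem: a patch embedded in a source package names the files it writes, and if those names are applied without checking they can reach outside the unpack directory. As an added illustration (not dpkg's own code, and not the fix that shipped in the versions listed here), the following Python checker extracts the `+++` target names from a unified diff, applies the usual one-component strip, and rejects any target that escapes the tree either lexically (absolute path or a `..` component) or through a symlink that already exists inside the tree. The sample diff and the directory layout built by `demo()` are constructed for this example.

```python
import os
import re
import tempfile

# Constructed sample diff (not from the advisory). The first target is a
# normal in-tree edit; the second uses a '..' component; the third writes
# through 'link', which demo() creates as a symlink pointing outside the tree.
SAMPLE_DIFF = """\
--- a/debian/rules
+++ b/debian/rules
@@ -1 +1 @@
-old
+new
--- a/outside.txt
+++ b/../outside.txt
@@ -0,0 +1 @@
+written outside the unpack directory
--- a/link/hijacked
+++ b/link/hijacked
@@ -0,0 +1 @@
+written through a symlink
"""

_TARGET_RE = re.compile(r"^\+\+\+ (\S+)")


def patch_targets(diff_text, strip=1):
    """Return the file names a unified diff would write, with `strip` leading
    path components removed (the -p1 convention used for source-package diffs).
    '/dev/null' targets are deletions and write nothing, so they are skipped."""
    targets = []
    for line in diff_text.splitlines():
        m = _TARGET_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name == "/dev/null":
            continue
        parts = name.split("/")
        targets.append("/".join(parts[strip:]))
    return targets


def is_safe_relative_path(name):
    """Lexical check only: the name must be non-empty, relative, and free of
    '..' components. This catches the obvious traversal cases."""
    if not name or os.path.isabs(name):
        return False
    return ".." not in name.split("/")


def check_patch(diff_text, unpack_dir, strip=1):
    """Classify every target of diff_text as accepted or rejected for
    application under unpack_dir. Returns (accepted, rejected) where rejected
    holds (name, reason) pairs. The symlink check resolves the existing part
    of each target path and requires the result to stay under the tree."""
    root = os.path.realpath(unpack_dir)
    accepted, rejected = [], []
    for name in patch_targets(diff_text, strip):
        if not is_safe_relative_path(name):
            rejected.append((name, "lexical escape"))
            continue
        # realpath follows symlinks in the existing prefix of the path and
        # leaves a not-yet-existing tail as-is, so a link out of the tree
        # shows up here even though the final file does not exist yet.
        resolved = os.path.realpath(os.path.join(root, name))
        if not resolved.startswith(root + os.sep):
            rejected.append((name, "symlink escape"))
            continue
        accepted.append(name)
    return accepted, rejected


def demo():
    """Build a constructed unpack tree containing one symlink that points
    outside it, run the checker on SAMPLE_DIFF, and return its result."""
    base = tempfile.mkdtemp()
    unpack = os.path.join(base, "pkg-1.0")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(unpack, "debian"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(unpack, "link"))  # escape hatch inside the tree
    return check_patch(SAMPLE_DIFF, unpack)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for name, reason in rejected:
        print("rejected:", name, "(" + reason + ")")
```

Both checks are needed: the lexical test alone would accept `link/hijacked`, because nothing in that name looks suspicious until the symlink on disk is taken into account, and a patch can create that symlink itself in an earlier file before writing through it, so a real unpacker has to re-run the on-disk check per file as the patch is applied, not once up front.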


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1.dsc
      Size/MD5:      760 34441c52e805649411aefadcf436c498
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1.tar.gz
      Size/MD5:  3605915 fff28ddf0f4817c3ecbcc5444ce7a452

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg-dev_1.13.11ubuntu7.1_all.deb
      Size/MD5:   163246 0422c23c508b70a10351558490d74d56

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1_amd64.deb
      Size/MD5:  1910180 0f671a7f4397f7e644f049c475e931db
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.13.11ubuntu7.1_amd64.deb
      Size/MD5:   126800 97ee0be20c06746e8896bc1ebce5ea4b

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1_i386.deb
      Size/MD5:  1866112 544fd3d266045aebe103d70ab8b7509f
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.13.11ubuntu7.1_i386.deb
      Size/MD5:   117076 4dba6966f8d12302ecb46c58e1969ff1

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1_powerpc.deb
      Size/MD5:  1898810 c32bbc1af794165bb4a23c454d37ec26
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.13.11ubuntu7.1_powerpc.deb
      Size/MD5:   127240 82fba117821acdc09b3662ca754052bf

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.13.11ubuntu7.1_sparc.deb
      Size/MD5:  1878838 3dfb5489e39febdd95abff4033f59d39
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.13.11ubuntu7.1_sparc.deb
      Size/MD5:   118940 e508264b3c4b7cb997a4ed087d089703

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1.dsc
      Size/MD5:     1208 2a22d05fa34b6b04d5a17263bfe4f0d6
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1.tar.gz
      Size/MD5:  6390427 178b735e17fde21579df4ca26bfa6e67

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg-dev_1.14.16.6ubuntu4.1_all.deb
      Size/MD5:   559370 40325831979d41736a7d185cac8fbd00

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1_amd64.deb
      Size/MD5:  2348266 4593b864a8d6a60adf493f9a1e6b635b
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.16.6ubuntu4.1_amd64.deb
      Size/MD5:   413652 f634c625575e29267e22ff8770d0590b

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1_i386.deb
      Size/MD5:  2295972 d3054a2d2e7b382d01203f9020854c45
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.16.6ubuntu4.1_i386.deb
      Size/MD5:   405256 407e3696ed9ceeecc64b7ba3c95a9340

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1_lpia.deb
      Size/MD5:  2296428 719d6602689db30cd1f7f7f1ae893c4f
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.16.6ubuntu4.1_lpia.deb
      Size/MD5:   406182 7067d8bb99e5b61d76b76bc9a6d9045b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1_powerpc.deb
      Size/MD5:  2349398 7091950bd709fe1703068d65ab9e92fb
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.16.6ubuntu4.1_powerpc.deb
      Size/MD5:   417724 3f8f2ad7d3e5a4489c0273a2cbbc694b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.16.6ubuntu4.1_sparc.deb
      Size/MD5:  2304870 8154035a4d26b6ecb3244ad436fd6a06
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.16.6ubuntu4.1_sparc.deb
      Size/MD5:   406124 9369a5fe72e587105a85818cd1e01b95

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3.dsc
      Size/MD5:     1374 b31bf239dbb395dedb8b8913006f424b
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3.tar.gz
      Size/MD5:  6667294 5e976d2038d4f4e7c091ff0a5a9d6287

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg-dev_1.14.20ubuntu6.3_all.deb
      Size/MD5:   612902 a23c54c5bb99d9ce8f0f3d3b34515622

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3_amd64.deb
      Size/MD5:  2278804 90f46bebbae90673a1d4061f7d69eb9d
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.20ubuntu6.3_amd64.deb
      Size/MD5:   414836 b27191cafff2143d90453efcc758b466

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3_i386.deb
      Size/MD5:  2230408 7e8a9e7997148da06dc2175d2b3a0249
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.20ubuntu6.3_i386.deb
      Size/MD5:   406610 a3e5a0a62c42671a5ccdd68fdf3ef186

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3_lpia.deb
      Size/MD5:  2229312 a50c5d32e2bbe16d4f75d987295bfcec
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.20ubuntu6.3_lpia.deb
      Size/MD5:   406868 5c5c03bee5447f51c7fe9c8acf48e072

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3_powerpc.deb
      Size/MD5:  2268434 20bcc6e0351ddc88ea0f0114ccd9fddc
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.20ubuntu6.3_powerpc.deb
      Size/MD5:   416446 63ab7115e4a551c4060db078b2e99c65

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.20ubuntu6.3_sparc.deb
      Size/MD5:  2235650 ebf0beecfc3cf739cb45d4e02e432ea2
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.20ubuntu6.3_sparc.deb
      Size/MD5:   407274 eddb7ffd933d842d372ad5cca7f61ccc

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1.dsc
      Size/MD5:     1374 966f0d0737c4b468b297110b090c3ec8
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1.tar.gz
      Size/MD5:  6857872 af3f9838a9f61354f02f1376094dd387

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg-dev_1.14.24ubuntu1.1_all.deb
      Size/MD5:   643570 f8183801f8337e8f05d3f4f500839ee4

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1_amd64.deb
      Size/MD5:  2402910 7e11960c3370d46ff85f6fbfb74cbb9c
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.24ubuntu1.1_amd64.deb
      Size/MD5:   418624 5410f79d5e0f97d16ed6fecfde8b1878

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1_i386.deb
      Size/MD5:  2354476 d02b003cba30d3bb8b7ad76c3d6dcd75
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.14.24ubuntu1.1_i386.deb
      Size/MD5:   410460 483f6e495f85b2bee9e28f3176798c1f

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1_lpia.deb
      Size/MD5:  2352378 f9aae3bcecc6bf90a79430896b79c640
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.24ubuntu1.1_lpia.deb
      Size/MD5:   410520 81dd12b39aa98e98f41a29c1b9058036

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1_powerpc.deb
      Size/MD5:  2393240 25dca2b3b4a883a08d16837e9a35b911
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.24ubuntu1.1_powerpc.deb
      Size/MD5:   420232 7467a2ea13d2e78b187f6bcefb55bf4b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.14.24ubuntu1.1_sparc.deb
      Size/MD5:  2360038 e90d547b96a88831053304d18343a5ef
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.14.24ubuntu1.1_sparc.deb
      Size/MD5:   411142 ea1b073a035a0b14d90bd36e41f63533

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1.dsc
      Size/MD5:     1369 f882af2befea5a4b083bd0b92e332df4
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1.tar.gz
      Size/MD5:  7046069 8b5a0f7410f1a275cc696383afacf621

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg-dev_1.15.4ubuntu2.1_all.deb
      Size/MD5:   573258 63b13346961f9bf2d36f2661bcce1b18

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1_amd64.deb
      Size/MD5:  2170832 456e1befb49374eb295c8f5c0e634adc
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.15.4ubuntu2.1_amd64.deb
      Size/MD5:   333910 865568f183c69e5f99ae6bfd3c701628

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1_i386.deb
      Size/MD5:  2126260 df700c2e82786fb0ba11b1ba293af49e
    http://security.ubuntu.com/ubuntu/pool/main/d/dpkg/dselect_1.15.4ubuntu2.1_i386.deb
      Size/MD5:   325634 c03e628356ca458881f95af0f74f28e9

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1_lpia.deb
      Size/MD5:  2104834 d82b8607c7b2002c450536b92abc1024
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.15.4ubuntu2.1_lpia.deb
      Size/MD5:   326974 75b5575b0e1321d5f8c01f01724970b2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1_powerpc.deb
      Size/MD5:  2171106 408fc498138e077016de2b63892c9bb4
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.15.4ubuntu2.1_powerpc.deb
      Size/MD5:   333172 2efebdb20f9dc76f97b59340c1800995

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dpkg/dpkg_1.15.4ubuntu2.1_sparc.deb
      Size/MD5:  2133260 a4dda0dea25fa3e484796a8e211c7dda
    http://ports.ubuntu.com/pool/main/d/dpkg/dselect_1.15.4ubuntu2.1_sparc.deb
      Size/MD5:   327004 09180d098f2c2dbed84a9f90097dd8fc



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
