Message-ID: <20100311070646.GH4381@outflux.net>
Date: Wed, 10 Mar 2010 23:06:46 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-909-1] dpkg vulnerability
===========================================================
Ubuntu Security Notice USN-909-1 March 11, 2010
dpkg vulnerability
CVE-2010-0396
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dpkg-dev 1.13.11ubuntu7.1

Ubuntu 8.04 LTS:
  dpkg-dev 1.14.16.6ubuntu4.1

Ubuntu 8.10:
  dpkg-dev 1.14.20ubuntu6.3

Ubuntu 9.04:
  dpkg-dev 1.14.24ubuntu1.1

Ubuntu 9.10:
  dpkg-dev 1.15.4ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

William Grant discovered that dpkg-source did not safely apply diffs
when unpacking source packages. If a user or an automated system were
tricked into unpacking a specially crafted source package, a remote
attacker could modify files outside the target unpack directory, leading
to a denial of service or potentially gaining access to the system.
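
One way a build service or reviewer could screen a source package's diff before unpacking it, as an added example (not dpkg's code or its fix): it walks a unified diff, counts hunk lines so that body text is never mistaken for a file header, and reports target paths that are absolute or contain `..`. The one-component strip (as with `patch -p1`), the function names and every path in the sample are assumptions constructed for illustration.

```python
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed sample. Line 5 is a removed line of hunk body that merely looks like a header.
SAMPLE_DIFF = """\
--- pkg-1.0.orig/src/main.c
+++ pkg-1.0/src/main.c
@@ -1,2 +1,2 @@
 int x;
--- ../not-a-header
+-- new comment
--- pkg-1.0.orig/../../outside/notes.txt
+++ pkg-1.0/../../outside/notes.txt
@@ -0,0 +1 @@
+# constructed
--- /dev/null
+++ /constructed/absolute.txt
@@ -0,0 +1 @@
+# constructed
"""

def is_unsafe_target(path, strip=1):
    """True if a header path is absolute, contains '..', or vanishes after stripping."""
    if path == "/dev/null":  # marks a created or deleted file, not a target
        return False
    if path.startswith("/"):
        return True
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return ".." in parts or len(parts) <= strip

def unsafe_targets(diff_text, strip=1):
    """Return (line number, path) for each file header naming an unsafe target."""
    findings, old_left, new_left = [], 0, 0
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if old_left > 0 or new_left > 0:  # inside a hunk body: count, never parse
            tag = line[:1]
            if tag != "\\":  # "\ No newline at end of file" counts for neither side
                old_left -= tag != "+"
                new_left -= tag != "-"
            continue
        m = HUNK.match(line)
        if m:  # an omitted length in "@@ -a +c @@" means 1
            old_left = int(m.group(1) or 1)
            new_left = int(m.group(2) or 1)
        elif line.startswith(("--- ", "+++ ")):
            path = line[4:].split("\t", 1)[0].strip()  # drop any timestamp
            if is_unsafe_target(path, strip):
                findings.append((lineno, path))
    return findings
```

A lexical check like this does not see symlinks inside the unpacked tree, so it complements the fixed dpkg-dev versions listed above rather than replacing them.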