Date: 22 June 2010
References: ESB-2010.0481 ESB-2011.0752
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0557
OPIE vulnerability
22 June 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: opie
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-1938
Reference: ESB-2010.0481
Original Bulletin:
http://www.ubuntu.com/usn/usn-955-1
http://www.ubuntu.com/usn/usn-955-2
Comment: This bulletin contains two (2) Ubuntu security advisories.
This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running opie check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
===========================================================
Ubuntu Security Notice USN-955-1 June 21, 2010
opie vulnerability
CVE-2010-1938
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
libopie-dev 2.40~dfsg-0ubuntu1.9.04.1
Ubuntu 9.10:
libopie-dev 2.40~dfsg-0ubuntu1.9.10.1
Ubuntu 10.04 LTS:
libopie-dev 2.40~dfsg-0ubuntu1.10.04.1
In general, a standard system update will make all the necessary changes.
Details follow:
Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly
handled long usernames. A remote attacker could exploit this with a crafted
username and make applications linked against libopie crash, leading to a
denial of service.
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.9.04.1.diff.gz
Size/MD5: 9412 6e9e9190b066ff3ce4d79c44af2cfebe
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.9.04.1.dsc
Size/MD5: 1139 7e1e1f2997befa10ae8cffabfa4db522
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg.orig.tar.gz
Size/MD5: 174823 4a2be4eedcefedd106af82aa06aedd60
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.04.1_amd64.deb
Size/MD5: 32852 b9c79d257b6a746d0ad07053e41d15a5
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.04.1_amd64.deb
Size/MD5: 44898 48b0a257f368ac90c41eb3484e147b0b
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.04.1_amd64.deb
Size/MD5: 48514 d3bfc3b527faaadbd82d6ca83c2f1ca7
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.04.1_i386.deb
Size/MD5: 31798 ed4992c032d6947a2cfea458a6ad2c51
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.04.1_i386.deb
Size/MD5: 44102 9cddebdf2ff4e1cbca7d14e8cb15b984
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.04.1_i386.deb
Size/MD5: 47654 688e469a8a7958453e3e205c4f3768c8
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.04.1_lpia.deb
Size/MD5: 30716 08cb73e7ff0534a082f9a6659e0ce333
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.04.1_lpia.deb
Size/MD5: 43802 219ba660fd518ba025bb044e78a3a625
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.04.1_lpia.deb
Size/MD5: 47284 251588648175ef401d32d3890b30a50a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.04.1_powerpc.deb
Size/MD5: 33580 f585ffa422c9d61630c8d9bd4ce4dc1e
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.04.1_powerpc.deb
Size/MD5: 46016 e344999d7cbbf96b42322a503bc19845
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.04.1_powerpc.deb
Size/MD5: 48928 a07244aee0e9e844cac51ea172a59be6
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.04.1_sparc.deb
Size/MD5: 32112 09c04bef194c1a1e4c71cd43dd3ac537
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.04.1_sparc.deb
Size/MD5: 45388 f2c093ff244a2ee6072a70cfd0fe75ca
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.04.1_sparc.deb
Size/MD5: 48594 4779a75bb2a444dea595c4e83726f3b3
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.9.10.1.diff.gz
Size/MD5: 9416 1b4036959fde389a79c60555cb294082
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.9.10.1.dsc
Size/MD5: 1139 b15759930af9e24a9858f1912003d654
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg.orig.tar.gz
Size/MD5: 174823 4a2be4eedcefedd106af82aa06aedd60
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.10.1_amd64.deb
Size/MD5: 33946 bbcf3722c4eec05dcc85714bb4905519
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.10.1_amd64.deb
Size/MD5: 45872 2904223e62ddc578dd9cec239f9cea51
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.10.1_amd64.deb
Size/MD5: 49212 63025a249846bf7a9fe283d0447f83ed
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.10.1_i386.deb
Size/MD5: 32460 371573fae6f6061e73efbf641293e1f8
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.10.1_i386.deb
Size/MD5: 44720 17c63c58981fe7dba64f848a20224e13
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.10.1_i386.deb
Size/MD5: 48218 f24bdb5f2e0f42b88d43307cbb78cc8c
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.10.1_lpia.deb
Size/MD5: 31496 98769948900f0e6a9fb3b30cd09ad418
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.10.1_lpia.deb
Size/MD5: 44596 963a18749621b7615ba19ec5b0ad1a4e
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.10.1_lpia.deb
Size/MD5: 47840 705abfed82e0e64ea47046e59947681a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.10.1_powerpc.deb
Size/MD5: 33648 dab512cd68ebce9a256c7b126250176e
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.10.1_powerpc.deb
Size/MD5: 45774 291e20a894ec6cca0d15f355ebd99f3e
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.10.1_powerpc.deb
Size/MD5: 48682 b7cacffb565f7a765bda1df9d3667c75
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.9.10.1_sparc.deb
Size/MD5: 32326 d5afe5e50292147af7fd593ccc8f45eb
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.9.10.1_sparc.deb
Size/MD5: 45628 1e6435a28498b1d1660555eb2feff9b1
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.9.10.1_sparc.deb
Size/MD5: 48570 64b774c24b1d32889ad3e177a030d9db
Updated packages for Ubuntu 10.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.10.04.1.diff.gz
Size/MD5: 9417 7d69bcb66c523fabb6bcb77f6f49a75a
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg-0ubuntu1.10.04.1.dsc
Size/MD5: 1143 b5ef0adf98f91a9ad6e47d51c30545ce
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie_2.40~dfsg.orig.tar.gz
Size/MD5: 174823 4a2be4eedcefedd106af82aa06aedd60
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.10.04.1_amd64.deb
Size/MD5: 33830 89f9d096e9869d76540c50875c666a2a
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.10.04.1_amd64.deb
Size/MD5: 45772 f4b2493ccb1e7c77ed29003349a82cd3
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.10.04.1_amd64.deb
Size/MD5: 49080 efce404aa45a9a51431396e213db5425
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.10.04.1_i386.deb
Size/MD5: 32276 d387fa29e024e41302e0001d6c498b31
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.10.04.1_i386.deb
Size/MD5: 44642 5b26dafeeefca98b742c083c41d9b4bc
http://security.ubuntu.com/ubuntu/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.10.04.1_i386.deb
Size/MD5: 48008 c892f45587d5d39879c48e0f6d2d001e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.10.04.1_powerpc.deb
Size/MD5: 33566 e741a9deb923cfb671bbc1812610b882
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.10.04.1_powerpc.deb
Size/MD5: 45678 c53206c0d347bd0b97a37eedaa197790
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.10.04.1_powerpc.deb
Size/MD5: 48600 ffcd300b5f3fa6e5c11651dc0434bbba
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/opie/libopie-dev_2.40~dfsg-0ubuntu1.10.04.1_sparc.deb
Size/MD5: 33506 3c577ee37bc07cf204b317e2b75bb10b
http://ports.ubuntu.com/pool/main/o/opie/opie-client_2.40~dfsg-0ubuntu1.10.04.1_sparc.deb
Size/MD5: 46780 20f06a8f6a908e494bdb9e398de11f71
http://ports.ubuntu.com/pool/main/o/opie/opie-server_2.40~dfsg-0ubuntu1.10.04.1_sparc.deb
Size/MD5: 49756 9d18a9f6dfb7cb9333207f7566e0d54f
===========================================================
Ubuntu Security Notice USN-955-2 June 21, 2010
libpam-opie vulnerability
CVE-2010-1938
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
libpam-opie 0.21-8build1.9.04.1
Ubuntu 9.10:
libpam-opie 0.21-8build2.1
Ubuntu 10.04 LTS:
libpam-opie 0.21-8build3.1
In general, a standard system update will make all the necessary changes.
Details follow:
USN-955-1 fixed vulnerabilities in OPIE. This update provides rebuilt
libpam-opie packages against the updated libopie library.
Original advisory details:
Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly
handled long usernames. A remote attacker could exploit this with a crafted
username and make applications linked against libopie crash, leading to a
denial of service.
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1.diff.gz
Size/MD5: 5955 68d77e8427fd1e4e6fc542bdbdecdcb8
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1.dsc
Size/MD5: 1052 a6621de8231000b1cd722de1889442df
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21.orig.tar.gz
Size/MD5: 41624 8dffef43ddbd14512171cca5c4570207
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1_amd64.deb
Size/MD5: 24330 f7a795c4f3662f08d14110782384ea59
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1_i386.deb
Size/MD5: 23494 09dc94d2c3d571a4fbaa710aed7dbf1e
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1_lpia.deb
Size/MD5: 23220 c695dc2d85b0f93d6a1fc03afdc8b627
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1_powerpc.deb
Size/MD5: 27188 fca2d90bf1877341d4fe871292798005
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build1.9.04.1_sparc.deb
Size/MD5: 24280 dc93f7554de0791124cb9c853cb3bf32
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1.diff.gz
Size/MD5: 5985 a9a21c66edf5da6f3efd983d9c6f8f14
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1.dsc
Size/MD5: 1032 20f0a833495a08445485b8513f6f1034
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21.orig.tar.gz
Size/MD5: 41624 8dffef43ddbd14512171cca5c4570207
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1_amd64.deb
Size/MD5: 25310 3bbc38e74436df6976f3c046713a1c4a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1_i386.deb
Size/MD5: 24056 a8fed25799038ff959d22abab4c441bb
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1_lpia.deb
Size/MD5: 23894 c427d754c78b149a2177363e8913644e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1_powerpc.deb
Size/MD5: 25358 38a5a2e4c10ceab01ac39422e58be4bc
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build2.1_sparc.deb
Size/MD5: 24646 fa87c02f217c29deb3c2d1022d0874ed
Updated packages for Ubuntu 10.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1.diff.gz
Size/MD5: 6083 23785c595192d3614e0336d24052288e
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1.dsc
Size/MD5: 1032 a19a8b3b2b4a9be41bd5cc05e720bd53
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21.orig.tar.gz
Size/MD5: 41624 8dffef43ddbd14512171cca5c4570207
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1_amd64.deb
Size/MD5: 25290 88dfc0489c3b39abb4fb4a76069abd55
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1_i386.deb
Size/MD5: 23974 ca0173f16362e88e1fdd35e49abe37f0
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1_powerpc.deb
Size/MD5: 25376 e601a2b8d8f106b5568b492698e0558e
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libp/libpam-opie/libpam-opie_0.21-8build3.1_sparc.deb
Size/MD5: 25710 31bb892e98f301cdf8e5bbfdf6c027fa
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMIA9o/iFOrG6YcBERAtTpAJ9zPzR3cpgPDZKWquemfrRj6t+OwwCfc/CJ
Cl4Oh6A7AH/FtKMCxNFB0/g=
=81xG
-----END PGP SIGNATURE-----
|