ESB-2011.0021 - [Ubuntu] dpkg-dev: Modify arbitrary files - Existing account

Date: 10 January 2011
References: ESB-2011.0017  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0021
                            dpkg vulnerability
                              10 January 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dpkg-dev
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-1679  

Reference:         ESB-2011.0017

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-1038-1

--------------------------BEGIN INCLUDED TEXT--------------------

Ubuntu Security Notice USN-1038-1          January 06, 2011
dpkg vulnerability
CVE-2010-1679

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  dpkg-dev                        1.15.4ubuntu2.3

Ubuntu 10.04 LTS:
  dpkg-dev                        1.15.5.6ubuntu4.5

Ubuntu 10.10:
  dpkg-dev                        1.15.8.4ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

Jakub Wilk and Raphaël Hertzog discovered that dpkg-source did not
correctly handle certain paths and symlinks when unpacking source-format
version 3.0 packages. If a user or an automated system were tricked into
unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial
of service or potentially gaining access to the system.
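Defender-side illustration of the bug class described above (an added example, not Ubuntu's or dpkg's code): a path audit an unpacker could run over archive entries before creating anything, refusing absolute paths, `..` escapes, and the sequence of a symlink followed by an entry written through it. The entry list is constructed; the real source-format 3.0 unpack logic lives in dpkg-source (Perl) and is not reproduced here.

```python
# Constructed sample: tar entries as a source-package unpacker would see them.
# "type" is "file", "dir" or "symlink"; "linkname" is the symlink target.
SAMPLE_MEMBERS = [
    {"name": "pkg-1.0/debian/control", "type": "file", "linkname": ""},
    {"name": "pkg-1.0/src/./main.c", "type": "file", "linkname": ""},
    {"name": "pkg-1.0/a/b", "type": "symlink", "linkname": "../c"},
    {"name": "/tmp/absolute.txt", "type": "file", "linkname": ""},
    {"name": "pkg-1.0/../../outside.txt", "type": "file", "linkname": ""},
    {"name": "pkg-1.0/up", "type": "symlink", "linkname": "../.."},
    {"name": "pkg-1.0/up/written-outside.txt", "type": "file", "linkname": ""},
    {"name": "pkg-1.0/lib", "type": "symlink", "linkname": "src"},
    {"name": "pkg-1.0/lib/helper.c", "type": "file", "linkname": ""},
]


def normalize(path):
    """Collapse '', '.' and '..' components of an archive path.
    Returns the component list, or None if '..' climbs above the unpack dir."""
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(comp)
    return parts


def audit_members(members):
    """Return [(name, reason)] for every entry that could touch a path outside
    the unpack directory. Every symlink seen is recorded, so a later entry
    whose path passes through one is refused (the two-step escape). Hard
    links are out of scope here."""
    rejects, symlinks = [], set()
    for m in members:
        name = m["name"]
        parts = normalize(name)
        if name.startswith("/"):
            rejects.append((name, "absolute path"))
        elif parts is None:
            rejects.append((name, "'..' escapes unpack directory"))
        elif any(tuple(parts[:i]) in symlinks for i in range(1, len(parts))):
            rejects.append((name, "path passes through a symlink"))
        elif m["type"] == "symlink":
            symlinks.add(tuple(parts))  # taint the path even if rejected below
            target = m["linkname"]
            if target.startswith("/"):
                rejects.append((name, "absolute symlink target"))
            elif normalize("/".join(parts[:-1] + [target])) is None:
                rejects.append((name, "symlink target escapes unpack directory"))
    return rejects
```

Refusing any write through a symlink is deliberately conservative: the in-tree `pkg-1.0/lib -> src` link is accepted, but `pkg-1.0/lib/helper.c` is still refused because the resolved location depends on link state the audit does not model.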

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================