Sicherheit: Ausführen beliebiger Kommandos in AdvanceCOMP

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1181692023627769048==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="auayz87XHaMzVlscvjE3S7yeTWPmzYjFI"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--auayz87XHaMzVlscvjE3S7yeTWPmzYjFI
Content-Type: multipart/mixed;
boundary="GVHBDYRVKR4bRP0cPdNVzPxC6wCt5Gv4v";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <3053927b-877a-6424-37eb-46b1373d16e1@canonical.com>
Subject: [USN-3570-1] AdvanceCOMP vulnerability

--GVHBDYRVKR4bRP0cPdNVzPxC6wCt5Gv4v
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3570-1
February 14, 2018

advancecomp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

AdvanceCOMP could be made to crash or run programs if it opened a specially
crafted file.

Software Description:
- advancecomp: collection of recompression utilities

Details:

Joonun Jang discovered that AdvanceCOMP incorrectly handled certain
malformed zip files. If a user or automated system were tricked into
processing a specially crafted zip file, a remote attacker could cause
AdvanceCOMP to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
advancecomp 2.0-1ubuntu0.1

Ubuntu 16.04 LTS:
advancecomp 1.20-1ubuntu0.1

Ubuntu 14.04 LTS:
advancecomp 1.18-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3570-1
CVE-2018-1056

Package Information:
https://launchpad.net/ubuntu/+source/advancecomp/2.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/advancecomp/1.20-1ubuntu0.1
https://launchpad.net/ubuntu/+source/advancecomp/1.18-1ubuntu0.1

--GVHBDYRVKR4bRP0cPdNVzPxC6wCt5Gv4v--

--auayz87XHaMzVlscvjE3S7yeTWPmzYjFI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJahF3pAAoJEGVp2FWnRL6TtGMP/0PnwI2z3XogDv6Cv6xfS2fP
zwYkSih7F/efjIUzvke8PpFnoadDdiOWzbgsUvnxi2lVSuMImcL5IgSZrj56+r0k
VAWh2/YVtYmajmSERzftCkRcM4bO75VDhfQN21IcaviyxAzlihRhgrr4XXIIJsYG
83QQ5JS2yH/nZs9XDMBFoUITTeNn+B4rLMKtSxj5hsH7Y0Ehb3Ziw1qy3TpJHl/S
pJA8BncbaZFF1HbJQAVgmjK7BpOuQgJ0QdPFb5Bs4OML7wfxkDg0tfLqZMtWmaAx
xL2+OjpsLc+gW8HIYf3yCk3cemvrUvgIOeUv2RkWdPIkG5hYvCN9mxdnd6hs83to
7//9PrZjUMOmGLrZzXmdBOFl+iInUkdW0DYWKXZh8yzLvYmWK2B8dwA1MLNKJIn0
mW5clpstfE0CZ8Dpg/pTIsdIZbIAmJOIuZU3CdZH4Hav1eRjv7FN/1OnrLvobvSf
ZxezgqgbEDZ2wIz3SyB+fBvgKQdTDdVFGiMgl8HjWwkcbW1Ds22K805nZLHcl1U0
uoN+cmRU8jLHIhqt7dUDjozWDW191PuwnQIbM8fZfMSlnwdMLuZUj4eoW7IFC/xR
ugKNP1vJ80JPq0WbjTO9Jj4rEsPVyT+NlYNmUQM5jrq5xg1ftH0CGg7guFFcuAmW
Dgic72oRjTv+GxaIGheb
=pgTX
-----END PGP SIGNATURE-----

--auayz87XHaMzVlscvjE3S7yeTWPmzYjFI--

--===============1181692023627769048==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============1181692023627769048==--