Login
Newsletter
Werbung

Sicherheit: Unsichere Verwendung temporärer Dateien in bzip2
Aktuelle Meldungen Distributionen
Name: Unsichere Verwendung temporärer Dateien in bzip2
ID: USN-1308-1
Distribution: Ubuntu
Plattformen: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Datum: Do, 15. Dezember 2011, 07:02
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4089
Applikationen: bzip2

Originalnachricht


--===============1346534219945541271==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="wzJLGUyc3ArbnUjN"
Content-Disposition: inline


--wzJLGUyc3ArbnUjN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-1308-1
December 14, 2011

bzip2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Executables compressed by bzexe could be made to run programs as your
login.

Software Description:
- bzip2: high-quality block-sorting file compressor - utilities

Details:

vladz discovered that executables compressed by bzexe insecurely create
temporary files when they are ran. A local attacker could exploit this issue to
execute arbitrary code as the user running a compressed executable.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
bzip2 1.0.5-6ubuntu1.11.10.1

Ubuntu 11.04:
bzip2 1.0.5-6ubuntu1.11.04.1

Ubuntu 10.10:
bzip2 1.0.5-4ubuntu1.1

Ubuntu 10.04 LTS:
bzip2 1.0.5-4ubuntu0.2

Ubuntu 8.04 LTS:
bzip2 1.0.4-2ubuntu4.2

In general, a standard system update will make all the necessary changes to
the bzexe utility. If you have previously used bzexe to compress any
executables, they need to be recompressed using the updated version.

References:
http://www.ubuntu.com/usn/usn-1308-1
CVE-2011-4089

Package Information:
https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.10.1
https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.04.1
https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu1.1
https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu0.2
https://launchpad.net/ubuntu/+source/bzip2/1.0.4-2ubuntu4.2


--wzJLGUyc3ArbnUjN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJO6SdeAAoJENaSAD2qAscKahAP/2aqMpuTHt47ZD5KtJCp1quA
3gqYAhHPmdP1UYlzttPm6NQLZwcjh1IumkiRZA8FW3BPv6ZATElfh0y7P4krALRb
NcBA8NebHfQhnvq+nwiJIdNGK8vw0PBJ0u+xYhZ6dDwUj50gHRRSJg3htAOWewGG
Ik9Hs4xSSwErXlcDszZrZ9/zGC6mjrRX3xsMxImWcSdkgxuawhbvM0ph9qiTPfqs
yOtywld0y6cSV/7mUmqaKxEK4zlDrRiyPaWrwnaojUG1zHILYx+TV2XaAGr0ykza
0WqTcOKPfKDtjglZvgmLTY0fYPTji9Qo75w7XeXDUHFERaJ1FSeX3/f0FZmjfpzs
vH17ZvvBB6dqUf08d0P1rouTzq01kCDXGQ0fXeJuapN/HA9/tptAA2QPG8PuadV6
+I1vZ11BKZB81zPgqxi7qSYz0+nHQwNOZZkZKrSb8ZADl9XYZYC3u3l+r1gWryQ9
XedNcgIkv6l3AfnSx6fRQiBxFrWp1hBWndgWGH2pY6j8XsTCxKos4YIb90hVN5vy
zZQSDVL/k0jc224Rvok9nSQaLOT3mkkk6rVuvWa2g44AQw7iUNsvNOeEgdF/uJV3
oivUyulgzqfA+blHPyli5+LNGSQr/B+KBxCsRuunBizJfr1q+tufqyIqTHB0Wbky
l7pA/smHVyqkRlE85c9g
=TqeP
-----END PGP SIGNATURE-----

--wzJLGUyc3ArbnUjN--


--===============1346534219945541271==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============1346534219945541271==--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung