Security: Insufficient input validation in dpkg
Name: Insufficient input validation in dpkg
ID: USN-2183-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10, Ubuntu 14.04 LTS
Date: Mon, 28 April 2014, 21:01
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0471
Applications: dpkg

Original message

==========================================================================
Ubuntu Security Notice USN-2183-1
April 28, 2014

dpkg vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

A malicious source package could write files outside the unpack directory.

Software Description:
- dpkg: Debian package management system

Details:

Jakub Wilk discovered that dpkg incorrectly handled certain paths and symlinks when
unpacking source packages. If a user or an automated system were tricked
into unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial of
service or potentially gaining access to the system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libdpkg-perl 1.17.5ubuntu5.1

Ubuntu 13.10:
libdpkg-perl 1.16.12ubuntu1.1

Ubuntu 12.10:
libdpkg-perl 1.16.7ubuntu6.1

Ubuntu 12.04 LTS:
libdpkg-perl 1.16.1.2ubuntu7.3

Ubuntu 10.04 LTS:
dpkg-dev 1.15.5.6ubuntu4.7

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2183-1
CVE-2014-0471

Package Information:
https://launchpad.net/ubuntu/+source/dpkg/1.17.5ubuntu5.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.12ubuntu1.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.7ubuntu6.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.1.2ubuntu7.3
https://launchpad.net/ubuntu/+source/dpkg/1.15.5.6ubuntu4.7



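To check a host against the fixed versions listed in the update instructions, the following added example (not part of the Ubuntu notice) compares an installed version string with the notice's table. The comparison is a simplified re-implementation of Debian version ordering and all function names are hypothetical; on a real system `dpkg --compare-versions` is the authoritative comparison.

```python
import re

NUM = re.compile(r"[0-9]*")
# Fixed versions as listed in USN-2183-1: release -> (package, version).
FIXED = {
    "14.04": ("libdpkg-perl", "1.17.5ubuntu5.1"),
    "13.10": ("libdpkg-perl", "1.16.12ubuntu1.1"),
    "12.10": ("libdpkg-perl", "1.16.7ubuntu6.1"),
    "12.04": ("libdpkg-perl", "1.16.1.2ubuntu7.3"),
    "10.04": ("dpkg-dev", "1.15.5.6ubuntu4.7"),
}

def _order(s, i):
    # Weight of s[i]: 0 for a digit or end of string, '~' sorts before
    # everything, letters sort before other punctuation.
    if i >= len(s) or s[i] in "0123456789":
        return 0
    if s[i] == "~":
        return -1
    return ord(s[i]) if s[i].isalpha() else ord(s[i]) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one at a time.
        while _order(a, i) or _order(b, j):
            if _order(a, i) != _order(b, j):
                return -1 if _order(a, i) < _order(b, j) else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so that 12 sorts after 7.
        x, y = NUM.match(a, i).group(), NUM.match(b, j).group()
        if int(x or 0) != int(y or 0):
            return -1 if int(x or 0) < int(y or 0) else 1
        i, j = i + len(x), j + len(y)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    # True when the installed version is at or above the notice's fixed version.
    return compare_versions(installed, FIXED[release][1]) >= 0
```

The installed version to pass in can be read with `dpkg-query -W` for the package named in `FIXED` for that release.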