--===============0336351771==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
 boundary="LQksG6bCIzRHxTLp"
Content-Disposition: inline


--LQksG6bCIzRHxTLp
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-208-1	   October 17, 2005
graphviz vulnerability
CAN-2005-2965
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

graphviz

The problem can be corrected by upgrading the affected package to
version 2.2-1ubuntu0.1.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fern=E1ndez-Sanguino Pe=F1a discovered that the "dotty" tool
created and used temporary files in an insecure way. A local attacker
could exploit this with a symlink attack to create or overwrite
arbitrary files with the privileges of the user running dotty.


  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ub=
untu0.1.diff.gz
      Size/MD5:   207632 5e836a324f059215f8d0daaa9d469107
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ub=
untu0.1.dsc
      Size/MD5:      788 7c934df6c6a84e937a7060d9743d1c29
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2.ori=
g.tar.gz
      Size/MD5:  4379295 9275d30695a5c22f360acbef7b85acd3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev=
_2.2-1ubuntu0.1_amd64.deb
      Size/MD5:   147494 2b23526fde607848990ee8b931ea9e0e
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc=
_2.2-1ubuntu0.1_amd64.deb
      Size/MD5:  1079078 846c09a610e9c7533c34be24ffd35524
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ub=
untu0.1_amd64.deb
      Size/MD5:  1026506 9f08f1dba4f6e94320600d5c4d043d83

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev=
_2.2-1ubuntu0.1_i386.deb
      Size/MD5:   147500 beb9f9a7863864a0da2c829eb4688793
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc=
_2.2-1ubuntu0.1_i386.deb
      Size/MD5:  1079084 58c7bd99908e4d61e946dd82b7000f12
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ub=
untu0.1_i386.deb
      Size/MD5:   947778 7e0fe2c149954e64cc6fdceaa5ae5bec

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev=
_2.2-1ubuntu0.1_powerpc.deb
      Size/MD5:   147508 2c786f652e59e9379e120d7065b5bca5
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc=
_2.2-1ubuntu0.1_powerpc.deb
      Size/MD5:  1079120 e20fb8adb1c98c784dd5016fda1df8d3
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ub=
untu0.1_powerpc.deb
      Size/MD5:  1075524 2d189fbb333fe89d00dd48a16dc27fc1

--LQksG6bCIzRHxTLp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDU6RqDecnbV4Fd/IRAiY/AJ9xWcJS+shpRZp9sKc7iJxsakbWUgCg+nJO
1v6SQVW4b3ZSpT6S1fJWMLQ=
=FXJD
-----END PGP SIGNATURE-----

--LQksG6bCIzRHxTLp--


--===============0336351771==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============0336351771==--