Insecure use of temporary files in bzip2
ID: | USN-1308-1 |
Distribution: | Ubuntu |
Platforms: | Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10 |
Date: | Thu, 15 December 2011, 07:02 |
References: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4089 |
Applications: | bzip2 |
Original message |
|
==========================================================================
Ubuntu Security Notice USN-1308-1
December 14, 2011

bzip2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Executables compressed by bzexe could be made to run programs as your login.

Software Description:
- bzip2: high-quality block-sorting file compressor - utilities

Details:

vladz discovered that executables compressed by bzexe insecurely create
temporary files when they are run. A local attacker could exploit this issue
to execute arbitrary code as the user running a compressed executable.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  bzip2 1.0.5-6ubuntu1.11.10.1

Ubuntu 11.04:
  bzip2 1.0.5-6ubuntu1.11.04.1

Ubuntu 10.10:
  bzip2 1.0.5-4ubuntu1.1

Ubuntu 10.04 LTS:
  bzip2 1.0.5-4ubuntu0.2

Ubuntu 8.04 LTS:
  bzip2 1.0.4-2ubuntu4.2

In general, a standard system update will make all the necessary changes
to the bzexe utility. If you have previously used bzexe to compress any
executables, they need to be recompressed using the updated version.

References:
  http://www.ubuntu.com/usn/usn-1308-1
  CVE-2011-4089

Package Information:
  https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.10.1
  https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.04.1
  https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu1.1
  https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu0.2
  https://launchpad.net/ubuntu/+source/bzip2/1.0.4-2ubuntu4.2
|
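
The last update step in the notice, recompressing executables that were previously packed with bzexe, first requires finding them. The scanner below is an added example, not part of the Ubuntu notice or of bzip2. It assumes the bzexe stub layout (a shell script with a `skip=N` line and a bzip2 stream starting at line N of the file), and the default directory `/usr/local/bin` is only a placeholder.

```python
import os
import re
import sys

SKIP_RE = re.compile(rb"^skip=(\d+)\s*$", re.M)
BZ2_BLOCK_MAGIC = bytes.fromhex("314159265359")  # follows "BZh" + level digit


def is_bzexe_wrapped(path, head_bytes=8192):
    """True if path looks like a bzexe self-extracting script.

    Assumed layout (not stated in the advisory): a shell stub with a
    `skip=N` line, and a bzip2 stream that starts at line N of the file.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return False
    match = SKIP_RE.search(head)
    if not head.startswith(b"#!") or match is None:
        return False
    # Walk to the start of line N (1-based), as `tail -n +N` would.
    offset = 0
    for _ in range(int(match.group(1)) - 1):
        newline = head.find(b"\n", offset)
        if newline == -1:
            return False
        offset = newline + 1
    payload = head[offset:offset + 10]
    # gzexe output (gzip magic 1f 8b) and ordinary scripts fail this check.
    return (payload[:3] == b"BZh" and payload[3:4].isdigit()
            and payload[4:10] == BZ2_BLOCK_MAGIC)


def find_bzexe_wrapped(roots):
    """Return sorted paths of regular files under roots that match."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if (os.path.isfile(path) and not os.path.islink(path)
                        and is_bzexe_wrapped(path)):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_bzexe_wrapped(sys.argv[1:] or ["/usr/local/bin"]):
        print(hit)
```

Pass the directories to scan as arguments; each reported file is a candidate for recompression with the updated bzexe.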