From martin.pitt@canonical.com Mon Aug 1 14:58:15 2005 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com Date: Mon, 1 Aug 2005 12:35:42 +0200 Subject: [USN-158-1] gzip utility vulnerability =========================================================== Ubuntu Security Notice USN-158-1 August 01, 2005 gzip vulnerability CAN-2005-0758 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: gzip The problem can be corrected by upgrading the affected package to version 1.3.5-9ubuntu3.3 (for Ubuntu 4.10), or 1.3.5-9ubuntu3.4 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: zgrep did not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. Updated packages for Ubuntu 4.10 (Warty Warthog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.diff.gz Size/MD5: 59244 9107611292808f982cb7e84a3e31cda3 http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.dsc Size/MD5: 570 4848f3b7d4bf7dad3bfdce969fdb47a4 http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_amd64.deb Size/MD5: 75472 bae609933a71ea74bb41493df98e193c i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_i386.deb Size/MD5: 70372 b774c65773bcb2cbadec5cc15ef12344 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_powerpc.deb Size/MD5: 76988 5c868f74064211a975e44ec4917887a2 Updated packages for Ubuntu 5.04 (Hoary Hedgehog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.diff.gz Size/MD5: 59260 4fe91fb2521be43a1961f7c0ae131014 http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.dsc Size/MD5: 570 62b96204e004beb977ae78ebb99b9120 http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_amd64.deb Size/MD5: 75576 21efd370efb1c0517ac767b95a37ee0a i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_i386.deb Size/MD5: 70394 307afbed15ed18fa0b3ddf339d8b7815 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_powerpc.deb Size/MD5: 77130 d3a3407db3ad0a86b5556043984604cf [ Part 2, "Digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ]