2

USN-909-1: dpkg vulnerability

view story
linux-howto

http://www.ubuntu.com – Referenced CVEs:  CVE-2010-0396 Description:  =========================================================== Ubuntu Security Notice USN-909-1 March 11, 2010 dpkg vulnerability CVE-2010-0396 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: dpkg-dev 1.13.11ubuntu7.1 Ubuntu 8.04 LTS: dpkg-dev 1.14.16.6ubuntu4.1 Ubuntu 8.10: dpkg-dev 1.14.20ubuntu6.3 Ubuntu 9.04: dpkg-dev 1.14.24ubuntu1.1 Ubuntu 9.10: dpkg-dev 1.15.4ubuntu2.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: William Grant discovered that dpkg-source did not safely apply diffs when unpacking source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system. (Distributions)