USN-847-1: Devscripts vulnerability  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-847-1 October 08, 2009
devscripts vulnerability
CVE-2009-2946
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
devscripts 2.10.11ubuntu5.8.04.4

Ubuntu 8.10:
devscripts 2.10.26ubuntu15.2

Ubuntu 9.04:
devscripts 2.10.39ubuntu7.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Raphael Geissert discovered that uscan, a part of devscripts, did not
properly sanitize its input when processing pathnames. If uscan processed a
crafted filename for a file on a remote server, an attacker could execute
arbitrary code with the privileges of the user invoking the program.


Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4.dsc
Size/MD5: 1255 e77cd75293868dce15bda87381699c60
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4.tar.gz
Size/MD5: 494661 b9836cd30eaab24a4ae677caa501a3c3

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_amd64.deb
Size/MD5: 415752 5e481014f7449d48747173827c6112f8

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_i386.deb
Size/MD5: 415498 c91b58be71303331b753843b3f65e238

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_lpia.deb
Size/MD5: 415424 a3ffe0b548091da9a06b6540e2e81931

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_powerpc.deb
Size/MD5: 418916 9b0821303a4e38f70de0bdc46e6defec

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.11ubuntu5.8.04.4_sparc.deb
Size/MD5: 415792 f1a09efc55c39effc8e6cd01f4d49758

Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2.dsc
Size/MD5: 1530 a2f1aebd332918e92060980ac76011fa
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2.tar.gz
Size/MD5: 561023 0c73fe1803a03333866299cf4909985c

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_amd64.deb
Size/MD5: 471866 f89e7cd144b853bc99baf4c966e0c3e3

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_i386.deb
Size/MD5: 471522 042a41e7c54ef83ed3b44d5191c15a07

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_lpia.deb
Size/MD5: 471450 2ece0a60ad5ab0b2c3404d450a36eb16

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_powerpc.deb
Size/MD5: 474890 c6efa6fb38fb77446566abd5cdb05d28

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.26ubuntu15.2_sparc.deb
Size/MD5: 472200 90da98a2ea045bf27c456f652b9f9b6b

Updated packages for Ubuntu 9.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1.dsc
Size/MD5: 1537 3f5d345bb069e0796433b96dae26d9d0
http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1.tar.gz
Size/MD5: 624181 ecc8f7705c920f415f0db16ac5e1d5cb

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_amd64.deb
Size/MD5: 529182 2a19ee9baffa132f6c56268c893d9a1e

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_i386.deb
Size/MD5: 528806 2adb86a60d3e11a3ca2a076a0736148e

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_lpia.deb
Size/MD5: 528698 e519f930ed469db24073db51e3586bcb

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_powerpc.deb
Size/MD5: 532576 623f2380e8276dbc6facbff757f43554

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/d/devscripts/devscripts_2.10.39ubuntu7.1_sparc.deb
Size/MD5: 529380 5e32ebcc85a7bcadf98d27853d940b16



--dc+cDN39EJAMEtIO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrOXfIACgkQW0JvuRdL8BqSTQCfXhpan1SS13o6vDyeOLbHqC9m
7G8Anj5a8aHX7vQzrwoa9lGo/hK4yfca
=Awtu
-----END PGP SIGNATURE-----
"

Rihanna saved millions on new homeUSN-845-1: Pan vulnerability

This entry was posted on 1:11 PM .