===========================================================
Ubuntu Security Notice USN-909-1             March 11, 2010
dpkg vulnerability
CVE-2010-0396
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dpkg-dev                        1.13.11ubuntu7.1

Ubuntu 8.04 LTS:
  dpkg-dev                        1.14.16.6ubuntu4.1

Ubuntu 8.10:
  dpkg-dev                        1.14.20ubuntu6.3

Ubuntu 9.04:
  dpkg-dev                        1.14.24ubuntu1.1

Ubuntu 9.10:
  dpkg-dev                        1.15.4ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

William Grant discovered that dpkg-source did not safely apply diffs when
unpacking source packages. If a user or an automated system were tricked
into unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial of
service or potentially gaining access to the system.
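As an added illustration (not part of the original advisory and not the dpkg-source fix), the following pre-flight check lists file headers in a unified diff that name a target outside the unpack tree. The function names and the sample diff are constructed for this example; the check covers header paths only and does not detect symlinks inside the tree.

```python
import re

# Constructed sample diff (not from a real package). The first hunk removes a
# line whose text begins with "-- ", which looks like a header but is not one.
SAMPLE_DIFF = """\
--- hello-1.0.orig/debian/rules
+++ hello-1.0/debian/rules
@@ -1,2 +1,2 @@
 #!/usr/bin/make -f
--- ../old-comment
+# new comment
--- hello-1.0.orig/../../home/user/.profile
+++ hello-1.0/../../home/user/.profile
@@ -0,0 +1 @@
+echo constructed
--- /dev/null
+++ /etc/example.conf
@@ -0,0 +1 @@
+constructed
"""

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def is_unsafe(path):
    """Reject absolute paths and any '..' component in a diff header path."""
    return path.startswith("/") or ".." in path.split("/")

def unsafe_targets(diff_text):
    """Return header paths in a unified diff that point outside the unpack tree."""
    bad = []
    old_left = new_left = 0  # lines still owed by the current hunk
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:
            # Hunk body: '--- '/'+++ ' here is file content, never a header.
            if not line.startswith("\\"):  # skip "\ No newline at end of file"
                old_left -= line[:1] != "+"  # context and '-' lines use up old lines
                new_left -= line[:1] != "-"  # context and '+' lines use up new lines
            continue
        m = HUNK.match(line)
        if m:
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line.startswith(("--- ", "+++ ")):
            path = line[4:].split("\t", 1)[0].strip()  # drop optional timestamp
            if path != "/dev/null" and is_unsafe(path) and path not in bad:
                bad.append(path)
    return bad

if __name__ == "__main__":
    print(unsafe_targets(SAMPLE_DIFF))
```
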