LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: July 28th, 2014
Linux Advisory Watch: July 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: gzip vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Tavis Ormandy discovered that gzip did not sufficiently verify the validity of gzip or compress archives while unpacking. By tricking an user or automated system into unpacking a specially crafted compressed file, this could be exploited to execute arbitrary code with the user's privileges.
=========================================================== 
Ubuntu Security Notice USN-349-1         September 19, 2006
gzip vulnerabilities
CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
CVE-2006-4338
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  gzip                                     1.3.5-9ubuntu3.5

Ubuntu 5.10:
  gzip                                     1.3.5-11ubuntu2.1

Ubuntu 6.06 LTS:
  gzip                                     1.3.5-12ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that gzip did not sufficiently verify the
validity of gzip or compress archives while unpacking. By tricking an
user or automated system into unpacking a specially crafted compressed
file, this could be exploited to execute arbitrary code with the
user's privileges.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.5.diff.gz
      Size/MD5:    61153 d63e10a794e5ea01f2accdbaf8bf3d80
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.5.dsc
      Size/MD5:      570 24976fc238f8e6614cc28cd3d2a6ddca
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.5_amd64.deb
      Size/MD5:    75848 209e5949f27077a5111a0e48e1814e28

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.5_i386.deb
      Size/MD5:    70672 bb8ecf2656df00adb2f73d7c58bfae16

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.5_powerpc.deb
      Size/MD5:    77502 866b75307a0c11bba729754014d37cf2

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1.diff.gz
      Size/MD5:    61684 90455942d0fc30de77d0a7e03db7901d
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1.dsc
      Size/MD5:      572 e6b726ade7eef11b0ec01a78709718ec
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1_amd64.deb
      Size/MD5:    76842 5afca3802f6380462aa81df1b71e03e6

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1_i386.deb
      Size/MD5:    71672 f84d912eb056ba6301d7972a1da6fbf0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1_powerpc.deb
      Size/MD5:    78620 83dbc2b0f7ea1be86bdfd384b0a1a42e

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-11ubuntu2.1_sparc.deb
      Size/MD5:    75866 0390a63c0774ae2661fab737371044f8

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1.diff.gz
      Size/MD5:    59646 2661380cbe7761cda97ca2282820a9be
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1.dsc
      Size/MD5:      574 200363f2ab018cea40c61cf9c98c705c
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1_amd64.deb
      Size/MD5:    76470 5e9e2d325e742ce73c3c070e5d7856b3

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1_i386.deb
      Size/MD5:    71224 4c232bcc8218250455ec4d89eabaa7ea

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1_powerpc.deb
      Size/MD5:    78232 43b9c25f558df5037c5b798bd87a43ef

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.1_sparc.deb
      Size/MD5:    74976 25095d566148ad95e3a7fd96c03f2122

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System
Internet of things big security worry, says HP
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Insecure Connections: Enterprises hacked after neglecting third-party risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.