USN-158-1: gzip utility vulnerability
Posted on: 08/01/2005 06:10 AM

A gzip utility security update has been released for Ubuntu Linux

==========================================================
Ubuntu Security Notice USN-158-1 August 01, 2005
gzip vulnerability
CAN-2005-0758
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gzip

The problem can be corrected by upgrading the affected package to version 1.3.5-9ubuntu3.3 (for Ubuntu 4.10), or 1.3.5-9ubuntu3.4 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

zgrep did not handle shell metacharacters like '|' and '' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.


Updated packages for Ubuntu 4.10 (Warty Warthog):

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.diff.gz
Size/MD5: 59244 9107611292808f982cb7e84a3e31cda3
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.dsc
Size/MD5: 570 4848f3b7d4bf7dad3bfdce969fdb47a4
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_amd64.deb
Size/MD5: 75472 bae609933a71ea74bb41493df98e193c

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_i386.deb
Size/MD5: 70372 b774c65773bcb2cbadec5cc15ef12344

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_powerpc.deb
Size/MD5: 76988 5c868f74064211a975e44ec4917887a2

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.diff.gz
Size/MD5: 59260 4fe91fb2521be43a1961f7c0ae131014
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.dsc
Size/MD5: 570 62b96204e004beb977ae78ebb99b9120
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_amd64.deb
Size/MD5: 75576 21efd370efb1c0517ac767b95a37ee0a

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_i386.deb
Size/MD5: 70394 307afbed15ed18fa0b3ddf339d8b7815

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_powerpc.deb
Size/MD5: 77130 d3a3407db3ad0a86b5556043984604cf

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_158_1_gzip_utility_vulnerability.html)