USN-516-1: xfsdump vulnerability
Posted on: 09/21/2007 12:45 AM

A new xfsdump vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-516-1 September 20, 2007
xfsdump vulnerability
CVE-2007-2654
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
xfsdump 2.2.30-1ubuntu0.1

Ubuntu 6.10:
xfsdump 2.2.38-1ubuntu0.6.10.1

Ubuntu 7.04:
xfsdump 2.2.38-1ubuntu0.7.04.1

In general, a standard system upgrade is sufficient to affect the
necessary changes.

Details follow:

Paul Martin discovered that xfs_fsr creates a temporary directory
with insecure permissions. This allows a local attacker to exploit a
race condition in xfs_fsr to read or overwrite arbitrary files on xfs
filesystems.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1.dsc
Size/MD5: 618 d4f3b9ad40143e751b220f726961ebba
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1.tar.gz
Size/MD5: 576453 0bdb54112e248aec97ec3f76e31db3bc

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_amd64.deb
Size/MD5: 292386 0599bfb1c91ff8dd91092573aeddf7eb

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_i386.deb
Size/MD5: 272798 24c9b70f6bc313fd74e1c796fc8275c3

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_powerpc.deb
Size/MD5: 289254 2ca3f1498a821cedcdbbabb0e3e3024e

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_sparc.deb
Size/MD5: 269570 90ccbc30495a8af38bbd12036a9f777d

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1.dsc
Size/MD5: 637 f531f5e74e784f3eed86079c4bb4a399
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1.tar.gz
Size/MD5: 566100 7b23a7834d606502d7a417c27c985cd9

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_amd64.deb
Size/MD5: 307830 073c61422d102e82e5c19d0a02efb31f

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_i386.deb
Size/MD5: 297776 1f9d437502c787707a615370de257c03

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_powerpc.deb
Size/MD5: 323958 2bb7d2a50cb420dba81a852ff82495ec

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_sparc.deb
Size/MD5: 288660 33596c287661474fb78beb9501813657

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1.dsc
Size/MD5: 721 392609671d6695b02245178ea01bd755
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1.tar.gz
Size/MD5: 566169 665eca44b04dbcc7f753d59ff1e92997

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_amd64.deb
Size/MD5: 308552 c61901d79e291f4ac7c64f0f721d02a8

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_i386.deb
Size/MD5: 298510 d81af22139ffeefce8ef5979b4468773

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_powerpc.deb
Size/MD5: 334954 d423004a9bf53ae41806902d1e80a1ee

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_sparc.deb
Size/MD5: 291278 1bbe48738754e5a2c293723d8e3ef3e4


--mJm6k4Vb/yFcL9ZU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8wJIH/9LqRcGPm0RAoujAJ9F9mj/RJGnfqWoNyMd9JkdU9Q+iACdFIX1
kYmwoijKlXWhZG/sHAx83io=
=x2G1
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_516_1_xfsdump_vulnerability.html)