USN-589-1: unzip vulnerability
Posted on: 03/20/2008 09:30 PM

A new unzip vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-589-1 March 20, 2008
unzip vulnerability
CVE-2008-0888
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
unzip 5.52-6ubuntu4.1

Ubuntu 6.10:
unzip 5.52-8ubuntu1.1

Ubuntu 7.04:
unzip 5.52-9ubuntu3.1

Ubuntu 7.10:
unzip 5.52-10ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that unzip did not correctly clean up pointers.
If a user or automated service was tricked into processing a specially
crafted ZIP archive, a remote attacker could execute arbitrary code with
user privileges.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1.diff.gz
Size/MD5: 12788 c944a77823f756df4f6f1352028c51ba
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1.dsc
Size/MD5: 535 05a4c713cd2bc201d7fec5dd0f1807ce
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52.orig.tar=
.gz
Size/MD5: 1140291 9d23919999d6eac9217d1f41472034a9

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1_amd64.deb
Size/MD5: 161102 b975bb72efc3b8b8a7355011090a76d3

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1_i386.deb
Size/MD5: 147240 7470f2fa04517e0b5b601f69db54ac84

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1_powerpc.deb
Size/MD5: 165218 a6b0dc720809d80d31e809492056eee0

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-6ubuntu4=
.1_sparc.deb
Size/MD5: 164078 552d2029d247f091442e174eae9c3a19

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1.diff.gz
Size/MD5: 12565 7c86995d3353555020b5072979437d32
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1.dsc
Size/MD5: 535 942549c5fc2654810ecece441c702ed7
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52.orig.tar=
.gz
Size/MD5: 1140291 9d23919999d6eac9217d1f41472034a9

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1_amd64.deb
Size/MD5: 164316 1fba1ee7c30fbd2572c49d55938eac54

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1_i386.deb
Size/MD5: 151466 20e48a45fad384a8310ce970c00903b2

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1_powerpc.deb
Size/MD5: 165248 c9f333ffc8b3ea28bd5882c6f683d200

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-8ubuntu1=
.1_sparc.deb
Size/MD5: 163544 b9cf45c1b44e808e6f4bc28a0e462ba5

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1.diff.gz
Size/MD5: 91922 4ab4fa170cfb1009969476118e6c5ea0
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1.dsc
Size/MD5: 619 721b61d3b81b58e01eab7e4d75ec0616
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52.orig.tar=
.gz
Size/MD5: 1140291 9d23919999d6eac9217d1f41472034a9

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1_amd64.deb
Size/MD5: 167272 1b0f7e30281083c3c1f7ee7ea1edbff4

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1_i386.deb
Size/MD5: 154032 ab6718b23c1cff644082b0126a72a02e

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1_powerpc.deb
Size/MD5: 169850 b3cf955d0462608841b350435a049f4d

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-9ubuntu3=
.1_sparc.deb
Size/MD5: 166698 4a8cfaa0a4f1eb5bd54649a8a770b9fd

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1.diff.gz
Size/MD5: 92162 9cb570c2efaac04984b2a0742015ea05
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1.dsc
Size/MD5: 621 8e761acc5aa550a4c12c32a1c233d992
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52.orig.tar=
.gz
Size/MD5: 1140291 9d23919999d6eac9217d1f41472034a9

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1_amd64.deb
Size/MD5: 167694 cd72a56dbb1eab868f159b9b822a22c8

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1_i386.deb
Size/MD5: 154212 be2f160d462a22bd11bf744498e69977

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1_powerpc.deb
Size/MD5: 169998 630a0893db3e5fee553860240946cb21

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-10ubuntu=
1.1_sparc.deb
Size/MD5: 166968 88ffce45be1200383a5609f09be92417


--8w3uRX/HFJGApMzv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH4sU8H/9LqRcGPm0RAvkBAJ4g6q4OyHR1Ozdsa5KstWtm6QtB8QCfYWZT
Zt/9oaolMJmR531KKmpLgII=
=5eIr
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_589_1_unzip_vulnerability.html)