USN-732-1: dash vulnerability
Posted on: 03/11/2009 10:10 PM

A new dash vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-732-1 March 10, 2009
dash vulnerability
CVE-2009-0854
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
dash 0.5.4-8ubuntu1.1

Ubuntu 8.10:
dash 0.5.4-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Wolfgang M. Reimer discovered that dash, when invoked as a login shell, wou=
ld
source .profile files from the current directory. Local users may be able t=
o
bypass security restrictions and gain root privileges by placing specially
crafted .profile files where they might get sourced by other dash users.


Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1.diff.gz
Size/MD5: 171656 5f74e0a922546193a9e6279ad8680c76
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1.dsc
Size/MD5: 697 e78236937fea17c0c7a43427321b1ce6
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.=
gz
Size/MD5: 212145 bc457e490a589d2f87f2333616b67931

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-8ubunt=
u1.1_all.deb
Size/MD5: 22068 82557822348627c1b240069e431886e2

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1_amd64.deb
Size/MD5: 96918 b8d43124e5353042c7fd93fcc5c19cc9

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1_i386.deb
Size/MD5: 87952 6bc4578aea92450f8e00625fd7a7755a

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_lpia.deb
Size/MD5: 88194 a90de1a5dedb9cbaeb65537e8e933356

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_powerpc.=
deb
Size/MD5: 97400 5e2187820648d980b4edaa4e4a71b6c5

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_sparc.de=
b
Size/MD5: 91072 dc5e22376445e185eacdaa049421c866

Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1.diff.gz
Size/MD5: 129759 b5363e9ff9550e89dec4be8ddc408607
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1.dsc
Size/MD5: 1083 dc87a11f64c53960ffb1f55dc42a253f
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.=
gz
Size/MD5: 212145 bc457e490a589d2f87f2333616b67931

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-9ubunt=
u1.1_all.deb
Size/MD5: 22286 9a34d34a67d46b8fa42584a2a7d61f76

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1_amd64.deb
Size/MD5: 99406 8703819fce4bc25f65caa350de05763c

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1_i386.deb
Size/MD5: 90266 9d8931f5ef08f4d649127db0ab644f8e

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_lpia.deb
Size/MD5: 90322 a0db897e7a7c5a7706d71674bad025ee

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_powerpc.=
deb
Size/MD5: 99500 a583f4a7fc59a7495cb3615c4af54b05

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_sparc.de=
b
Size/MD5: 93030 1bd3a8c0907e56cb2ed17c572e61842b



--=-UJW/IxyRJzuGmm9cjozh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkm2m1gACgkQLMAs/0C4zNqpSgCeLpcCwv2HxQbBl47MmmbGyyJn
FHIAnAqxJRRcam0OyXgwgOY+WuUpfvld
=cZeU
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_732_1_dash_vulnerability.html)