Ubuntu alert USN-127-1 (bzip2)

From:  Martin Pitt
Subject:  [USN-127-1] bzip2 vulnerabilities
Date:  Tue, 17 May 2005 14:58:40 +0200

===========================================================
Ubuntu Security Notice USN-127-1               May 17, 2005
bzip2 vulnerabilities
CAN-2005-0953, CAN-2005-1260
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

bzip2
libbz2-1.0

The problem can be corrected by upgrading the affected package to
version 1.0.2-1ubuntu0.1 (for Ubuntu 4.10), or 1.0.2-2ubuntu0.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Imran Ghory discovered a race condition in the file permission restore
code of bunzip2. While a user was decompressing a file, a local
attacker with write permissions in the directory of that file could
replace the target file with a hard link. This would cause bzip2 to
restore the file permissions to the hard link target instead of to the
bzip2 output file, which could be exploited to gain read or even write
access to files of other users. (CAN-2005-0953)

Specially crafted bzip2 archives caused an infinite loop in the
decompressor which resulted in an indefinitely large output file
("decompression bomb"). This could be exploited for a Denial of Service
attack due to disk space exhaustion on systems which automatically
process user-supplied bzip2 compressed files.
(CAN-2005-1260)

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives
  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
  i386 architecture (x86 compatible Intel/AMD)
  powerpc architecture (Apple Macintosh G3/G4/G5)

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives
  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
  i386 architecture (x86 compatible Intel/AMD)
  powerpc architecture (Apple Macintosh G3/G4/G5)

-- 
ubuntu-security-announce mailing list
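
For services that automatically process user-supplied bzip2 files, the following added example (not part of the original notice, and not the Ubuntu or upstream patch) caps the decompressed output size and sets permissions through the open file descriptor instead of the path. The names bounded_bunzip2 and OutputLimitExceeded, the limits and the sample input are assumptions chosen for illustration.

```python
import bz2
import contextlib
import os
import tempfile


class OutputLimitExceeded(Exception):
    """Decompressed output would exceed the configured cap."""


def bounded_bunzip2(src_path, dst_path, max_out, mode=0o600, chunk=65536):
    """Decompress one bzip2 stream to dst_path; return bytes written."""
    # O_EXCL and O_NOFOLLOW refuse a pre-planted file or symlink at dst_path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(dst_path, flags, 0o600)
    written = 0
    try:
        dec = bz2.BZ2Decompressor()
        with open(src_path, "rb") as src, os.fdopen(fd, "wb", closefd=False) as out:
            while not dec.eof:
                data = src.read(chunk) if dec.needs_input else b""
                if dec.needs_input and not data:
                    raise EOFError("truncated bzip2 stream")
                # max_length bounds each step, so memory use stays flat.
                piece = dec.decompress(data, max_length=chunk)
                written += len(piece)
                if written > max_out:
                    raise OutputLimitExceeded(f"output exceeds {max_out} bytes")
                out.write(piece)
        # fchmod hits the inode we created, never whatever dst_path names now.
        os.fchmod(fd, mode)
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(dst_path)  # drop partial output
        raise
    finally:
        os.close(fd)
    return written


if __name__ == "__main__":
    # Constructed sample: 20 MB of zero bytes, which bzip2 shrinks drastically.
    with tempfile.TemporaryDirectory() as d:
        bomb = os.path.join(d, "bomb.bz2")
        with open(bomb, "wb") as f:
            f.write(bz2.compress(bytes(20_000_000)))
        try:
            bounded_bunzip2(bomb, os.path.join(d, "out"), max_out=1_000_000)
        except OutputLimitExceeded as exc:
            print("rejected:", exc)
```

The sketch handles a single bzip2 stream; concatenated streams would need the loop restarted on the decompressor's unused_data with the same running total.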

