[USN-158-1] gzip utility vulnerability

Martin Pitt martin.pitt at canonical.com
Mon Aug 1 10:35:42 UTC 2005


===========================================================
Ubuntu Security Notice USN-158-1            August 01, 2005
gzip vulnerability
CAN-2005-0758
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gzip

The problem can be corrected by upgrading the affected package to
version 1.3.5-9ubuntu3.3 (for Ubuntu 4.10), or 1.3.5-9ubuntu3.4 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

zgrep did not handle shell metacharacters like '|' and '&' properly
when they occurred in input file names. This could be exploited to
execute arbitrary commands with user privileges if zgrep is run in an
untrusted directory with specially crafted file names.


Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.diff.gz
      Size/MD5:    59244 9107611292808f982cb7e84a3e31cda3
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.dsc
      Size/MD5:      570 4848f3b7d4bf7dad3bfdce969fdb47a4
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_amd64.deb
      Size/MD5:    75472 bae609933a71ea74bb41493df98e193c

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_i386.deb
      Size/MD5:    70372 b774c65773bcb2cbadec5cc15ef12344

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_powerpc.deb
      Size/MD5:    76988 5c868f74064211a975e44ec4917887a2

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.diff.gz
      Size/MD5:    59260 4fe91fb2521be43a1961f7c0ae131014
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.dsc
      Size/MD5:      570 62b96204e004beb977ae78ebb99b9120
    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
      Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_amd64.deb
      Size/MD5:    75576 21efd370efb1c0517ac767b95a37ee0a

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_i386.deb
      Size/MD5:    70394 307afbed15ed18fa0b3ddf339d8b7815

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_powerpc.deb
      Size/MD5:    77130 d3a3407db3ad0a86b5556043984604cf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20050801/b412265e/attachment.pgp>


More information about the ubuntu-security-announce mailing list