[USN-161-1] bzip2 utility vulnerability

Martin Pitt martin.pitt at canonical.com
Thu Aug 4 17:27:18 UTC 2005


===========================================================
Ubuntu Security Notice USN-161-1	    August 04, 2005
bzip2 vulnerability
CAN-2005-0758
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

bzip2

The problem can be corrected by upgrading the affected package to
version 1.0.2-1ubuntu0.2 (for Ubuntu 4.10), or 1.0.2-2ubuntu0.2 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

USN-158-1 fixed a command injection vulnerability in the "zgrep"
utility. It was determined that the "bzgrep" counterpart in the bzip2
package is vulnerable to the same flaw.

bzgrep did not handle shell metacharacters like '|' and '&' properly
when they occurred in input file names. This could be exploited to
execute arbitrary commands with user privileges if bzgrep was run in
an untrusted directory with specially crafted file names.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2.diff.gz
      Size/MD5:    11735 3d9a5ae13b16a5dd9020e57beac79c74
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2.dsc
      Size/MD5:      582 a489f79813ba7da1e62bbda3c235ccbc
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2.orig.tar.gz
      Size/MD5:   665198 ee76864958d568677f03db8afad92beb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_amd64.deb
      Size/MD5:   231752 ee54b95496fe4c6a1313e3179ea765cd
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_amd64.deb
      Size/MD5:    36382 078310a7316287142bce4b063be16e86
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_amd64.deb
      Size/MD5:    29904 7204b4c261a55e95aaf011dabb287f9e

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_i386.deb
      Size/MD5:   229128 ec416f0b001b14295fc301d79d19a9f2
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_i386.deb
      Size/MD5:    37272 3591a3038d53686d76d085cbe4097e68
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_i386.deb
      Size/MD5:    29254 a7520ab570bd81d17d48f2beafb384ce

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-1ubuntu0.2_powerpc.deb
      Size/MD5:   232308 da79f11ca562eabae59a39ea1af6fb55
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-1ubuntu0.2_powerpc.deb
      Size/MD5:    41522 8b009f607553df1e5819290f932f7799
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-1ubuntu0.2_powerpc.deb
      Size/MD5:    33608 881c09f2a5a1e4489832daf480679e71

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2.diff.gz
      Size/MD5:    11920 878237573cd883fa7a5d60ccfe7b0622
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2.dsc
      Size/MD5:      605 a26e3733c18d2c2ca4d69c147ff3767b
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2.orig.tar.gz
      Size/MD5:   665198 ee76864958d568677f03db8afad92beb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_amd64.deb
      Size/MD5:   232126 9fa0d2d4357982cb6e1724d72e2688a6
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_amd64.deb
      Size/MD5:    36928 ca8e86a00ffcb01a36c9522b25a0f6c5
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_amd64.deb
      Size/MD5:    30270 dd1c9cf3094e4f473e34df06ae9a6802

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_i386.deb
      Size/MD5:   229310 ca982f58fe86f2db0d59ad16fbacca12
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_i386.deb
      Size/MD5:    37800 db46c02fd95f3f7677bb74f69b265d5f
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_i386.deb
      Size/MD5:    29618 7a26241a9f0ae036f3382e0d81ef90fc

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.2-2ubuntu0.2_powerpc.deb
      Size/MD5:   232654 16fe2e3ea9e354e2ad8ed70d39aa43ac
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.2-2ubuntu0.2_powerpc.deb
      Size/MD5:    42082 f409f7820a9e60aa705c509e9cf5265a
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.2-2ubuntu0.2_powerpc.deb
      Size/MD5:    33974 c5da4019a28953a92625e1e02d4c3a27
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20050804/9cf0031f/attachment.pgp>


More information about the ubuntu-security-announce mailing list