[USN-590-1] bzip2 vulnerability

Kees Cook kees at ubuntu.com
Mon Mar 24 20:47:17 UTC 2008


=========================================================== 
Ubuntu Security Notice USN-590-1             March 24, 2008
bzip2 vulnerability
CVE-2008-1372
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libbz2-1.0                      1.0.3-0ubuntu2.1

Ubuntu 6.10:
  libbz2-1.0                      1.0.3-3ubuntu0.1

Ubuntu 7.04:
  libbz2-1.0                      1.0.3-6ubuntu0.1

Ubuntu 7.10:
  libbz2-1.0                      1.0.4-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that bzip2 did not correctly handle certain malformed
archives.  If a user or automated system were tricked into processing
a specially crafted bzip2 archive, applications linked against libbz2
could be made to crash, possibly leading to a denial of service.


