Articles / Ubuntu: New gzip packages f...

Ubuntu: New gzip packages fix vulnerabilities

It was discovered that gzip incorrectly handled certain malformed compressed files. If a user or automated system were tricked into opening a specially crafted gzip file, an attacker could cause gzip to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Aki Helin discovered that gzip incorrectly handled certain malformed files compressed with the Lempel–Ziv–Welch (LZW) algorithm. If a user or automated system were tricked into opening a specially crafted gzip file, an attacker could cause gzip to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Updated packages are available from security.ubuntu.com.

===========================================================
Ubuntu Security Notice USN-889-1           January 20, 2010
gzip vulnerabilities
CVE-2009-2624, CVE-2010-0001
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
 gzip                            1.3.5-12ubuntu0.3

Ubuntu 8.04 LTS:
 gzip                            1.3.12-3.2ubuntu0.1

Ubuntu 8.10:
 gzip                            1.3.12-6ubuntu2.8.10.1

Ubuntu 9.04:
 gzip                            1.3.12-6ubuntu2.9.04.1

Ubuntu 9.10:
 gzip                            1.3.12-8ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that gzip incorrectly handled certain malformed
compressed files. If a user or automated system were tricked into opening a
specially crafted gzip file, an attacker could cause gzip to crash or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2009-2624)

Aki Helin discovered that gzip incorrectly handled certain malformed
files compressed with the Lempel–Ziv–Welch (LZW) algorithm. If a user or
automated system were tricked into opening a specially crafted gzip file,
an attacker could cause gzip to crash or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0001)


Updated packages for Ubuntu 6.06 LTS:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3.diff.gz
     Size/MD5:    60450 f776594c89517aee5199d730262c631a
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3.dsc
     Size/MD5:      580 57e2e736523ddca8eed471e37d95ba56
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
     Size/MD5:   331550 3d6c191dfd2bf307014b421c12dc8469

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_amd64.deb
     Size/MD5:    76784 382af29edab6956cb7e22d9038e7a0c6

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_i386.deb
     Size/MD5:    71542 2dba95bc16563deca9cb2043716c0614

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_powerpc.deb
     Size/MD5:    78570 14fca9db29e847da26a96d1b7eacc987

 sparc architecture (Sun SPARC/UltraSPARC):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_sparc.deb
     Size/MD5:    75350 a32d045bff7a8b2eded7ca44a6c56a71

Updated packages for Ubuntu 8.04 LTS:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1.diff.gz
     Size/MD5:    21097 35ac77f9806cfaf89b44ad13f036ebb0
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1.dsc
     Size/MD5:      690 26bb99c8353a1cea7817da3ac5b72936
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
     Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_amd64.deb
     Size/MD5:   105556 39a705cdad01d749880b1cc6d128cdbc

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_i386.deb
     Size/MD5:   100940 e05abba2953254007df763fd017c99f7

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_lpia.deb
     Size/MD5:   101502 bf3de26dd23cd7514f0d5b224219ac08

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_powerpc.deb
     Size/MD5:   107674 aa414734d70182cfccd0ac02c8873ad2

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_sparc.deb
     Size/MD5:   104294 bb4276c79332aac1f83a49fdaa347374

Updated packages for Ubuntu 8.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1.diff.gz
     Size/MD5:    14889 2de284c09d34e03bcfa28cd23b4dc9bb
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1.dsc
     Size/MD5:     1094 4849b332ad6c9985cce9055552586bc2
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
     Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_amd64.deb
     Size/MD5:   106498 d9d201515bae0a02ba0b4aa624c1bdfd

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_i386.deb
     Size/MD5:   101904 4074fbe8d0b57b38718efca5e1d5b6ae

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_lpia.deb
     Size/MD5:   102400 02c4cfb84517e6919817c7c647cc4fb1

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_powerpc.deb
     Size/MD5:   108666 e1c040d3997a19719553d7696c66ce11

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_sparc.deb
     Size/MD5:   105492 22015ce9386f9efcc9e6747cf454bfbb

Updated packages for Ubuntu 9.04:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1.diff.gz
     Size/MD5:    14895 3490828be3af884992fc987b7c2f5b2b
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1.dsc
     Size/MD5:     1094 64319e2f975a269dbed1022c6dfef3cf
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
     Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_amd64.deb
     Size/MD5:   106504 4572428e480bab4e70f3e37c7000ec03

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_i386.deb
     Size/MD5:   101912 9ebe65aa9f52828d4dc119088f8b272f

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_lpia.deb
     Size/MD5:   102432 03d12cec2b884662ba1dec7aad3dcd70

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_powerpc.deb
     Size/MD5:   108672 4bf7e4175faf5ca41f66a8a039825b01

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_sparc.deb
     Size/MD5:   105472 c672bd50726018ee46973bfc7bf048dd

Updated packages for Ubuntu 9.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1.diff.gz
     Size/MD5:    15815 940f33cfc1386b5697b87cc1392e1bfd
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1.dsc
     Size/MD5:     1116 c8a32b46e7f0a68ce00749d69ed1ecfa
   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12.orig.tar.gz
     Size/MD5:   462169 b5bac2d21840ae077e0217bc5e4845b1

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_amd64.deb
     Size/MD5:   107018 ade7350ccb5f830e190d069386d47db1

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_i386.deb
     Size/MD5:   102242 ecd938e16f552d6b6cadfe319f87cb3f

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_lpia.deb
     Size/MD5:   102672 055afc8fe249dc1ea52459d23e886b2f

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_powerpc.deb
     Size/MD5:   108986 2ada6675566a5ef68ab42eb172de5a81

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_sparc.deb
     Size/MD5:   106090 e2e1abe98864d65a73a7302b922f97b1
Screenshot

Project Spotlight

ADempiere

An ERP system.

Screenshot

Project Spotlight

icctext

A utility to edit text tags in an ICC profile.