Hosting Provided By

[SECURITY] [DSA 1465-2] New apt-listchanges packages fix arbitrary code execution

From: Steve Kemp <skx(at)debian.org>
Date: Thu Jan 17 2008 - 11:14:30 EST

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

------------------------------------------------------------------------ Debian Security Advisory DSA-1465-2 security@debian.org http://www.debian.org/security/ Steve Kemp January 17, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : apt-listchanges
Vulnerability  : programming error
Problem type   : local
Debian-specific: yes
CVE Id(s)      : CVE-2008-0302

Felipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitary shell commands if the root user executed the command in a directory which other local users may write to.

This security update fixes a regression in the previous one, which caused the package to fail to work.

For the stable distribution (etch), this problem has been fixed in version 2.72.5etch1.

For the old stable distribution (sarge), this problem was not present.

For the unstable distribution (sid), this problem has been fixed in version 2.82.

We recommend that you upgrade your apt-listchanges package.

Upgrade instructions

- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Do you need help?

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

- --------------------------------

Debian GNU/Linux 4.0 alias etch

- -------------------------------

Debian (stable)
- ---------------

Do you need more help?

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/a/apt-listchanges/apt-listchanges_2.72.5etch2.tar.gz
    Size/MD5 checksum:    82907 2269a7d6e2bc1c964d214aa09696674f
  
http://security.debian.org/pool/updates/main/a/apt-listchanges/apt-listchanges_2.72.5etch2.dsc
    Size/MD5 checksum:      665 3f7898a52530e876b443dd8984b58f98

Architecture independent packages:

http://security.debian.org/pool/updates/main/a/apt-listchanges/apt-listchanges_2.72.5etch2_all.deb Size/MD5 checksum: 65308 323f63a82a48342fa5a2dbfd8c045c14

These files will probably be moved into the stable distribution on its next update.

--------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHj365wM/Gs81MDZ0RAgWSAKCquI3zg3sRhylg7kZtPkL/HFE6EACcDL9z NStMOkJ9uvo7YpqNnnQrrvU=
=fp/A
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Thu Jan 17 11:20:18 2008

This message: [ Message body ]
Next message: Moritz Muehlenhoff: "[SECURITY] [DSA 1466-1] New xorg-server packages fix several vulnerabilities"
Previous message: Steve Kemp: "[SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:53:48 EDT