==========================================================================
Ubuntu Security Notice USN-2183-1
April 28, 2014
dpkg vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
A malicious source package could write files outside the unpack directory.
Software Description:
- dpkg: Debian package management system
Details:
Jakub Wilk discovered that dpkg incorrectly handled certain paths and symlinks when
unpacking source packages. If a user or an automated system were tricked
into unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial of
service or potentially gaining access to the system.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libdpkg-perl 1.17.5ubuntu5.1
Ubuntu 13.10:
libdpkg-perl 1.16.12ubuntu1.1
Ubuntu 12.10:
libdpkg-perl 1.16.7ubuntu6.1
Ubuntu 12.04 LTS:
libdpkg-perl 1.16.1.2ubuntu7.3
Ubuntu 10.04 LTS:
dpkg-dev 1.15.5.6ubuntu4.7
In general, a standard system update will make all the necessary changes.
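
To check a package inventory against the fixed versions listed above, the following added example (not part of the original notice) compares installed versions using a pure-Python implementation of dpkg's version ordering, so it also runs on a machine without dpkg. The inventory line format, the host names and the installed versions in the sample are assumptions constructed for illustration.

```python
import re

# Fixed versions per release, copied from the update instructions above.
FIXED = {
    "14.04": ("libdpkg-perl", "1.17.5ubuntu5.1"),
    "13.10": ("libdpkg-perl", "1.16.12ubuntu1.1"),
    "12.10": ("libdpkg-perl", "1.16.7ubuntu6.1"),
    "12.04": ("libdpkg-perl", "1.16.1.2ubuntu7.3"),
    "10.04": ("dpkg-dev", "1.15.5.6ubuntu4.7"),
}

def _order(c):
    # dpkg ordering: "~" sorts before end of string (0), letters before other characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # One ([character orders..., 0], number) pair per non-digit run and digit run.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"([^0-9]*)([0-9]*)", part)]

def _cmp_part(a, b):
    ka, kb = _key(a), _key(b)
    pad = [([0], 0)]  # an exhausted string compares as an empty run followed by 0
    ka, kb = ka + pad * len(kb), kb + pad * len(ka)
    return (ka > kb) - (ka < kb)

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(a, b):  # -1, 0 or 1: a is older than, equal to, newer than b
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    """Return (host, installed, fixed) for every host still below the fixed version."""
    stale = []
    for line in inventory.splitlines():
        host, release, package, installed = line.split()
        pkg, fixed = FIXED.get(release, (None, None))
        if package == pkg and compare_versions(installed, fixed) < 0:
            stale.append((host, installed, fixed))
    return stale

# Constructed sample: "<host> <release> <package> <installed version>" per line.
SAMPLE = """web01 14.04 libdpkg-perl 1.17.5ubuntu5
build02 12.04 libdpkg-perl 1.16.1.2ubuntu7.3
build03 12.04 libdpkg-perl 1.16.1.2ubuntu7.2"""
```

Calling `audit(SAMPLE)` reports web01 and build03 as needing the update. On a single host, `dpkg --compare-versions <installed> ge <fixed>` performs the same comparison.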
References:
http://www.ubuntu.com/usn/usn-2183-1
CVE-2014-0471
Package Information:
https://launchpad.net/ubuntu/+source/dpkg/1.17.5ubuntu5.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.12ubuntu1.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.7ubuntu6.1
https://launchpad.net/ubuntu/+source/dpkg/1.16.1.2ubuntu7.3
https://launchpad.net/ubuntu/+source/dpkg/1.15.5.6ubuntu4.7