Ubuntu Local Security Checks : Ubuntu USN-349-1 (gzip)

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.57393

Category: Ubuntu Local Security Checks

Title: Ubuntu USN-349-1 (gzip)

Summary: Ubuntu USN-349-1 (gzip)

Description:
The remote host is missing an update to gzip
announced via advisory USN-349-1.

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

Tavis Ormandy discovered that gzip did not sufficiently verify the
validity of gzip or compress archives while unpacking. By tricking an
user or automated system into unpacking a specially crafted compressed
file, this could be exploited to execute arbitrary code with the
user's privileges.

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
gzip 1.3.5-9ubuntu3.5

Ubuntu 5.10:
gzip 1.3.5-11ubuntu2.1

Ubuntu 6.06 LTS:
gzip 1.3.5-12ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-349-1

Risk factor : High

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2006-4334
Bugtraq: 20060919 rPSA-2006-0170-1 gzip (Google Search)
http://www.securityfocus.com/archive/1/archive/1/446426/100/0/threaded
Bugtraq: 20070330 VMSA-2007-0002 VMware ESX security updates (Google Search)
http://www.securityfocus.com/archive/1/archive/1/464268/100/0/threaded
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
Debian Security Information: DSA-1181 (Google Search)
http://www.us.debian.org/security/2006/dsa-1181
http://www.securityfocus.com/archive/1/archive/1/451324/100/0/threaded
FreeBSD Security Advisory: FreeBSD-SA-06:21
http://security.freebsd.org/advisories/FreeBSD-SA-06:21.gzip.asc
http://security.gentoo.org/glsa/glsa-200609-13.xml
HPdes Security Advisory: HPSBTU02168
http://www.securityfocus.com/archive/1/archive/1/450078/100/0/threaded
HPdes Security Advisory: SSRT061237
HPdes Security Advisory: HPSBUX02195
http://www.securityfocus.com/archive/1/archive/1/462007/100/0/threaded
http://www.mandriva.com/security/advisories?name=MDKSA-2006:167
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.020-gzip.html
http://www.redhat.com/support/errata/RHSA-2006-0667.html
SGI Security Advisory: 20061001-01-P
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102766-1
SuSE Security Announcement: SUSE-SA:2006:056 (Google Search)
http://www.novell.com/linux/security/advisories/2006_56_gzip.html
http://www.trustix.org/errata/2006/0052/
http://www.ubuntu.com/usn/usn-349-1
Cert/CC Advisory: TA06-333A
http://www.us-cert.gov/cas/techalerts/TA06-333A.html
CERT/CC vulnerability note: VU#933712
http://www.kb.cert.org/vuls/id/933712
BugTraq ID: 20101
http://www.securityfocus.com/bid/20101
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10527
http://www.vupen.com/english/advisories/2006/4275
http://www.vupen.com/english/advisories/2006/4750
http://www.vupen.com/english/advisories/2007/0092
http://www.vupen.com/english/advisories/2007/0832
http://www.vupen.com/english/advisories/2007/1171
http://securitytracker.com/id?1016883
http://secunia.com/advisories/22002
http://secunia.com/advisories/22009
http://secunia.com/advisories/22017
http://secunia.com/advisories/22033
http://secunia.com/advisories/22034
http://secunia.com/advisories/22012
http://secunia.com/advisories/22043
http://secunia.com/advisories/22085
http://secunia.com/advisories/22101
http://secunia.com/advisories/22027
http://secunia.com/advisories/22435
http://secunia.com/advisories/22661
http://secunia.com/advisories/22487
http://secunia.com/advisories/23155
http://secunia.com/advisories/21996
http://secunia.com/advisories/23679
http://secunia.com/advisories/24435
http://secunia.com/advisories/24636
XForce ISS Database: gzip-huftbuild-code-execution(29038)
http://xforce.iss.net/xforce/xfdb/29038
Common Vulnerability Exposure (CVE) ID: CVE-2006-4335
http://www.gentoo.org/security/en/glsa/glsa-200611-24.xml
CERT/CC vulnerability note: VN#381508
http://www.kb.cert.org/vuls/id/381508
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10391
http://www.vupen.com/english/advisories/2006/3695
http://www.vupen.com/english/advisories/2006/4760
http://secunia.com/advisories/23153
http://secunia.com/advisories/23156
XForce ISS Database: gzip-lzh-array-code-execution(29040)
http://xforce.iss.net/xforce/xfdb/29040
Common Vulnerability Exposure (CVE) ID: CVE-2006-4336
CERT/CC vulnerability note: VN#554780
http://www.kb.cert.org/vuls/id/554780
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10140
XForce ISS Database: gzip-unpack-buffer-underflow(29042)
http://xforce.iss.net/xforce/xfdb/29042
Common Vulnerability Exposure (CVE) ID: CVE-2006-4337
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11212
Common Vulnerability Exposure (CVE) ID: CVE-2006-4338
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11290
http://www.osvdb.org/29008
XForce ISS Database: gzip-lhz-dos(29046)
http://xforce.iss.net/xforce/xfdb/29046

Copyright Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.57393
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-349-1 (gzip)
Summary:	Ubuntu USN-349-1 (gzip)
Description:	The remote host is missing an update to gzip announced via advisory USN-349-1. A security issue affects the following Ubuntu releases: Ubuntu 5.04 Ubuntu 5.10 Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. Tavis Ormandy discovered that gzip did not sufficiently verify the validity of gzip or compress archives while unpacking. By tricking an user or automated system into unpacking a specially crafted compressed file, this could be exploited to execute arbitrary code with the user's privileges. Solution: The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.04: gzip 1.3.5-9ubuntu3.5 Ubuntu 5.10: gzip 1.3.5-11ubuntu2.1 Ubuntu 6.06 LTS: gzip 1.3.5-12ubuntu0.1 In general, a standard system upgrade is sufficient to effect the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-349-1 Risk factor : High
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2006-4334 Bugtraq: 20060919 rPSA-2006-0170-1 gzip (Google Search) http://www.securityfocus.com/archive/1/archive/1/446426/100/0/threaded Bugtraq: 20070330 VMSA-2007-0002 VMware ESX security updates (Google Search) http://www.securityfocus.com/archive/1/archive/1/464268/100/0/threaded http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676 http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html Debian Security Information: DSA-1181 (Google Search) http://www.us.debian.org/security/2006/dsa-1181 http://www.securityfocus.com/archive/1/archive/1/451324/100/0/threaded FreeBSD Security Advisory: FreeBSD-SA-06:21 http://security.freebsd.org/advisories/FreeBSD-SA-06:21.gzip.asc http://security.gentoo.org/glsa/glsa-200609-13.xml HPdes Security Advisory: HPSBTU02168 http://www.securityfocus.com/archive/1/archive/1/450078/100/0/threaded HPdes Security Advisory: SSRT061237 HPdes Security Advisory: HPSBUX02195 http://www.securityfocus.com/archive/1/archive/1/462007/100/0/threaded http://www.mandriva.com/security/advisories?name=MDKSA-2006:167 http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.020-gzip.html http://www.redhat.com/support/errata/RHSA-2006-0667.html SGI Security Advisory: 20061001-01-P ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852 http://sunsolve.sun.com/search/document.do?assetkey=1-26-102766-1 SuSE Security Announcement: SUSE-SA:2006:056 (Google Search) http://www.novell.com/linux/security/advisories/2006_56_gzip.html http://www.trustix.org/errata/2006/0052/ http://www.ubuntu.com/usn/usn-349-1 Cert/CC Advisory: TA06-333A http://www.us-cert.gov/cas/techalerts/TA06-333A.html CERT/CC vulnerability note: VU#933712 http://www.kb.cert.org/vuls/id/933712 BugTraq ID: 20101 http://www.securityfocus.com/bid/20101 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10527 http://www.vupen.com/english/advisories/2006/4275 http://www.vupen.com/english/advisories/2006/4750 http://www.vupen.com/english/advisories/2007/0092 http://www.vupen.com/english/advisories/2007/0832 http://www.vupen.com/english/advisories/2007/1171 http://securitytracker.com/id?1016883 http://secunia.com/advisories/22002 http://secunia.com/advisories/22009 http://secunia.com/advisories/22017 http://secunia.com/advisories/22033 http://secunia.com/advisories/22034 http://secunia.com/advisories/22012 http://secunia.com/advisories/22043 http://secunia.com/advisories/22085 http://secunia.com/advisories/22101 http://secunia.com/advisories/22027 http://secunia.com/advisories/22435 http://secunia.com/advisories/22661 http://secunia.com/advisories/22487 http://secunia.com/advisories/23155 http://secunia.com/advisories/21996 http://secunia.com/advisories/23679 http://secunia.com/advisories/24435 http://secunia.com/advisories/24636 XForce ISS Database: gzip-huftbuild-code-execution(29038) http://xforce.iss.net/xforce/xfdb/29038 Common Vulnerability Exposure (CVE) ID: CVE-2006-4335 http://www.gentoo.org/security/en/glsa/glsa-200611-24.xml CERT/CC vulnerability note: VN#381508 http://www.kb.cert.org/vuls/id/381508 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10391 http://www.vupen.com/english/advisories/2006/3695 http://www.vupen.com/english/advisories/2006/4760 http://secunia.com/advisories/23153 http://secunia.com/advisories/23156 XForce ISS Database: gzip-lzh-array-code-execution(29040) http://xforce.iss.net/xforce/xfdb/29040 Common Vulnerability Exposure (CVE) ID: CVE-2006-4336 CERT/CC vulnerability note: VN#554780 http://www.kb.cert.org/vuls/id/554780 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10140 XForce ISS Database: gzip-unpack-buffer-underflow(29042) http://xforce.iss.net/xforce/xfdb/29042 Common Vulnerability Exposure (CVE) ID: CVE-2006-4337 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11212 Common Vulnerability Exposure (CVE) ID: CVE-2006-4338 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11290 http://www.osvdb.org/29008 XForce ISS Database: gzip-lhz-dos(29046) http://xforce.iss.net/xforce/xfdb/29046
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com