Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

Ubuntu 11.10: 1308-1 Critical Advisory on bzip2 Local Attack Execution

ubuntu
Calendar Grey December 14, 2011
Scroller Ubuntu
The recent Ubuntu Security Advisory USN-1308-1 highlights a significant vulnerability in bzip2, which could enable local malicious actors to run arbitrary code.
Executables compressed by bzexe could be made to run programs as yourlogin.

Summary

Executables compressed by bzexe could be made to run programs as your

login.

Software Description:

- bzip2: high-quality block-sorting file compressor - utilities

Details:

vladz discovered that executables compressed by bzexe insecurely create

temporary files when they are ran. A local attacker could exploit this issue to

execute arbitrary code as the user running a compressed executable.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  bzip2                           1.0.5-6ubuntu1.11.10.1

Ubuntu 11.04:
  bzip2                           1.0.5-6ubuntu1.11.04.1

Ubuntu 10.10:
  bzip2                           1.0.5-4ubuntu1.1

Ubuntu 10.04 LTS:
  bzip2                           1.0.5-4ubuntu0.2

Ubuntu 8.04 LTS:
  bzip2                           1.0.4-2ubuntu4.2

In general, a standard system update will make all the necessary changes to
the bzexe utility. If you have previously used bzexe to compress any
executables, they need to be recompressed using the updated version.

References

https://ubuntu.com/security/notices/USN-1308-1

CVE-2011-4089

Severity
critical
Lowest
Low
Medium
High
Critical

December 14, 2011

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.