Ubuntu 732-1: dash vulnerability

    Date: 10 Mar 2009
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    ===========================================================
    Ubuntu Security Notice USN-732-1             March 10, 2009
    dash vulnerability
    CVE-2009-0854
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 8.04 LTS:
      dash                            0.5.4-8ubuntu1.1
    
    Ubuntu 8.10:
      dash                            0.5.4-9ubuntu1.1
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    Wolfgang M. Reimer discovered that dash, when invoked as a login shell, would
    source .profile files from the current directory. Local users may be able to
    bypass security restrictions and gain root privileges by placing specially
    crafted .profile files where they might get sourced by other dash users.
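
The audit script below is an added example, not part of the Ubuntu notice: it compares the installed dash package against the fixed versions listed above and lists `.profile` files found in world-writable directories. The function names, and the choice of world-writable directories as the places worth inspecting, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu notice: audit a host for USN-732-1.

# Fixed dash version per affected release, copied from the notice.
fixed_dash_version() {
    case "$1" in
        8.04) echo "0.5.4-8ubuntu1.1" ;;
        8.10) echo "0.5.4-9ubuntu1.1" ;;
        *)    return 1 ;;   # release not covered by this notice
    esac
}

# dash_patched RELEASE: 0 = fixed version or newer installed, 1 = older,
# 2 = cannot tell (release not listed, or dash/dpkg not present).
dash_patched() {
    want=$(fixed_dash_version "$1") || return 2
    have=$(dpkg-query -W -f='${Version}' dash 2>/dev/null) || return 2
    [ -n "$have" ] || return 2
    dpkg --compare-versions "$have" ge "$want"
}

# stray_profiles DIR...: print every .profile that sits directly in a
# world-writable directory under DIR, i.e. a place where another local
# user could have put one (assumption of this example).
stray_profiles() {
    for root in "$@"; do
        find "$root" -xdev -type d -perm -0002 2>/dev/null |
        while IFS= read -r dir; do
            if [ -e "$dir/.profile" ] || [ -L "$dir/.profile" ]; then
                printf '%s\n' "$dir/.profile"
            fi
        done
    done
    return 0
}
```

On a host running one of the affected releases, `dash_patched "$(lsb_release -rs)"` reports the package state and `stray_profiles /tmp /var/tmp` lists files to review.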
    
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1.diff.gz
          Size/MD5:   171656 5f74e0a922546193a9e6279ad8680c76
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1.dsc
          Size/MD5:      697 e78236937fea17c0c7a43427321b1ce6
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.gz
          Size/MD5:   212145 bc457e490a589d2f87f2333616b67931
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-8ubuntu1.1_all.deb
          Size/MD5:    22068 82557822348627c1b240069e431886e2
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_amd64.deb
          Size/MD5:    96918 b8d43124e5353042c7fd93fcc5c19cc9
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_i386.deb
          Size/MD5:    87952 6bc4578aea92450f8e00625fd7a7755a
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_lpia.deb
          Size/MD5:    88194 a90de1a5dedb9cbaeb65537e8e933356
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_powerpc.deb
          Size/MD5:    97400 5e2187820648d980b4edaa4e4a71b6c5
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_sparc.deb
          Size/MD5:    91072 dc5e22376445e185eacdaa049421c866
    
    Updated packages for Ubuntu 8.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1.diff.gz
          Size/MD5:   129759 b5363e9ff9550e89dec4be8ddc408607
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1.dsc
          Size/MD5:     1083 dc87a11f64c53960ffb1f55dc42a253f
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.gz
          Size/MD5:   212145 bc457e490a589d2f87f2333616b67931
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-9ubuntu1.1_all.deb
          Size/MD5:    22286 9a34d34a67d46b8fa42584a2a7d61f76
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_amd64.deb
          Size/MD5:    99406 8703819fce4bc25f65caa350de05763c
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_i386.deb
          Size/MD5:    90266 9d8931f5ef08f4d649127db0ab644f8e
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_lpia.deb
          Size/MD5:    90322 a0db897e7a7c5a7706d71674bad025ee
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_powerpc.deb
          Size/MD5:    99500 a583f4a7fc59a7495cb3615c4af54b05
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_sparc.deb
          Size/MD5:    93030 1bd3a8c0907e56cb2ed17c572e61842b
    
    
    