1. Ubuntu Security Notices
  2. USN-986-3

USN-986-3: dpkg vulnerability

Publication date

20 September 2010

Overview

dpkg could be made to run programs as your login if it opened a specially crafted file.

Releases

Packages

  • dpkg - package maintenance system for Debian

Details

USN-986-1 fixed vulnerabilities in bzip2. dpkg statically links against libbz2
and needed to be rebuilt to use the updated libbz2.

Original advisory details:

An integer overflow was discovered in bzip2. If a user or automated system
were tricked into decompressing a crafted bz2 file, an attacker could cause
bzip2 or any application linked against libbz2 to crash or possibly execute
code as the user running the program.

USN-986-1 fixed vulnerabilities in bzip2. dpkg statically links against libbz2
and needed to be rebuilt to use the updated libbz2.

Original advisory details:

An integer overflow was discovered in bzip2. If a user or automated system
were tricked into decompressing a crafted bz2 file, an attacker could cause
bzip2 or any application linked against libbz2 to crash or possibly execute
code as the user running the program.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
9.10 karmic dpkg –  1.15.4ubuntu2.2
9.04 jaunty dpkg –  1.14.24ubuntu1.2
8.04 hardy dpkg –  1.14.16.6ubuntu4.2
6.06 dapper dpkg –  1.13.11ubuntu7.2
10.04 lucid dpkg –  1.15.5.6ubuntu4.3

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›