Secunia Security Advisory - Ubuntu has issued an update for apt-listchanges. This fixes a security issue, which can be exploited by malicious, local users to gain escalated privileges.
e0dfc84431276c74a0f3f112351c99a403dc91dc66ac91fc0403a4e31c0308d6
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Ubuntu update for apt-listchanges
SECUNIA ADVISORY ID:
SA28574
VERIFY ADVISORY:
http://secunia.com/advisories/28574/
CRITICAL:
Not critical
IMPACT:
Privilege escalation
WHERE:
Local system
OPERATING SYSTEM:
Ubuntu Linux 7.04
http://secunia.com/product/14068/
Ubuntu Linux 7.10
http://secunia.com/product/16251/
DESCRIPTION:
Ubuntu has issued an update for apt-listchanges. This fixes a
security issue, which can be exploited by malicious, local users to
gain escalated privileges.
The security issue is caused due to apt-listchanges trying to import
python libraries from potentially unsafe paths. This can be exploited
to e.g. execute arbitrary python code with the root privileges if the
root user executes the application in a directory with malicious
content.
SOLUTION:
Apply updated packages.
-- Ubuntu 7.04 --
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.72ubuntu6.1.dsc
Size/MD5: 735 375004d6b85120036f9759a4ee1e6eef
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.72ubuntu6.1.tar.gz
Size/MD5: 90531 deb56e612e9dec768e7772a331e5a3f5
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.72ubuntu6.1_all.deb
Size/MD5: 52192 293d39e51c189423d75a4decaba1d749
-- Ubuntu 7.10 --
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.74ubuntu3.1.dsc
Size/MD5: 736 7dd8d7f136095b687a3860c0bf2dbe0b
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.74ubuntu3.1.tar.gz
Size/MD5: 877382 1fdce15a1ae42035ae6fe38f060e0dca
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apt-listchanges/apt-listchanges_2.74ubuntu3.1_all.deb
Size/MD5: 56816 e6b68b2e1eafda2f71f20c1aea22584b
ORIGINAL ADVISORY:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-January/000658.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------