A new xfsdump vulnerability update is available for Ubuntu Linux. Here the announcement:
Ubuntu Security Notice USN-516-1 September 20, 2007
xfsdump vulnerability
CVE-2007-2654
==========================
==========================
=========
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
xfsdump 2.2.30-1ubuntu0.1
Ubuntu 6.10:
xfsdump 2.2.38-1ubuntu0.6.10.1
Ubuntu 7.04:
xfsdump 2.2.38-1ubuntu0.7.04.1
In general, a standard system upgrade is sufficient to affect the
necessary changes.
Details follow:
Paul Martin discovered that xfs_fsr creates a temporary directory
with insecure permissions. This allows a local attacker to exploit a
race condition in xfs_fsr to read or overwrite arbitrary files on xfs
filesystems.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1.dsc
Size/MD5: 618 d4f3b9ad40143e751b220f726961ebba
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1.tar.gz
Size/MD5: 576453 0bdb54112e248aec97ec3f76e31db3bc
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_amd64.deb
Size/MD5: 292386 0599bfb1c91ff8dd91092573aeddf7eb
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_i386.deb
Size/MD5: 272798 24c9b70f6bc313fd74e1c796fc8275c3
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_powerpc.deb
Size/MD5: 289254 2ca3f1498a821cedcdbbabb0e3e3024e
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.30-1u=
buntu0.1_sparc.deb
Size/MD5: 269570 90ccbc30495a8af38bbd12036a9f777d
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1.dsc
Size/MD5: 637 f531f5e74e784f3eed86079c4bb4a399
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1.tar.gz
Size/MD5: 566100 7b23a7834d606502d7a417c27c985cd9
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_amd64.deb
Size/MD5: 307830 073c61422d102e82e5c19d0a02efb31f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_i386.deb
Size/MD5: 297776 1f9d437502c787707a615370de257c03
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_powerpc.deb
Size/MD5: 323958 2bb7d2a50cb420dba81a852ff82495ec
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.6.10.1_sparc.deb
Size/MD5: 288660 33596c287661474fb78beb9501813657
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1.dsc
Size/MD5: 721 392609671d6695b02245178ea01bd755
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1.tar.gz
Size/MD5: 566169 665eca44b04dbcc7f753d59ff1e92997
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_amd64.deb
Size/MD5: 308552 c61901d79e291f4ac7c64f0f721d02a8
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_i386.deb
Size/MD5: 298510 d81af22139ffeefce8ef5979b4468773
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_powerpc.deb
Size/MD5: 334954 d423004a9bf53ae41806902d1e80a1ee
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1u=
buntu0.7.04.1_sparc.deb
Size/MD5: 291278 1bbe48738754e5a2c293723d8e3ef3e4
--mJm6k4Vb/yFcL9ZU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG8wJIH/9LqRcGPm0RAoujAJ9F9mj/RJGnfqWoNyMd9JkdU9Q+iACdFIX1
kYmwoijKlXWhZG/sHAx83io=
=x2G1
-----END PGP SIGNATURE-----