Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-4089

Publication date 29 October 2011

Last updated 24 July 2024


Ubuntu priority

The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

Read the notes from the security team

Status

Package Ubuntu Release Status
bzip2 11.10 oneiric
Fixed 1.0.5-6ubuntu1.11.10.1
11.04 natty
Fixed 1.0.5-6ubuntu1.11.04.1
10.10 maverick
Fixed 1.0.5-4ubuntu1.1
10.04 LTS lucid
Fixed 1.0.5-4ubuntu0.2
8.04 LTS hardy
Fixed 1.0.4-2ubuntu4.2

Notes


tyhicks

I don't believe that YAMA prevents this vulnerability. It is not yet clear what versions are affected.


mdeslaur

PoC: http://www.exploit-db.com/exploits/18147/ PoC: http://pastebin.com/FaaEsXRW

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
bzip2

References

Related Ubuntu Security Notices (USN)

Other references