DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Update-manager | Canonical | * | 1:0.87.24 |
| Update-manager | Canonical | 1:0.134.7 | 1:0.134.7 |
| Update-manager | Canonical | 1:0.142.19 | 1:0.142.19 |
| Update-manager | Canonical | 1:0.150 | 1:0.150 |
| Update-manager | Canonical | 1:0.152.25 | 1:0.152.25 |
| Ubuntu_linux | Canonical | 8.04 | 8.04 |
| Ubuntu_linux | Canonical | 10.04 | 10.04 |
| Ubuntu_linux | Canonical | 10.10 | 10.10 |
| Ubuntu_linux | Canonical | 11.04 | 11.04 |
| Ubuntu_linux | Canonical | 11.10 | 11.10 |
| Update-manager | Ubuntu | devel | * |
| Update-manager | Ubuntu | hardy | * |
| Update-manager | Ubuntu | lucid | * |
| Update-manager | Ubuntu | maverick | * |
| Update-manager | Ubuntu | natty | * |
| Update-manager | Ubuntu | oneiric | * |