diff -Nru base-files-4.0.4ubuntu2/debian/changelog base-files-4.0.4ubuntu2.1/debian/changelog
--- base-files-4.0.4ubuntu2/debian/changelog	2008-10-20 13:07:32.000000000 +0100
+++ base-files-4.0.4ubuntu2.1/debian/changelog	2008-10-29 20:51:46.000000000 +0000
@@ -1,3 +1,13 @@
+base-files (4.0.4ubuntu2.1) intrepid-security; urgency=low
+
+  * SECURITY UPDATE: change permissions of kernels copied from the Live CD
+    by Ubiquity 1.9.4 thru 1.10.9. LP: #290798.
+
+  * Correct group ownership of files changed by Ubiquity 1.7.5 thru 1.10.9.
+    LP: #288479.
+
+ -- Scott James Remnant <scott@ubuntu.com>  Wed, 29 Oct 2008 20:50:56 +0000
+
 base-files (4.0.4ubuntu2) intrepid; urgency=low
 
   * Prepare for Intrepid release: etc/{lsb-release,issue,issue.net}.
diff -Nru base-files-4.0.4ubuntu2/debian/postinst base-files-4.0.4ubuntu2.1/debian/postinst
--- base-files-4.0.4ubuntu2/debian/postinst	2008-08-08 18:53:55.000000000 +0100
+++ base-files-4.0.4ubuntu2.1/debian/postinst	2008-10-29 20:46:08.000000000 +0000
@@ -146,6 +146,58 @@
   fi
 fi
 
+# Ubiquity 1.9.4 thru 1.10.9 failed to set kernel permissions after
+# copying from the Live CD, leaving the file globally writable.
+if dpkg --compare-versions "$2" le-nl "4.0.4ubuntu2" &&
+   dpkg --compare-versions "$2" ge "4.0.1ubuntu5"
+then
+  find -L /boot -name "vmlinu[zx]-*" -perm /g+w,o+w -print0 |
+	xargs -0rp chmod g-w,o-w
+fi
+
+# Ubiquity 1.7.5 thru 1.10.9 failed to restore the group id of
+# the process to root after doing work as the Live CD user, creating
+# files with that user's group as a result.
+if dpkg --compare-versions "$2" le-nl "4.0.4ubuntu2" &&
+   dpkg --compare-versions "$2" ge "4.0.1ubuntu1"
+then
+  NINER_NINER_PATHS="				\
+	/boot					\
+	/etc					\
+	/usr/lib/locale				\
+	/var/backups				\
+	/var/cache/apt				\
+	/var/cache/debconf			\
+	/var/cache/fontconfig			\
+	/var/cache/fonts			\
+	/var/cache/ldconfig			\
+	/var/cache/anthy			\
+	/var/lib/apt				\
+	/var/lib/dpkg				\
+	/var/lib/belocs				\
+	/var/lib/gconf				\
+	/var/lib/defoma				\
+	/var/lib/locales			\
+	/var/log/installer			"
+
+  NINER_NINER_SYMLINKS="			\
+	/initrd.img				\
+	/vmlinuz				\
+	/cdrom					\
+	/media/cdrom				\
+	/etc/alternatives			\
+	/usr/share/fonts			\
+	/var/lib/anthy				\
+	/var/lib/defoma				"
+
+  find -L $NINER_NINER_PATHS -gid 999 -print0 |
+	xargs -0rp chgrp 0
+  find $NINER_NINER_SYMLINKS -gid 999 -print0 |
+	xargs -0rp chgrp -h 0
+  find /media -maxdepth 1 -name "cdrom[0-9]*" -gid 999 -print0 |
+	xargs -0rp chgrp 0
+fi
+
 if [ -f /var/lib/dpkg/info/base.list ]; then
   :> /var/lib/dpkg/info/base.list
   rm -f /var/lib/dpkg/info/base.conffiles