Advertisement
Smart VPS: 192 MB RAM, 10 GB disc space, 50 GB data transfer and Virtuozzo OS virtualization solution.
Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||
Conectiva alert CLA-2003:724 (unzip)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : unzip SUMMARY : Directory transversal vulnerability [UPDATE] DATE : 2003-08-18 19:52:00 ID : CLA-2003:724 RELEVANT RELEASES : 7.0, 8, 9 - ------------------------------------------------------------------------- DESCRIPTION unzip is a program widely used for the distribution of multiple files concatenated/compacted (a file commonly known as an "archive"). This is a reedition of the announcement CLSA-2003:672[1]. A vulnerability[2] has been found in the way unzip extracts files with invalid characters between two '.' (dot) characters in their path/names. These characters are filtered and result in a ".." sequence (indicating the parent directory). By exploiting this vulnerability, an attacker can overwrite arbitrary files if the user unpacking such an archive has sufficient filesystem permissions to do so. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0282 to this issue[3]. [Updated 2003-Aug-18] Ben Laurie found that the original patch for this vulnerability was missing a case where the file name/path contains a quoted slash. This update includes a new patch that fix this issue. SOLUTION All unzip users should upgrade. REFERENCES: 1.http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000672&idioma=en 2.http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/RPMS/unzip-5.50-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/unzip-5.50-1U70_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/unzip-5.50-1U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/unzip-5.50-1U80_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/unzip-5.50-13860U90_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/unzip-5.50-13860U90_2cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/QVjp42jd0JmAcZARAq4qAKC3smo1dl6ohsiT8KNRVng3fwBfBgCfUXgj 5Y2yA9jaLP5sDf9FDkn28f0= =ySTr -----END PGP SIGNATURE----- (Log in to post comments)
|
|||||||||||||