LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Slackware alert SSA:2003-237-01 (infozip)



From:
    	      Slackware Security Team <security@slackware.com>


To:
    	      slackware-security@slackware.com


Subject:
    	      [slackware-security]  unzip vulnerability patched (SSA:2003-237-01)


Date:
    	      Mon, 25 Aug 2003 20:39:27 -0700 (PDT)




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  unzip vulnerability patched (SSA:2003-237-01)

Upgraded infozip packages are available for Slackware 9.0 and -current.
These fix a security issue where a specially crafted archive may
overwrite files (including system files anywhere on the filesystem)
upon extraction by a user with sufficient permissions.

For more information, see:

http://www.securityfocus.com/bid/7550
http://lwn.net/Articles/38540/
http://xforce.iss.net/xforce/xfdb/12004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Mon Aug 25 15:35:28 PDT 2003
patches/packages/infozip-5.50-i486-2.tgz:  Fixed a bug where a specially
  crafted archive might try to write to ../ or ../../, etc, potentially
  overwriting system files if the user (such as root) has permissions to
  overwrite them.  Thanks to jelmer for locating this problem, and
  Ben Laurie for providing a patch.
  (* Security fix *)
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/infozip-5.50-i386-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/infozip-5.50-i486-2.tgz



MD5 SIGNATURES:
+-------------+

Slackware 9.0 package:
d262ae0564f475b39e2ccf20fe1dfc41  infozip-5.50-i386-2.tgz

Slackware -current package:
8c4b4fc48e145a71e962cd7f99be8a5b  infozip-5.50-i486-2.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade using upgradepkg (as root):
upgradepkg infozip-5.50-i386-2.tgz



+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/SpEiakRjwEAQIjMRAmXUAJkBVx8yYSRth0DpFPM89PrxTxDMGgCdHDRL
tFzFHS6BR5BLPCyuL372C+Q=
=Kv9k
-----END PGP SIGNATURE-----
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds