User: Password:
|
|
Subscribe / Log in / New account

Ubuntu alert USN-159-1 (unzip)

From:  Martin Pitt <martin.pitt@canonical.com>
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-159-1] unzip vulnerability
Date:  Mon, 1 Aug 2005 13:41:15 +0200
Cc:  full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com

=========================================================== Ubuntu Security Notice USN-159-1 August 01, 2005 unzip vulnerability CAN-2005-0602 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: unzip The problem can be corrected by upgrading the affected package to version 5.51-2ubuntu0.1 (for Ubuntu 4.10), or 5.51-2ubuntu1.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: If a ZIP archive contains binaries with the setuid and/or setgid bit set, unzip preserved those bits when extracting the archive. This could be exploited by tricking the administrator into unzipping an archive with a setuid-root binary into a directory the attacker can access. This allowed the attacker to execute arbitrary commands with root privileges. The updated version does not preserve setuid, setgid, and sticky bits any more by default. The old behaviour can be explicitly requested now by supplying the option '-K'. Updated packages for Ubuntu 4.10 (Warty Warthog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 5058 5ed7b2fd196c7481a038486669df1667 http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 534 b04ea621f49716157fdff3f9379f842a http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 1112594 8a25712aac642430d87d21491f7c6bd1 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 147314 77f0b2321e625fef72cf04f80a7e841a i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 133786 f6d0d6c32d193b12009fab6ea946bce6 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 149620 1efec44b8a4be7756f47f3a6201acde4 Updated packages for Ubuntu 5.04 (Hoary Hedgehog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 5944 11944741502707e5b1d8de30c37db17b http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 534 6e462e58df9c99892f2401f863dd9bdc http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 1112594 8a25712aac642430d87d21491f7c6bd1 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 147438 a026e8229b7590f5307d005b1f612af3 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 134676 75d9f59b79498117e498495126cdf873 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip... Size/MD5: 150988 597d27bb8ea7978b7549a65e39745a49 -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-...


(Log in to post comments)


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds