Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[gentoo-announce] GLSA: unzip
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
klieber
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Tue Oct 01, 2002 1:50 pm    Post subject: [gentoo-announce] GLSA: unzip Reply with quote

Daniel Ahlberg wrote:
- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE \240 \240 \240 \240:unzip
SUMMARY \240 \240 \240 \240:directory-traversal vulnerability
DATE \240 \240 \240 \240 \240 :2002-10-01 10:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation. There are few problems with files extraction though.

DETAIL

Among them: huge files with high compression ratio are able to fill memory/disk (see "Antivirus scanner DoS with zip archives" thread on Vuln-Dev), special device names and special characters in file names, directory traversal (dot-dot bug). Probably, directory traversal is most dangerous among this bugs, because it allows to craft archive which will trojan system on extraction. This problem is known for software developers, and newer archivers usually have some kind of protection. But in some cases this protection is weak and can be bypassed. I did very quick (approx. 30 minutes, so may be I've missed something) researches on few popular archivers. Results are below.

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running app-arch/unzip-5.42-r1 and earlier update their systems as follows:

emerge rsync
emerge unzip
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------

Mailing List Archive: http://lists.gentoo.org/pipermail/gentoo-announce/2002-October/000210.html

--kurt
_________________
The problem with political jokes is that they get elected
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum