-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE : unzip
SUMMARY : directory-traversal vulnerability
DATE    : 2002-10-01 10:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction, though.

DETAIL

Among them: huge files with a high compression ratio are able to fill
memory/disk (see the "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
and directory traversal (the dot-dot bug). Probably, directory traversal is
the most dangerous among these bugs, because it allows crafting an archive
which will trojan the system on extraction. This problem is known to
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've missed
something) research on a few popular archivers. Results are below.

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2
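As an added example (not part of the Gentoo advisory or the Bugtraq post it quotes), the Python check below shows the defensive side of the two problems described above: every archive member name is validated before extraction, rejecting absolute paths, dot-dot components and names that resolve outside the destination directory, and flagging members whose compression ratio looks like a decompression bomb. The functions check_member, audit and build_sample_archive, the MAX_RATIO threshold, the /tmp/extract destination and the in-memory sample archive are all constructed for this example.

```python
import io
import os
import zipfile
from typing import Dict, Optional

# Above this uncompressed:compressed ratio a member is treated as a
# decompression bomb (threshold chosen for this example).
MAX_RATIO = 100

def check_member(dest: str, info: zipfile.ZipInfo) -> Optional[str]:
    """Return None if the member may be extracted under dest, else the reason."""
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return "absolute path"
    parts = name.split("/")
    if ".." in parts:
        return "dot-dot component"
    # Belt and braces: the resolved target must still sit under dest. This
    # checks the member's own name only; symlink members extracted earlier
    # would need separate handling.
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        return "escapes destination"
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        return "suspicious compression ratio"
    return None

def audit(data: bytes, dest: str = "/tmp/extract") -> Dict[str, Optional[str]]:
    """Map every member name of a zip given as bytes to check_member's verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: check_member(dest, i) for i in zf.infolist()}

def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry plus entries of the kinds
    the advisory warns about (dot-dot paths, absolute path, compressible bomb)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("../escape.txt", b"outside")
        zf.writestr("docs/../../escape2.txt", b"outside")
        zf.writestr("/etc/escape3", b"outside")
        zf.writestr("bomb.bin", b"\0" * 1_000_000)
    return buf.getvalue()

if __name__ == "__main__":
    for member, verdict in audit(build_sample_archive()).items():
        print(f"{member!r}: {verdict or 'ok'}")
```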

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-arch/unzip-5.42-r1 and earlier update their systems
as follows:

emerge rsync
emerge unzip
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU
u5jofs44arhh9ZKkAmPxv2A=
=myfe
-----END PGP SIGNATURE-----
_______________________________________________
gentoo-announce mailing list
gentoo-announce@g.o
http://lists.gentoo.org/mailman/listinfo/gentoo-announce