Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: unzip
Date: Tue, 01 Oct 2002 05:38:06
Message-Id: 20021001103805.404E234778@mail1.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - --------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT
6 - - --------------------------------------------------------------------
7
8 PACKAGE        :unzip
9 SUMMARY        :directory-traversal vulnerability
10 DATE           :2002-10-01 10:30 UTC
11
12 - - --------------------------------------------------------------------
13
14 OVERVIEW
15
16 Archive extraction is usually treated by users as a safe operation.
17 There are few problems with files extraction though.
18
19 DETAIL
20
21 Among them: huge files with high compression ratio are able to fill
22 memory/disk (see "Antivirus scanner DoS with zip archives" thread on
23 Vuln-Dev), special device names and special characters in file names,
24 directory traversal (dot-dot bug). Probably, directory traversal is
25 most dangerous among this bugs, because it allows to craft archive
26 which will trojan system on extraction. This problem is known for
27 software developers, and newer archivers usually have some kind of
28 protection. But in some cases this protection is weak and can be
29 bypassed. I did very quick (approx. 30 minutes, so may be I've missed
30 something) researches on few popular archivers. Results are below.
31
32 Read the full advisory at
33 http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2
34
35 SOLUTION
36
37 It is recommended that all Gentoo Linux users who are running
38 app-arch/unzip-5.42-r1 and earlier update their systems
39 as follows:
40
41 emerge rsync
42 emerge unzip
43 emerge clean
44
45 - - --------------------------------------------------------------------
46 aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
47 - - --------------------------------------------------------------------
48 -----BEGIN PGP SIGNATURE-----
49 Version: GnuPG v1.0.7 (GNU/Linux)
50
51 iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU
52 u5jofs44arhh9ZKkAmPxv2A=
53 =myfe
54 -----END PGP SIGNATURE-----