Message-ID: <20021001103805.A52E63477B@mail1.tamperd.net>
From: aliz at gentoo.org (Daniel Ahlberg)
Subject: GLSA: unzip

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :unzip
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 10:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction, though.

DETAIL

Among them: huge files with high compression ratio are able to fill
memory/disk (see "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
directory traversal (dot-dot bug). Probably, directory traversal is
the most dangerous among these bugs, because it allows crafting an
archive which will trojan the system on extraction. This problem is
known to software developers, and newer archivers usually have some
kind of protection. But in some cases this protection is weak and can
be bypassed. I did very quick (approx. 30 minutes, so maybe I've
missed something) research on a few popular archivers. Results are
below.

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-arch/unzip-5.42-r1 and earlier update their systems
as follows:

emerge rsync
emerge unzip
emerge clean

- - --------------------------------------------------------------------
aliz@...too.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU
u5jofs44arhh9ZKkAmPxv2A=
=myfe
-----END PGP SIGNATURE-----
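
The checks an extractor needs against the dot-dot and compression-ratio
problems described in the advisory, as an added example (not part of the
original announcement and not unzip's own code). The function names, the
MAX_RATIO limit and the sample archive are assumptions made for illustration.

```python
import io
import zipfile

MAX_RATIO = 100  # assumed policy limit: uncompressed/compressed size per member

def unsafe_reason(name):
    """Return why a member name must not be extracted, or None if acceptable."""
    norm = name.replace("\\", "/")  # treat both separator styles alike
    if norm.startswith("/") or norm[1:2] == ":":
        return "absolute path"
    if ".." in norm.split("/"):
        return "dot-dot component"
    return None

def audit_zip(data):
    """Inspect a zip held in bytes without extracting; return {member: reason}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info.filename)
            # Sizes are the values declared in the archive headers, so an
            # extractor should also cap the bytes it actually writes.
            if reason is None and info.file_size > MAX_RATIO * max(info.compress_size, 1):
                reason = "high compression ratio"
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample():
    """Constructed test archive: one benign member and three that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "constructed")
        zf.writestr("/abs/outside.txt", "constructed")
        zf.writestr("zeros.bin", b"\0" * 1_000_000)
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in audit_zip(build_sample()).items():
        print(f"REJECT {member!r}: {reason}")
```

Rejecting every ".." component is stricter than resolving the path and
checking that it stays under the destination directory, and it also refuses
names such as "a/../b" that would not escape.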
