79662 2002-10-01 23:31 /55 lines/ Daniel Ahlberg <aliz@gentoo.org>
Imported: 2002-10-01 23:31 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1730>
Subject: GLSA: unzip
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------
         GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------

PACKAGE :unzip
SUMMARY :directory-traversal vulnerability
DATE    :2002-10-01 10:30 UTC

- --------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction, though.

DETAIL

Among them: huge files with a high compression ratio are able to fill
memory/disk (see the "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
and directory traversal (the dot-dot bug). Probably, directory traversal
is the most dangerous among these bugs, because it allows crafting an
archive which will trojan the system on extraction. This problem is
known to software developers, and newer archivers usually have some kind
of protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've missed
something) research on a few popular archivers. Results are below.
Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-arch/unzip-5.42-r1 and earlier update their systems as follows:

emerge rsync
emerge unzip
emerge clean

- --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU
u5jofs44arhh9ZKkAmPxv2A=
=myfe
-----END PGP SIGNATURE-----
(79662) /Daniel Ahlberg <aliz@gentoo.org>/----------
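The extraction problems listed under DETAIL (the dot-dot bug, absolute paths, device names, control characters in names, and high compression ratios), as an added example that is not part of the GLSA and is not unzip's own code. It builds a small zip archive in memory with one benign entry and four hostile ones, then extracts it with a per-entry filter that mirrors the checks a hardened archiver needs. The archive contents, the MAX_RATIO and MAX_TOTAL limits and the function names are assumptions chosen for the demonstration.

```python
"""Added example (not from the GLSA or unzip): build a zip archive whose
entry names abuse the extraction problems listed in the advisory, then
extract it safely.  All archive contents below are constructed test data."""
import io
import os
import posixpath
import tempfile
import zipfile

MAX_RATIO = 100                # max uncompressed/compressed per entry (assumption)
MAX_TOTAL = 64 * 1024 * 1024   # max bytes written per extraction (assumption)

# Reserved device names on Windows; writing "CON.txt" writes to the console.
WINDOWS_DEVICES = ({"con", "prn", "aux", "nul"}
                   | {"com%d" % i for i in range(1, 10)}
                   | {"lpt%d" % i for i in range(1, 10)})

# Constructed sample archive: one legitimate file and four hostile entries.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"hello",
    "../../etc/passwd": b"root::0:0:::/bin/sh\n",   # dot-dot traversal
    "/etc/shadow": b"root:!:0:0:::\n",             # absolute path
    "CON.txt": b"device",                           # Windows device name
    "bomb.bin": b"A" * 2_000_000,                   # extreme compression ratio
}


def build_archive(entries):
    """Return zip bytes for {name: data}. writestr() keeps names verbatim,
    so '..' and leading '/' survive into the archive, unlike ZipFile.write()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_entry(info):
    """Return None if a ZipInfo is safe to extract, else a rejection reason."""
    name = info.filename.replace("\\", "/")
    if not name:
        return "empty name"
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "directory traversal"
    if posixpath.basename(name).split(".")[0].lower() in WINDOWS_DEVICES:
        return "device name"
    if any(ord(c) < 32 for c in name):
        return "control character"
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        return "suspicious compression ratio"
    return None


def safe_extract(archive_bytes, dest):
    """Extract accepted entries under dest; return (extracted, {name: reason})."""
    dest = os.path.realpath(dest)
    extracted, rejected, total = [], {}, 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info)
            if reason:
                rejected[info.filename] = reason
                continue
            target = os.path.realpath(os.path.join(dest, info.filename))
            # Second line of defence: the resolved path must stay below dest.
            if os.path.commonpath([dest, target]) != dest:
                rejected[info.filename] = "escapes destination"
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while True:
                    chunk = src.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > MAX_TOTAL:   # stop a bomb that slipped past the ratio check
                        raise RuntimeError("extraction exceeded MAX_TOTAL")
                    dst.write(chunk)
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Extract the constructed archive into a fresh temp dir and report
    what was accepted, what was rejected and what actually landed on disk."""
    archive = build_archive(SAMPLE_ENTRIES)
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(archive, dest)
        on_disk = sorted(os.path.relpath(os.path.join(r, f), dest).replace(os.sep, "/")
                         for r, _, fs in os.walk(dest) for f in fs)
    return extracted, rejected, on_disk


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The name checks and the realpath containment check are deliberately independent: the first rejects entries before anything is touched, the second catches paths that only escape after resolution. The ratio check is per entry; the MAX_TOTAL cap still applies to many moderately compressed entries that together exceed the budget.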