Login
Newsletter
Werbung

Sicherheit: Unerwünschtes Überschreiben von Dateien in unzip
Aktuelle Meldungen Distributionen
Name: Unerwünschtes Überschreiben von Dateien in unzip
ID:
Distribution: Gentoo
Plattformen: Keine Angabe
Datum: Mi, 2. Oktober 2002, 13:00
Referenzen: Keine Angabe
Applikationen: UnZip

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :unzip
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 10:30 UTC

--------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are few problems with files extraction though.

DETAIL

Among them: huge files with high compression ratio are able to fill
memory/disk (see "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
directory traversal (dot-dot bug). Probably, directory traversal is
most dangerous among this bugs, because it allows to craft archive
which will trojan system on extraction. This problem is known for
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so may be I've missed
something) researches on few popular archivers. Results are below.

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-arch/unzip-5.42-r1 and earlier update their systems
as follows:

emerge rsync
emerge unzip
emerge clean

--------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU
u5jofs44arhh9ZKkAmPxv2A=
=myfe
-----END PGP SIGNATURE-----
_______________________________________________
gentoo-announce mailing list
gentoo-announce@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung