OpenLinux: unzip directory traversal

security_at_sco.com
Date: 11/12/03

    To: announce@lists.caldera.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com
    Date: Wed, 12 Nov 2003 14:41:42 -0800 (PST)

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: OpenLinux: unzip directory traversal
    Advisory number: CSSA-2003-031.0
    Issue date: 2003 November 07
    Cross reference: sr882696 fz528147 erg712381 CAN-2003-0282
    ______________________________________________________________________________

    1. Problem Description

            unzip is a program widely used to extract archives: single
            files in which multiple files are concatenated and compressed.
            
            A vulnerability has been found in the way unzip extracts files
            whose path or name contains invalid characters between two '.'
            (dot) characters. unzip filters those characters out, which
            leaves a ".." sequence (indicating the parent directory) in the
            extracted path. By exploiting this vulnerability, an attacker
            who supplies such an archive can overwrite arbitrary files if
            the user unpacking it has sufficient filesystem permissions to
            do so.
            
            The Common Vulnerabilities and Exposures project (cve.mitre.org)
            has assigned the name CAN-2003-0282 to this issue.
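    The following pre-extraction check is an added example, not part of the SCO advisory or of unzip itself. It models the lossy filtering the advisory describes (assumed here, for illustration, to strip ASCII control characters and DEL) and only then normalises the member name, so a component that collapses to ".." after filtering is refused before anything is written. The sample listing is constructed for this example.

```python
import posixpath

# Assumption for this example: the "invalid characters" unzip strips from a
# name are ASCII control characters and DEL; the advisory names the class only.
INVALID_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def filter_component(component: str) -> str:
    """Apply the same lossy filtering to one path component that unzip does."""
    return "".join(ch for ch in component if ch not in INVALID_CHARS)


def is_safe_member(name: str) -> bool:
    """True only if `name` stays inside the extraction directory once filtered.

    The traversal check runs AFTER filtering, so a component that only becomes
    '..' when invalid characters are removed is caught. Absolute paths and
    backslashes (a second separator for some extractors) are rejected outright.
    """
    if not name or name.startswith("/") or "\\" in name:
        return False
    filtered = "/".join(filter_component(c) for c in name.split("/"))
    norm = posixpath.normpath(filtered)
    return norm != ".." and not norm.startswith("../")


def unsafe_members(names):
    """Return the member names an extractor should refuse, in archive order."""
    return [n for n in names if not is_safe_member(n)]


# Constructed sample listing (not from a real archive). The third entry's
# middle components are '.', an invalid byte, '.', which filter to '..'.
SAMPLE_LISTING = [
    "docs/readme.txt",
    "docs/../docs/notes.txt",        # normalises back inside the tree: allowed
    "docs/.\x01./.\x01./owned.txt",  # filters to docs/../../owned.txt: refused
    "/etc/passwd",                   # absolute path: refused
    "..\\..\\escape.txt",            # backslash separators: refused
]

if __name__ == "__main__":
    for member in unsafe_members(SAMPLE_LISTING):
        print("REFUSE", repr(member))
```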

    2. Vulnerable Supported Versions

            System Package
            ----------------------------------------------------------------------
            OpenLinux 3.1.1 Server prior to unzip-5.40-6MR.i386.rpm
            OpenLinux 3.1.1 Workstation prior to unzip-5.40-6MR.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Many
            customers find it easier to use the Caldera System Updater, called
            cupdate (or kcupdate under the KDE environment), to update these
            packages rather than downloading and installing them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/RPMS

            4.2 Packages

            308bbe0a68423441404609f93288b0e7 unzip-5.40-6MR.i386.rpm

            4.3 Installation

            rpm -Fvh unzip-5.40-6MR.i386.rpm

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/SRPMS

            4.5 Source Packages

            f220b525c0b9d8d157d46d23018a5676 unzip-5.40-6MR.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/RPMS

            5.2 Packages

            ee383aa3af5442bf977f454dc62cdcaa unzip-5.40-6MR.i386.rpm

            5.3 Installation

            rpm -Fvh unzip-5.40-6MR.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/SRPMS

            5.5 Source Packages

            7541701bdcb262ac4970c3bd4a4da077 unzip-5.40-6MR.src.rpm

    6. References

            Specific references for this advisory:
                    http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175&w=2
                    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr882696 fz528147
            erg712381.

    7. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    8. Acknowledgements

            SCO would like to thank Ben Laurie who found that the original patch
            to fix this issue missed a case where the path component included
            a quoted slash. These updated packages contain a new patch that
            corrects this issue.
    ______________________________________________________________________________


