OpenLinux: unzip directory traversal
To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx
full-disclosure@xxxxxxxxxxxxxxxx security-alerts@xxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: unzip directory traversal
Advisory number: CSSA-2003-031.0
Issue date: 2003 November 07
Cross reference: sr882696 fz528147 erg712381 CAN-2003-0282
______________________________________________________________________________
1. Problem Description
unzip is a widely used program for extracting archives, single files
that bundle multiple files together in concatenated and compacted form.
A vulnerability has been found in the way unzip extracts files
with invalid characters between two '.' (dot) characters in
their path/names. These characters are filtered and result in
a ".." sequence (indicating the parent directory). By exploiting
this vulnerability, an attacker can overwrite arbitrary files
if the user unpacking such an archive has sufficient filesystem
permissions to do so.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0282 to this issue.
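The following C program is an added illustration of the ordering failure
described above; it is not unzip's source and not part of the SCO advisory.
It uses a hypothetical strip_invalid_bytes() filter that drops non-printable
bytes from an archive member name, and shows why a ".." check that runs
before that filter is ineffective: a constructed name such as ".<0x01>./etc/shadow"
passes the check and only becomes "../etc/shadow" afterwards. The hardened
variant validates the exact string that will reach the filesystem, after
every transformation, and also rejects absolute paths. All sample names are
constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256

/* Hypothetical filter modelled on the behaviour the advisory describes:
 * bytes outside printable ASCII are silently dropped from the member name.
 * This is an illustration, not unzip's own code. */
static size_t strip_invalid_bytes(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    for (; *in != '\0' && n + 1 < out_len; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x20 && c < 0x7f)      /* keep printable ASCII only */
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* True when the path is relative and no '/'-separated component is "..". */
static bool components_are_safe(const char *path)
{
    if (path[0] == '/')
        return false;                   /* absolute path: never extract */
    const char *p = path;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;               /* parent-directory component */
        if (!end)
            break;
        p = end + 1;
    }
    return true;
}

/* Broken ordering: validate the raw name, then filter it. The filter can
 * manufacture a ".." that the check never saw. */
bool accept_check_then_filter(const char *raw, char *out, size_t out_len)
{
    if (!components_are_safe(raw))
        return false;
    strip_invalid_bytes(raw, out, out_len);
    return true;
}

/* Fixed ordering: apply every transformation first, then validate the
 * exact string that will be handed to the filesystem. */
bool accept_filter_then_check(const char *raw, char *out, size_t out_len)
{
    strip_invalid_bytes(raw, out, out_len);
    return components_are_safe(out);
}

int main(void)
{
    /* Constructed sample member names; none come from a real archive. */
    const char *samples[] = {
        "docs/readme.txt",      /* ordinary name: both variants accept  */
        "../etc/shadow",        /* plain traversal: both variants reject */
        ".\x01./etc/shadow",    /* filter turns ".<0x01>." into ".."     */
        "/etc/shadow",          /* absolute path: both variants reject   */
    };
    char buf[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool a = accept_check_then_filter(samples[i], buf, sizeof buf);
        bool b = accept_filter_then_check(samples[i], buf, sizeof buf);
        printf("check-then-filter=%s filter-then-check=%s final=\"%s\"\n",
               a ? "accept" : "reject", b ? "accept" : "reject", buf);
    }
    return 0;
}
```

The general rule the program demonstrates is that any name canonicalisation
(byte stripping, case folding, separator translation) must happen before the
traversal check, and the check must run on the final string; otherwise each
later transformation is a chance to reintroduce the ".." the check removed.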
2. Vulnerable Supported Versions
System                         Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server         prior to unzip-5.40-6MR.i386.rpm
OpenLinux 3.1.1 Workstation    prior to unzip-5.40-6MR.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/RPMS
4.2 Packages
308bbe0a68423441404609f93288b0e7 unzip-5.40-6MR.i386.rpm
4.3 Installation
rpm -Fvh unzip-5.40-6MR.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/SRPMS
4.5 Source Packages
f220b525c0b9d8d157d46d23018a5676 unzip-5.40-6MR.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/RPMS
5.2 Packages
ee383aa3af5442bf977f454dc62cdcaa unzip-5.40-6MR.i386.rpm
5.3 Installation
rpm -Fvh unzip-5.40-6MR.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/SRPMS
5.5 Source Packages
7541701bdcb262ac4970c3bd4a4da077 unzip-5.40-6MR.src.rpm
6. References
Specific references for this advisory:
http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175&w=2
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr882696 fz528147
erg712381.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank Ben Laurie who found that the original patch
to fix this issue missed a case where the path component included
a quoted slash. These updated packages contain a new patch that
corrects this issue.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)
iD8DBQE/sYZnbluZssSXDTERAil9AJsFDmPro0woAzrp0fk2sFczftQYfACfRqRL
7xzvK4yZjt1YLPb5IQccWB4=
=l6Nv
-----END PGP SIGNATURE-----