MandrivaUsers.org > Security Advisory (MDKSA-2003:068): gzip

Full Version: Security Advisory (MDKSA-2003:068): gzip

MandrivaUsers.org > Announcements > Mandriva Security Advisories

aru

Jun 16 2003, 09:21 PM

MandrakeSoft Security Advisory MDKSA-2003:068 : gzip

June 16th, 2003
Updated gzip packages fix insecure temporary file creation

A vulnerability exists in znew, a script included with gzip, that would create temporary files without taking precautions to avoid a symlink attack. Patches have been applied to make use of mktemp to generate unique filenames, and properly make use of noclobber in the script. Likewise, a fix for gzexe which had been applied previously was incomplete. It has been fixed to make full use of mktemp everywhere a temporary file is created.

The znew problem was initially reported by Michal Zalewski and was again reported more recently to Debian by Paul Szabo.

The released versions of Mandrake GNU/Linux affected are:[list] 8.2

[*] 8.2/PPC

[*] 9.0

[*] 9.1

[*] 9.1/PPC

[*] Multi Network Firewall 8.2

[*] Corporate Server 2.1 [list]
Full information about this advisory, including the updated packages, is available at:
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:068

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CVE-1999-1332
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0367
http://marc.theaimsgroup.com/?l=bugtraq&m=...98519803911&w=2
http://bugs.debian.org/cgi-bin/bugreport.c....cgi?bug=193375

[size=9]Posted automatically by aru (mdksec2mub v0.0.6)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.