aru Posted June 16, 2003 Report Share Posted June 16, 2003 MandrakeSoft Security Advisory MDKSA-2003:068 : gzip June 16th, 2003 Updated gzip packages fix insecure temporary file creation A vulnerability exists in znew, a script included with gzip, that would create temporary files without taking precautions to avoid a symlink attack. Patches have been applied to make use of mktemp to generate unique filenames, and properly make use of noclobber in the script. Likewise, a fix for gzexe which had been applied previously was incomplete. It has been fixed to make full use of mktemp everywhere a temporary file is created. The znew problem was initially reported by Michal Zalewski and was again reported more recently to Debian by Paul Szabo. The released versions of Mandrake GNU/Linux affected are: 8.2 [*] 8.2/PPC [*] 9.0 [*] 9.1 [*] 9.1/PPC [*] Multi Network Firewall 8.2 [*] Corporate Server 2.1 Full information about this advisory, including the updated packages, is available at: www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:068 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CVE-1999-1332 http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0367 http://marc.theaimsgroup.com/?l=bugtraq&m=...98519803911&w=2 http://bugs.debian.org/cgi-bin/bugreport.c....cgi?bug=193375 Posted automatically by aru (mdksec2mub v0.0.6) Link to comment Share on other sites More sharing options...
Recommended Posts