aru Posted August 19, 2003 Report Share Posted August 19, 2003 MandrakeSoft Security Advisory MDKSA-2003:073-1 : unzip August 19th, 2003 Updated unzip packages fix vulnerability A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two "." characters. These invalid characters are filtered which results in a ".." sequence. The patch applied to these packages prevents unzip from writing to parent directories unless the "-:" command line option is used. Update: Ben Laurie found that the original patch used to fix this issue missed a case where the path component included a quoted slash. An updated patch was used to build these packages. The released versions of Mandrake GNU/Linux affected are: 8.2 [*] 9.0 [*] 9.1 [*] Multi Network Firewall 8.2 [*] Corporate Server 2.1 Full information about this advisory, including the updated packages, is available at: www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:073-1 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0282 http://marc.theaimsgroup.com/?l=bugtraq&m=...105259038503175 Posted automatically by aru (mdksec2mub v0.0.6) Link to comment Share on other sites More sharing options...
Recommended Posts