Yellow Dog Linux Security Advisory: YDU-20030710-1
Terra Soft Security Team
yellowdog-updates@lists.terrasoftsolutions.com
Fri, 11 Jul 2003 14:36:29 -0600
Yellow Dog Linux Security Announcement
--------------------------------------
Package: unzip
Issue Date: Jul 10, 2003
Priority: medium
Advisory ID: YDU-20030710-1
1. Topic:
Updated unzip packages are available.
2. Problem:
"The unzip utility is used for manipulating archives, which are multiple
files stored inside of a single file.
A vulnerability in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0282 to this issue.
This erratum includes a patch ensuring that non-printable characters do not
make it possible for a malicious .zip file to write to parent directories
unless the "-:" command line parameter is specified.
Users of unzip are advised to upgrade to these updated packages, which are
not vulnerable to this issue."
From Red Hat Advisory
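Added example (not part of the Yellow Dog or Red Hat advisory, and not
unzip's own code): a pre-extraction audit that flags archive member names
whose path components turn into ".." only after non-printable characters
are removed, which is the condition described above. It assumes that
"non-printable" means anything outside printable ASCII (0x20-0x7E); the
function names and sample names are constructed for illustration.

```python
import zipfile


def strip_nonprintable(name: str) -> str:
    """Model of the filtering step: drop characters outside printable ASCII.
    Assumption: the advisory does not define "non-printable" precisely."""
    return "".join(ch for ch in name if 0x20 <= ord(ch) <= 0x7E)


def has_dotdot(name: str) -> bool:
    """True if any path component is exactly '..' (either separator style)."""
    return ".." in name.replace("\\", "/").split("/")


def classify(name: str) -> str:
    """Return 'ok', 'dotdot' (a literal '..' component) or 'hidden-dotdot'
    (a '..' component that exists only after filtering)."""
    if has_dotdot(name):
        return "dotdot"
    if has_dotdot(strip_nonprintable(name)):
        return "hidden-dotdot"
    return "ok"


def audit(zip_source) -> list:
    """Return (member name, verdict) for each suspicious entry.
    zip_source is a path or a binary file object; nothing is extracted."""
    with zipfile.ZipFile(zip_source) as zf:
        return [(n, v) for n in zf.namelist() if (v := classify(n)) != "ok"]


# Constructed sample member names (not taken from any real archive).
SAMPLES = [
    "docs/readme.txt",         # ordinary entry
    "../etc/motd",             # literal parent reference
    ".\x07./.\x01./tmp/x",     # '..' appears only after filtering
    "a..b/file",               # dots inside a name, not a '..' component
    "dir/.\x7f.",              # DEL between the dots
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} {classify(sample)}")
```

Checking both the raw and the filtered name matters: a check made only
before filtering passes the "hidden-dotdot" entries.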
3. Solution:
a) Updating via yum...
We suggest that you use the yum program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
yum update unzip
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
ppc/unzip-5.50-14.ppc.rpm
4. Verification
MD5 checksum                      Package
--------------------------------  ----------------------------
b3e4dc58bd1d14b8ffbf74c5e2a74302  SRPMS/unzip-5.50-14.src.rpm
1ea9bec0cb3899236605de4fa7ae5ab4  ppc/unzip-5.50-14.ppc.rpm
If you wish to verify that each package has not been corrupted or
tampered with, examine the md5sum with the following command:
md5sum <filename>
5. Misc.
Terra Soft has set up a moderated mailing list where these security,
bugfix, and package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.
For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml