Yellow Dog Linux Security Advisory: YDU-20030710-1

Terra Soft Security Team yellowdog-updates@lists.terrasoftsolutions.com
Fri, 11 Jul 2003 14:36:29 -0600


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	unzip
Issue Date:	Jul 10, 2003
Priority:	medium
Advisory ID: 	YDU-20030710-1


1. 	Topic:

	Updated unzip packages are available.


2. 	Problem:

	"The unzip utility is used for manipulating archives, which are multiple
	files stored inside of a single file.

	A vulnerability in unzip version 5.50 and earlier allows attackers to
	overwrite arbitrary files during archive extraction by placing invalid
	(non-printable) characters between two "." characters. These non-printable
	characters are filtered, resulting in a ".." sequence. The Common
	Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
	CAN-2003-0282 to this issue.

	This erratum includes a patch ensuring that non-printable characters do not
	make it possible for a malicious .zip file to write to parent directories
	unless the "-:" command line parameter is specified.

	Users of unzip are advised to upgrade to these updated packages, which are
	not vulnerable to this issue."
	
	From Red Hat Advisory
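	As an added example (not part of this advisory and not code from the
	unzip project), the following Python check scans a .zip archive's entry
	names before extraction and flags any that would resolve to a parent
	directory once non-printable characters are stripped, which is the
	filtering behaviour the advisory describes. The exact set of characters
	unzip strips is an assumption here (all ASCII control characters), and
	the sample archive is constructed inline for the demonstration.

```python
import io
import re
import zipfile
from posixpath import normpath

# Assumption: the filter drops ASCII control characters (0x00-0x1F, 0x7F);
# the precise set unzip 5.50 removed is internal to that release.
NONPRINT = re.compile(r"[\x00-\x1f\x7f]")


def normalised_name(name: str) -> str:
    """Reproduce the filtering step, then resolve '.' and '..' components."""
    stripped = NONPRINT.sub("", name).replace("\\", "/")
    return normpath(stripped)


def is_traversal(name: str) -> bool:
    """True if the entry would be written outside the extraction directory."""
    clean = normalised_name(name)
    return clean.startswith("/") or clean == ".." or clean.startswith("../")


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return the raw names of every entry an extractor should refuse."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_traversal(info.filename)]


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry, one plain '..' entry,
    and one whose '..' only appears after a control byte is filtered out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../etc/overwritten", "plain traversal")
        zf.writestr(".\x01./etc/overwritten", "traversal hidden by control byte")
    return buf.getvalue()


if __name__ == "__main__":
    for raw in unsafe_entries(build_sample_archive()):
        print("refusing entry:", repr(raw), "->", normalised_name(raw))
```

	A plain "../" check on the raw name would miss the third entry; the
	check has to run on the name as the extractor will actually interpret it.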

3. 	Solution:

	a) Updating via yum...
	We suggest that you use the yum program to keep your system
	up-to-date. The following command(s) will retrieve and install
	the fixed version of this update onto your system:

		yum update unzip

	b) Updating manually...
	Download the updates below and then run the following rpm command.
	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
			ppc/unzip-5.50-14.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
b3e4dc58bd1d14b8ffbf74c5e2a74302  SRPMS/unzip-5.50-14.src.rpm
1ea9bec0cb3899236605de4fa7ae5ab4  ppc/unzip-5.50-14.ppc.rpm

If you wish to verify that each package has not been corrupted or
tampered with, examine the md5sum with the following command:

	md5sum <filename>


5. Misc.

Terra Soft has set up a moderated mailing list where these security,
bugfix, and package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml