LinuxQuestions.org


phoeniXflame 08-26-2003 03:57 AM

Slackware Security Update: unzip vulnerability patched
 
I thought this might be helpful for everyone who isn't subscribed to the mailing lists ...

Quote:

[slackware-security] unzip vulnerability patched (SSA:2003-237-01)

Upgraded infozip packages are available for Slackware 9.0 and -current.
These fix a security issue where a specially crafted archive may
overwrite files (including system files anywhere on the filesystem)
upon extraction by a user with sufficient permissions.

For more information, see:

http://www.securityfocus.com/bid/7550
http://lwn.net/Articles/38540/
http://xforce.iss.net/xforce/xfdb/12004
http://cve.mitre.org/cgi-bin/cvename...=CAN-2003-0282


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Mon Aug 25 15:35:28 PDT 2003
patches/packages/infozip-5.50-i486-2.tgz: Fixed a bug where a specially
crafted archive might try to write to ../ or ../../, etc, potentially
overwriting system files if the user (such as root) has permissions to
overwrite them. Thanks to jelmer for locating this problem, and
Ben Laurie for providing a patch.
(* Security fix *)
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackwar....50-i386-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackwar....50-i486-2.tgz



MD5 SIGNATURES:
+-------------+

Slackware 9.0 package:
d262ae0564f475b39e2ccf20fe1dfc41 infozip-5.50-i386-2.tgz

Slackware -current package:
8c4b4fc48e145a71e962cd7f99be8a5b infozip-5.50-i486-2.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade using upgradepkg (as root):
upgradepkg infozip-5.50-i386-2.tgz



+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
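
The ChangeLog entry quoted above describes archive entry names containing ../ that escape the extraction directory. As an added example (not part of the original post, the advisory, or the Info-ZIP patch), this Python sketch lists the entries whose names would resolve outside a destination directory, without extracting anything; the destination `/srv/unpack`, the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile

# Constructed sample entry names: two ordinary, two that leave the target dir.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "docs/../CHANGES",                 # stays inside after normalisation
    "../../etc/cron.d/constructed",    # climbs out with ../
    "/etc/constructed.conf",           # absolute path
]

def build_sample():
    """Build the constructed sample archive in memory (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed sample data\n")
    buf.seek(0)
    return buf

def escaping_entries(archive, dest="/srv/unpack"):
    """Return entry names whose extraction path would fall outside dest.

    Only names are inspected; nothing is extracted.
    """
    root = posixpath.normpath(dest)
    prefix = root.rstrip("/") + "/"
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, as some extractors do.
            name = info.filename.replace("\\", "/")
            # join() lets an absolute name replace root; normpath folds "..".
            target = posixpath.normpath(posixpath.join(root, name))
            if target != root and not target.startswith(prefix):
                flagged.append(info.filename)
    return flagged

if __name__ == "__main__":
    for name in escaping_entries(build_sample()):
        print("refusing to extract, path escapes destination:", name)
```

The check looks at entry names only, so it complements the patched package rather than replacing it.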

slakmagik 08-26-2003 05:03 AM

Thanks. But maybe these should all go in one thread so people who haven't seen the old ones can review them when it gets bumped and people who have can just keep up with the new posts?

zsejk 08-26-2003 11:11 AM

You mean something like http://www.slackware.com/security/li...curity&y=2003?

:)

-zsejk

slakmagik 08-26-2003 11:20 AM

Hm. Well, *kinda* like that. I suppose it's close enough. ;)

I have to remember to hit *all* the links at that site and not just the mirrors and the book. :) Thanks.

emilryge 08-26-2003 12:50 PM

When was this sent out?
I signed up like a week ago (both lists) and still have not received a single mail.

- Emil

emilryge 08-26-2003 12:52 PM

When was this warning sent out?

I signed up for both slackware mailing lists more than a week ago and still have not received a single mail...

- Emil


All times are GMT -5.