
SOT Linux 2002 Advisory: tar, unzip

Oct 03, 2002, 21:55

[ Thanks to SOT Linux Security Team for this link. ]

---------------------------------------------------------------------
                   SOT Linux Security Advisory

Subject:           Updated tar and unzip package for SOT Linux 2002
Advisory ID:       SLSA-2002:22
Date:              Thursday, October 3, 2002
Product:           SOT Linux 2002
---------------------------------------------------------------------

1. Problem description

A directory traversal vulnerability in unzip version 5.42 and earlier,
as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite
arbitrary files during archive extraction via a ".." (dot dot) in an
extracted filename.

In addition, unzip version 5.42 and earlier also allows attackers to
overwrite arbitrary files during archive extraction via filenames in the
archive that begin with the "/" (slash) character.
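As an added defender-side example (not part of SOT's advisory or of the tar/unzip code itself), the following Python check rejects archive member names of the two shapes the advisory describes, a leading "/" and ".." components that climb out of the extraction directory, before anything is written to disk. The destination directory and the archive contents are constructed for illustration.

```python
import io
import os
import tarfile


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if extracting `name` would stay inside `dest`.

    Rejects absolute names ("/etc/passwd") outright, then resolves the
    name against `dest` so that ".." components ("../../etc/passwd",
    "pkg/../../x") are caught wherever they appear in the path.
    """
    if not name or name.startswith("/"):
        # os.path.join would discard `dest` for an absolute name, so
        # this case must be rejected before joining.
        return False
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, name))
    # The trailing separator stops "/tmp/extract2" matching "/tmp/extract".
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """List member names that would escape `dest` if extracted."""
    return [m.name for m in archive.getmembers()
            if not is_safe_member(m.name, dest)]


def build_sample_tar() -> tarfile.TarFile:
    """Constructed in-memory archive (sample data, not a real package)
    mixing one benign name with the two hostile shapes from the advisory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("pkg/README", "pkg/../../etc/passwd", "/etc/passwd"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    # Assumed extraction directory; only the names are inspected.
    print(unsafe_members(build_sample_tar(), "/tmp/extract"))
```

Running the check over every member before calling extractall, and refusing the whole archive if any name fails, is the behaviour the updated tar and unzip packages provide natively.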


2. Updated packages

SOT Linux 2002 Desktop:
i386:
ftp://ftp.sot.com/updates/2002/Desktop/i386/tar-1.13.25-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Desktop/i386/unzip-5.50-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/tar-1.13.25-1.src.rpm
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/unzip-5.50-1.src.rpm

SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/tar-1.13.25-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/unzip-5.50-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/tar-1.13.25-1.src.rpm
ftp://ftp.sot.com/updates/2002/Server/SRPMS/unzip-5.50-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from
the SOT Linux FTP site (use the links above) or from one of our mirrors.
The list of mirrors can be obtained at www.sot.com/en/linux.
Update the package with the following command:
rpm -Uvh filename


4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:
rpm --checksig filename

If you wish to verify the integrity of the downloaded package, run
"md5sum filename" and compare the output with data given below.

Package Name                         MD5 sum
---------------------------------------------------------------------
/Desktop/i386/tar-1.13.25-1.i386.rpm 2879809dac49fc5137a017f997f2aa1b
/Desktop/i386/unzip-5.50-1.i386.rpm  db2e768a393f146e034805b7d9011a4c
/Desktop/SRPMS/tar-1.13.25-1.src.rpm 8d2b7cc3c90d37905df67e76061e68bd
/Desktop/SRPMS/unzip-5.50-1.src.rpm  69bcb69f467682815ed71e53671c856c
/Server/i386/tar-1.13.25-1.i386.rpm  2879809dac49fc5137a017f997f2aa1b
/Server/i386/unzip-5.50-1.i386.rpm   db2e768a393f146e034805b7d9011a4c
/Server/SRPMS/tar-1.13.25-1.src.rpm  8d2b7cc3c90d37905df67e76061e68bd
/Server/SRPMS/unzip-5.50-1.src.rpm   69bcb69f467682815ed71e53671c856c


5. References

http://online.securityfocus.com/archive/1/196445

Copyright(c) 2001, 2002 SOT
---------------------------------------------------------------------
You can view other update advisories for SOT Linux 2002 at:
http://www.sot.com/en/linux/sa/
---------------------------------------------------------------------