The Slackware Linux Project: Mailing List Info

Mailing List Info

News
Security Advisories
FAQ
Book
General Info
Get Slack
Install Help
Configuration
Packages
ChangeLogs
Propaganda
Ports
Other Sites
Support
Contact

Mailing Lists
Archives

About

From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] unzip vulnerability patched (SSA:2003-237-01)
Date: Mon, 25 Aug 2003 20:39:27 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  unzip vulnerability patched (SSA:2003-237-01)

Upgraded infozip packages are available for Slackware 9.0 and -current.
These fix a security issue where a specially crafted archive may
overwrite files (including system files anywhere on the filesystem)
upon extraction by a user with sufficient permissions.

For more information, see:

http://www.securityfocus.com/bid/7550
http://lwn.net/Articles/38540/
http://xforce.iss.net/xforce/xfdb/12004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Mon Aug 25 15:35:28 PDT 2003
patches/packages/infozip-5.50-i486-2.tgz:  Fixed a bug where a specially
  crafted archive might try to write to ../ or ../../, etc, potentially
  overwriting system files if the user (such as root) has permissions to
  overwrite them.  Thanks to jelmer for locating this problem, and
  Ben Laurie for providing a patch.
  (* Security fix *)
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/infozip-5.50-i386-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/infozip-5.50-i486-2.tgz



MD5 SIGNATURES:
+-------------+

Slackware 9.0 package:
d262ae0564f475b39e2ccf20fe1dfc41  infozip-5.50-i386-2.tgz

Slackware -current package:
8c4b4fc48e145a71e962cd7f99be8a5b  infozip-5.50-i486-2.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade using upgradepkg (as root):
upgradepkg infozip-5.50-i386-2.tgz



+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/SpEiakRjwEAQIjMRAmXUAJkBVx8yYSRth0DpFPM89PrxTxDMGgCdHDRL
tFzFHS6BR5BLPCyuL372C+Q=
=Kv9k
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.