Slackware Security Advisories
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] infozip (SSA:2005-121-01)
Date: Mon, 2 May 2005 01:54:29 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  infozip (SSA:2005-121-01)

New infozip (zip/unzip) packages are available for Slackware 8.1, 9.0,
9.1, 10.0, 10.1, and -current to fix security issues.

- From the www.info-zip.org site:

      Zip 2.3 and (presumably) all previous versions have a buffer-
      overrun vulnerability relating to deep directory paths that could
      potentially lead to local privilege escalation (e.g., in the case of
      automated, Zip-based backups). See the FAQ page for details.

      All versions of UnZip through 5.50 have a number of directory-
      traversal vulnerabilities, and version 5.50 also has a textmode data-
      corruption bug that affects 16-bit ports such as MS-DOS. See the FAQ
      page for details.


Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/infozip-5.52-i486-1.tgz:  Upgraded to unzip552.tar.gz and
  zip231.tar.gz.  These fix some buffer overruns if deep directory paths are
  packed into a Zip archive which could be a security vulnerability (for
  example, in a case of automated archiving or backups that use Zip).  However,
  it also appears that these now use certain assembly instructions that might
  not be available on older CPUs, so if you have an older machine you may wish
  to take this into account before deciding whether you should upgrade.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/infozip-5.52-i486-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/infozip-5.52-i486-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/infozip-5.52-i486-1.tgz

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/infozip-5.52-i486-1.tgz

Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/infozip-5.52-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/infozip-5.52-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 8.1 package:
d3fd87796f1303bf17b94611b4827d60  infozip-5.52-i486-1.tgz

Slackware 9.0 package:
af5f763f9dadadd473032bdebd76f085  infozip-5.52-i486-1.tgz

Slackware 9.1 package:
8d8e78360cd13b2a0f7f0db9a538d031  infozip-5.52-i486-1.tgz

Slackware 10.0 package:
c8ab2971135894313f241a91f11ff02b  infozip-5.52-i486-1.tgz

Slackware 10.1 package:
0a94f56bc134975d5fff2f259121b9ad  infozip-5.52-i486-1.tgz

Slackware -current package:
e90e33f4fbd2c312faa556bea61e123e  infozip-5.52-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg infozip-5.52-i486-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFCddJvakRjwEAQIjMRApNVAKCBFfwk++a7jnBOyY6ujkpJ/3x1nwCgjFGI
nF5ZF5XOIeRNCC20DijzYc0=
=X5Uu
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.