Mandriva Advisories

Package name: unzip
Date: July 7th, 2003
Advisory ID: MDKSA-2003:073
Affected versions: 8.2, 9.0, 9.1, MNF8.2, CS2.1
Synopsis: Updated unzip packages fix vulnerability

Problem Description

A vulnerability was discovered in unzip 5.50 and earlier that allows
attackers to overwrite arbitrary files during archive extraction by
placing non-printable characters between two "." characters in a file
name. unzip filters these invalid characters out, which leaves a ".."
sequence behind.

The patch applied to these packages prevents unzip from writing to
parent directories unless the "-:" command line option is used.
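The following is an added illustration, not code from unzip or from the Mandriva packages: a Python model of the ordering bug described above (a traversal check applied before a sanitizer that can itself create ".."), next to the ordering an extractor should use. The destination directory and the member names are constructed for the demonstration.

```python
import posixpath
from typing import Optional


def strip_nonprintable(name: str) -> str:
    """Model of a sanitizer that drops non-printable characters from an
    archive member name (the filtering step the advisory describes)."""
    return "".join(ch for ch in name if ch.isprintable())


def has_parent_ref(name: str) -> bool:
    """True if the name is absolute or any path component is '..'."""
    return name.startswith("/") or ".." in name.split("/")


def resolve_vulnerable(dest: str, name: str) -> Optional[str]:
    """Flawed ordering: the traversal check looks at the raw name and the
    sanitizer runs afterwards, so a '..' that only exists after filtering
    is never checked. Returns the path that would be written, or None."""
    if has_parent_ref(name):
        return None
    cleaned = strip_nonprintable(name)
    return posixpath.normpath(posixpath.join(dest, cleaned))


def resolve_hardened(dest: str, name: str) -> Optional[str]:
    """Safe ordering: sanitize first, check the sanitized name, then confirm
    that the final normalized path still lies inside dest."""
    base = posixpath.normpath(dest)
    cleaned = strip_nonprintable(name)
    if has_parent_ref(cleaned):
        return None
    target = posixpath.normpath(posixpath.join(base, cleaned))
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        return None
    return target


# Constructed member names: a normal file, an obvious traversal, and a name
# whose '..' only appears once the control character has been filtered out.
SAMPLE_NAMES = ["docs/readme.txt", "../outside.txt", ".\x01./outside.txt"]

if __name__ == "__main__":
    dest = "/tmp/extract"
    for name in SAMPLE_NAMES:
        print(repr(name), resolve_vulnerable(dest, name), resolve_hardened(dest, name))
```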

Updated Packages

Mandrakelinux 8.2

2b6f9fa219510dc5d0f3c8a4c5b0ff7a  8.2/RPMS/unzip-5.50-4.1mdk.i586.rpm
1b16ee3b0288fbed97d46c3542765d1d  8.2/SRPMS/unzip-5.50-4.1mdk.src.rpm

Mandrakelinux 8.2/PPC

f69c968aa6da2d9a8cfa4696b12b3860  ppc/8.2/RPMS/unzip-5.50-4.1mdk.ppc.rpm
1b16ee3b0288fbed97d46c3542765d1d  ppc/8.2/SRPMS/unzip-5.50-4.1mdk.src.rpm

Mandrakelinux 9.0

a46b18334a96f2e2a6fa0bba82c3abe5  9.0/RPMS/unzip-5.50-4.1mdk.i586.rpm
1b16ee3b0288fbed97d46c3542765d1d  9.0/SRPMS/unzip-5.50-4.1mdk.src.rpm

Mandrakelinux 9.1

27dcadbb90d10e8a707ed0ada31ace4c  9.1/RPMS/unzip-5.50-4.1mdk.i586.rpm
1b16ee3b0288fbed97d46c3542765d1d  9.1/SRPMS/unzip-5.50-4.1mdk.src.rpm

Mandrakelinux 9.1/PPC

277fed45dc8ae6724b4fadc158783c56  ppc/9.1/RPMS/unzip-5.50-4.1mdk.ppc.rpm
1b16ee3b0288fbed97d46c3542765d1d  ppc/9.1/SRPMS/unzip-5.50-4.1mdk.src.rpm

Multi Network Firewall 8.2

2b6f9fa219510dc5d0f3c8a4c5b0ff7a  mnf8.2/RPMS/unzip-5.50-4.1mdk.i586.rpm
1b16ee3b0288fbed97d46c3542765d1d  mnf8.2/SRPMS/unzip-5.50-4.1mdk.src.rpm

Corporate Server 2.1

a46b18334a96f2e2a6fa0bba82c3abe5  corporate/2.1/RPMS/unzip-5.50-4.1mdk.i586.rpm
1b16ee3b0288fbed97d46c3542765d1d  corporate/2.1/SRPMS/unzip-5.50-4.1mdk.src.rpm

Corporate Server 2.1/X86_64

96ba0a37cde8a7629bba206f03cc87c8  x86_64/corporate/2.1/RPMS/unzip-5.50-4.1mdk.x86_64.rpm
1b16ee3b0288fbed97d46c3542765d1d  x86_64/corporate/2.1/SRPMS/unzip-5.50-4.1mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm


You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the MD5 checksum and GPG signature of each package are verified automatically for you.