Unzip-5.52 Vulnerability

[bdubbs@…]

From the info zip web site:

"The Unix port of UnZip 5.52 is reported to have a race-condition vulnerability, whereby a local attacker could change the permissions of the user's files during unpacking. (This has been assigned CVE #CAN-2005-2475.) "

Most locations have pulled the 5.52 sources, but they are still on anduin.

A warning needs to be put into the book until a new version is released.

[dnicholson@…]

I've been meaning to report this for a long time. There are numerous reported vulnerabilities on unzip. But here's a patch for CAN-2005-2475:

​http://people.ubuntu.com/patches/unzip.CAN-2005-2475.diff

This is the same as what fedora is applying:

​http://cvs.fedora.redhat.com/viewcvs/*checkout*/devel/unzip/unzip-5.52-toctou.patch

There's also a beta version of unzip-6.0 if we really want to be aggressive.

​http://downloads.sourceforge.net/infozip/unzip60c.zip

It also could be a good idea to just apply debian's whole current diff as it has a few other CVE's.

​http://ftp.debian.org/pool/main/u/unzip/unzip_5.52-9.diff.gz

[Ag. Hatzimanikas]

I didn't receive email notification about this ticket (specifically Dan's answer),so I did some research and it looks that it was reported by Oliver Brakmann in our security mailing list back in february.

Here is the link with an attached patch which fixes also another vulnerability. ​http://linuxfromscratch.org/pipermail/lfs-security/2006-February/001436.html

[Ag. Hatzimanikas]

unzip-5.52-security_fix-1.patch

[Ag. Hatzimanikas]

The aforementioned (attached) patch it doesn't break the patch [1] that is mentioned by Alexander in the unzip page,which also applies with some offsets.

1.​https://bugzilla.altlinux.ru/attachment.cgi?id=532

[bdubbs@…]

Added security patch at revision 6398. Used the patch submitted by Ag Hatzim.