Opened 15 years ago

Closed 15 years ago

#2205 closed defect (fixed)

Unzip-5.52 Vulnerability

Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: high
Milestone: 6.2.0
Component: BOOK
Version: SVN
Severity: critical
Keywords:
Cc:

Description

From the Info-ZIP web site:

"The Unix port of UnZip 5.52 is reported to have a race-condition vulnerability, whereby a local attacker could change the permissions of the user's files during unpacking. (This has been assigned CVE #CAN-2005-2475.)"

Most locations have pulled the 5.52 sources, but they are still on anduin.

A warning needs to be put into the book until a new version is released.

Attachments (1)

unzip-5.52-security_fix-1.patch (2.5 KB) - added by Ag. Hatzimanikas 15 years ago.

Change History (7)

comment:1 by dnicholson@…, 15 years ago

I've been meaning to report this for a long time. There are numerous reported vulnerabilities on unzip. But here's a patch for CAN-2005-2475:

http://people.ubuntu.com/patches/unzip.CAN-2005-2475.diff

This is the same as what Fedora is applying:

http://cvs.fedora.redhat.com/viewcvs/*checkout*/devel/unzip/unzip-5.52-toctou.patch

There's also a beta version of unzip-6.0 if we really want to be aggressive.

http://downloads.sourceforge.net/infozip/unzip60c.zip

It also could be a good idea to just apply Debian's whole current diff as it has a few other CVEs.

http://ftp.debian.org/pool/main/u/unzip/unzip_5.52-9.diff.gz

comment:2 by Ag. Hatzimanikas, 15 years ago

I didn't receive email notification about this ticket (specifically Dan's answer), so I did some research and it looks like it was reported by Oliver Brakmann in our security mailing list back in February.

Here is the link with an attached patch which also fixes another vulnerability: http://linuxfromscratch.org/pipermail/lfs-security/2006-February/001436.html

by Ag. Hatzimanikas, 15 years ago

unzip-5.52-security_fix-1.patch

comment:3 by Ag. Hatzimanikas, 15 years ago

The aforementioned (attached) patch doesn't break the patch [1] that is mentioned by Alexander in the unzip page, which also applies with some offsets.

[1] https://bugzilla.altlinux.ru/attachment.cgi?id=532

comment:4 by Randy McMurchy, 15 years ago

Type: task → defect

comment:5 by bdubbs@…, 15 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:6 by bdubbs@…, 15 years ago

Resolution: fixed
Status: assigned → closed

Added security patch at revision 6398. Used the patch submitted by Ag Hatzim.
