Opened 17 years ago

Closed 17 years ago

#2205 closed defect (fixed)

Unzip-5.52 Vulnerability

Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: high
Milestone: 6.2.0
Component: BOOK
Version: SVN
Severity: critical
Keywords:


From the Info-ZIP web site:

"The Unix port of UnZip 5.52 is reported to have a race-condition vulnerability, whereby a local attacker could change the permissions of the user's files during unpacking. (This has been assigned CVE #CAN-2005-2475.)"

Most locations have pulled the 5.52 sources, but they are still on anduin.

A warning needs to be put into the book until a new version is released.

Attachments (1)

unzip-5.52-security_fix-1.patch (2.5 KB) - added by Ag. Hatzimanikas 17 years ago.


Change History (7)

comment:1 by dnicholson@…, 17 years ago

I've been meaning to report this for a long time. There are numerous reported vulnerabilities on unzip. But here's a patch for CAN-2005-2475:

This is the same as what Fedora is applying: *checkout*/devel/unzip/unzip-5.52-toctou.patch

There's also a beta version of unzip-6.0 if we really want to be aggressive.

It also could be a good idea to just apply Debian's whole current diff as it has a few other CVEs.

comment:2 by Ag. Hatzimanikas, 17 years ago

I didn't receive email notification about this ticket (specifically Dan's answer), so I did some research and it looks like it was reported by Oliver Brakmann in our security mailing list back in February.

Here is the link with an attached patch which also fixes another vulnerability.

by Ag. Hatzimanikas, 17 years ago


comment:3 by Ag. Hatzimanikas, 17 years ago

The aforementioned (attached) patch doesn't break the patch [1] that is mentioned by Alexander in the unzip page, which also applies with some offsets.


comment:4 by Randy McMurchy, 17 years ago

Type: task → defect

comment:5 by bdubbs@…, 17 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:6 by bdubbs@…, 17 years ago

Resolution: fixed
Status: assigned → closed

Added security patch at revision 6398. Used the patch submitted by Ag Hatzim.
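
The race class named in this ticket (CAN-2005-2475, time-of-check/time-of-use on a file being unpacked), as an added C example that is neither UnZip's source nor the attached patch: permissions are applied through the open descriptor instead of by path name. The function names and the file name are assumptions made for this illustration.

```c
/* Added illustration, not UnZip source: apply an extracted file's mode
 * through the open descriptor so a swapped path name cannot redirect it. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create the output file privately; O_EXCL|O_NOFOLLOW refuses a file or
 * symlink already present at that name. Returns an fd, or -1 on error. */
int create_output(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Set the archived mode on the inode that was actually written, then close.
 * fchmod() works on the descriptor, so no name lookup happens here. */
int finish_output(int fd, mode_t mode)
{
    int rc = fchmod(fd, mode & 07777);
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Detection aid: does `path` still name the inode behind `fd`?
 * Returns 1 if yes, 0 if replaced or removed, -1 if fstat() fails. */
int path_matches_fd(int fd, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0)
        return -1;
    if (lstat(path, &by_name) != 0)
        return 0;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

int main(void)
{
    const char *path = "example-extracted.tmp";   /* constructed file name */
    unlink(path);
    int fd = create_output(path);
    if (fd < 0) { perror("open"); return 1; }
    printf("path matches fd: %d\n", path_matches_fd(fd, path));
    int rc = finish_output(fd, 0644);
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```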
