From security@sco.com Wed Nov 12 20:50:59 2003
From: security@sco.com
To: announce@lists.caldera.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com
Date: Wed, 12 Nov 2003 14:41:42 -0800 (PST)
Reply-To: please_reply_to_security@sco.com
Subject: OpenLinux: unzip directory traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: unzip directory traversal
Advisory number:        CSSA-2003-031.0
Issue date:             2003 November 07
Cross reference:        sr882696 fz528147 erg712381 CAN-2003-0282
______________________________________________________________________________

1. Problem Description

   unzip is a widely used program for unpacking multiple files that have
   been concatenated and compressed into a single file (commonly known as
   an "archive").

   A vulnerability has been found in the way unzip extracts files whose
   path/names contain invalid characters between two '.' (dot)
   characters. These characters are filtered out, and the remaining
   characters form a ".." sequence (indicating the parent directory).

   By exploiting this vulnerability, an attacker can overwrite arbitrary
   files if the user unpacking such an archive has sufficient filesystem
   permissions to do so.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2003-0282 to this issue.

2. Vulnerable Supported Versions

   System                          Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server          prior to unzip-5.40-6MR.i386.rpm
   OpenLinux 3.1.1 Workstation     prior to unzip-5.40-6MR.i386.rpm

3. Solution

   The proper solution is to install the latest packages.

   Many customers find it easier to use the Caldera System Updater, called
   cupdate (or kcupdate under the KDE environment), to update these
   packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server

   4.1 Package Location

   ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/RPMS

   4.2 Packages

   308bbe0a68423441404609f93288b0e7  unzip-5.40-6MR.i386.rpm

   4.3 Installation

   rpm -Fvh unzip-5.40-6MR.i386.rpm

   4.4 Source Package Location

   ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/SRPMS

   4.5 Source Packages

   f220b525c0b9d8d157d46d23018a5676  unzip-5.40-6MR.src.rpm

5. OpenLinux 3.1.1 Workstation

   5.1 Package Location

   ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/RPMS

   5.2 Packages

   ee383aa3af5442bf977f454dc62cdcaa  unzip-5.40-6MR.i386.rpm

   5.3 Installation

   rpm -Fvh unzip-5.40-6MR.i386.rpm

   5.4 Source Package Location

   ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-031.0/SRPMS

   5.5 Source Packages

   7541701bdcb262ac4970c3bd4a4da077  unzip-5.40-6MR.src.rpm

6. References

   Specific references for this advisory:

   http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175&w=2
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282

   SCO security resources:

   http://www.sco.com/support/security/index.html

   This security fix closes SCO incidents sr882696 fz528147 erg712381.

7. Disclaimer

   SCO is not responsible for the misuse of any of the information we
   provide on this website and/or through our security advisories. Our
   advisories are a service to our customers intended to promote secure
   installation and use of SCO products.

8. Acknowledgements

   SCO would like to thank Ben Laurie, who found that the original patch
   to fix this issue missed a case where the path component included a
   quoted slash. These updated packages contain a new patch that corrects
   this issue.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/sYZnbluZssSXDTERAil9AJsFDmPro0woAzrp0fk2sFczftQYfACfRqRL
7xzvK4yZjt1YLPb5IQccWB4=
=l6Nv
-----END PGP SIGNATURE-----
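   The failure mode described in section 1 (and the missed case noted in
   section 8) comes down to one rule: an extractor must validate the
   entry name it is actually going to use, after every filtering or
   decoding step, not the raw name from the archive. The following Python
   is an added illustration written for this advisory, not code from
   unzip or from SCO; the set of "invalid characters", the destination
   directory /srv/extract and the sample archive are constructed
   assumptions.

```python
import io
import posixpath
import string
import zipfile

# Constructed stand-in for the "invalid characters" the advisory refers to
# (it does not enumerate them): anything outside printable ASCII is dropped.
_VALID = set(string.printable) - set("\t\n\r\x0b\x0c")


def naive_filter(name):
    """Mimic the flawed step: strip invalid characters, then trust the result."""
    return "".join(ch for ch in name if ch in _VALID)


def naive_target(dest, name):
    """Where a filter-then-join extractor would write (no escape check)."""
    cleaned = naive_filter(name).lstrip("/")
    return posixpath.normpath(posixpath.join(dest, cleaned))


def safe_target(dest, name):
    """Return the extraction path for `name`, or None if it would leave `dest`.

    The check runs on the *final* name, after filtering, so a ".." that the
    filter itself produced is still rejected.  `dest` is an absolute POSIX path.
    """
    root = posixpath.normpath(dest)
    # Extra conservative step (assumption, not from the advisory): treat
    # backslashes as separators so they cannot hide a component from the check.
    cleaned = naive_filter(name).replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(root, cleaned))
    if target == root or not target.startswith(root + "/"):
        return None
    return target


def unsafe_members(zip_bytes, dest):
    """Archive entry names that safe_target() refuses to extract."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if safe_target(dest, n) is None]


def build_sample_archive():
    """Constructed in-memory archive: one benign entry, one traversal-style entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README", "ordinary file\n")
        # '.\x01.' becomes '..' once the control character is filtered out.
        zf.writestr(zipfile.ZipInfo(".\x01./etc/passwd"), "sample\n")
    return buf.getvalue()
```

   With dest "/srv/extract", naive_target() resolves the second entry to
   /srv/etc/passwd, while unsafe_members() reports that entry as rejected.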