-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2003-42
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original release date : 09 Jul 2003
Last revised : 09 Jul 2003
Package : unzip
Summary : Files are overwritten
More information :
Unzip will list, test, or extract files from a ZIP archive.
UnZip contains a vulnerability in its handling of pathnames
for archived files. Specifically, when certain encoded characters are
inserted into '../' directory traversal sequences, the creator of the
archive can cause the file to be extracted to arbitrary locations on the
filesystem - including paths containing system binaries and other
sensitive or confidential information.
Impact :
This allows an attacker who creates a hostile archive to have its files
placed anywhere on the target system.
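The check below is an added example, not part of the Turbolinux advisory or the UnZip source. It flags ZIP member names that would land outside the extraction directory by testing the name after cleaning, rather than searching the raw name for '../'. The strip_unprintable filter, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile


def strip_unprintable(name):
    # Assumption: stand-in for whatever name-cleaning pass an extractor
    # applies before writing; here it drops non-printable ASCII characters.
    return "".join(c for c in name if 32 <= ord(c) < 127)


def naive_check(name):
    # Weak form: pattern match on the raw name, before any cleaning.
    return "../" in name


def escapes_root(name, clean=strip_unprintable):
    """True if the name, as it would finally be written, leaves the root."""
    # Treat backslashes as separators too (conservative choice).
    final = clean(name).replace("\\", "/")
    if final.startswith("/"):
        return True  # absolute path
    # Resolve '.' and '..' lexically against a virtual root directory.
    norm = posixpath.normpath(posixpath.join("/root", final))
    return norm != "/root" and not norm.startswith("/root/")


def unsafe_members(zip_bytes):
    """List member names in the archive that would escape the root."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if escapes_root(i.filename)]


def build_sample():
    # Constructed sample archive, built in memory; all names are made up.
    # The \x01 character is an arbitrary placeholder for "inserted" bytes.
    names = ("docs/readme.txt", "docs/../notes.txt", "../outside.txt",
             "docs/../../outside2.txt", ".\x01./outside3.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample()):
        print(repr(name), "naive check flags it:", naive_check(name))
```

The check is lexical only, so symbolic links already present under the extraction directory need separate handling.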
Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use the turbopkg tool to apply the update.
<Turbolinux 8 Server>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 4a3bcdbec851a5a9ea031c5dc0a1d935
Binary Packages
Size : MD5
unzip-5.50-4.i586.rpm
210944 3a9d7a6b826e2189cc52823e36a212ce
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 df3fb547784f93d85266a67903432c17
Binary Packages
Size : MD5
unzip-5.50-4.i586.rpm
210999 fb3a436e55f341464a12ed62ece9cb49
<Turbolinux 7 Server>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 b5d2bdfebd58aa2662175824089ff471
Binary Packages
Size : MD5
unzip-5.50-4.i586.rpm
211162 2633633d94d5f234008b2fffd0016d20
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 dfb74486f5d4570d26faef50072188c5
Binary Packages
Size : MD5
unzip-5.50-4.i586.rpm
211181 bf38f7e2ff297f75be563492e34eba96
<Turbolinux Server 6.5>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 5e5ba38b8eb96a872cee00cf89d661d6
Binary Packages
Size : MD5
unzip-5.50-4.i386.rpm
263809 3d7b79d919fff3eee0e0508a1a09e88f
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 bcfa3f98d6cff650c02155c7f2b7051a
Binary Packages
Size : MD5
unzip-5.50-4.i386.rpm
263792 fbc5e0badf3992482da4d9fdbce2dd5c
<Turbolinux Server 6.1>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 88cc8cca19622d41067780c6d871170c
Binary Packages
Size : MD5
unzip-5.50-4.i386.rpm
263801 83d2829aa9af08cdf9ccf97a9599cb46
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
unzip-5.50-4.src.rpm
1095258 5110a3ee77e1d7b1d1719b1238d50db1
Binary Packages
Size : MD5
unzip-5.50-4.i386.rpm
263795 c2905da200b9abad3f178eb4396082c6
References :
CVE [CAN-2003-0282]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
--------------------------------------------------------------------------
Revision History
09 Jul 2003 Initial release
--------------------------------------------------------------------------
Copyright(C) 2003 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/C4XgK0LzjOqIJMwRAhNKAJ94hb6X5Cs8BnbkGaGUhcmTM/+CfQCfZMFh
cuuWq2od9voBxWPAEsF2C+4=
=WpZ7
-----END PGP SIGNATURE-----