Heads up - serious vulnerability in 'unzip'
Mike Watson
mikew at CRUCIS.NET
Tue Jul 8 22:45:50 IST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 08 July 2003 03:13 am, you wrote:
> There's a problem with unzip. Looks like it could be serious for
> anyone running MailScanner as root where the virus scanner uses
> external unzip (such as Clam). Patches are available.
>
> (from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282 )
>
> Directory traversal vulnerability in UnZip 5.50 allows attackers to
> overwrite arbitrary files via invalid characters between two . (dot)
> characters, which are filtered and result in a ".." sequence.
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
Snipped
Red Hat has already released a fix for unzip for RH8 & 9. Earlier
versions too I think.
Mike W
- --
Registered Linux - 256979
NRA Life
ARS: W0TMW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/CzuR5fq6h2uDDlQRAgsDAJ4scKkrGmWGrEbFC1TIbTVa5qq6LwCgoRhO
GxWmORq0if5GEe/XsTqe8/Q=
=KMyp
-----END PGP SIGNATURE-----
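As an added illustration (not part of the original message, MailScanner, or UnZip): a pre-extraction check that lists an archive's member names and flags any that contain, or would contain after character filtering, a ".." path component. The CVE text does not say which characters UnZip 5.50 filters, so the example assumes non-printable characters are the ones dropped; the function names and the sample archive are constructed for this example.

```python
import io
import zipfile

def unsafe_reason(name):
    """Return why an archive member name is unsafe, or None if it looks safe."""
    # Assumption: the extractor's filter drops non-printable characters.
    cleaned = "".join(ch for ch in name if ch.isprintable())
    for label, candidate in (("as stored", name), ("after filtering", cleaned)):
        norm = candidate.replace("\\", "/")
        if norm.startswith("/") or norm[1:2] == ":":
            return "absolute path " + label
        if ".." in norm.split("/"):
            return "'..' component " + label
    if cleaned != name:
        return "non-printable character in name"
    return None

def audit_zip(data):
    """Map each unsafe member name in a zip (given as bytes) to its reason."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # orig_filename is the name as stored, before zipfile tidies it
            reason = unsafe_reason(info.orig_filename)
            if reason:
                findings[info.orig_filename] = reason
    return findings

def build_sample():
    """Constructed sample archive, built in memory; nothing touches disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "../outside.txt",
                     ".\x01./outside.txt", "notes\x07.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()).items():
        print(repr(name), "->", reason)
```

Checking the name both as stored and after filtering matters here because the second sample name contains no ".." until the filtered character is removed.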