This one time, at band camp, Santiago Vila said:
> On Wed, 25 Jan 2006, Stephen Gran wrote:
>
> > Package: unzip
> > Version: 5.52-1sarge3
> > Severity: grave
> > Tags: security
> >
> > http://www.securityfocus.com/bid/15968
>
> Why "grave" and "security"? AFAIK, this is not the case where a
> malicious user gives you a .zip archive and your system gets
> compromised if you try to unzip it.
Actually it appears this is exactly the case.
http://www.securityfocus.com/bid/15968/discuss:

"This issue allows attackers to execute arbitrary machine code in the
context of users utilizing the affected application."

Granted, most of the time this will only be a local user exploit, rather
than a root level exploit, but if an application uses info-zip routines
and runs as root, it will be a root level exploit.
-- 
-----------------------------------------------------------------
|  ,''`.                                         Stephen Gran |
| : :' :                                    [EMAIL PROTECTED] |
| `. `'                      Debian user, admin, and developer |
|   `-                                  http://www.debian.org |
-----------------------------------------------------------------