On Wed, 25 Jan 2006, Stephen Gran wrote:

> This one time, at band camp, Santiago Vila said:
> > On Wed, 25 Jan 2006, Stephen Gran wrote:
> > 
> > > Package: unzip
> > > Version: 5.52-1sarge3
> > > Severity: grave
> > > Tags: security
> > > 
> > > http://www.securityfocus.com/bid/15968
> > 
> > Why "grave" and "security"? AFAIK, this is not the case where a
> > malicious user gives you a .zip archive and your system gets
> > compromised if you try to unzip it.
> 
> Actually it appears this is exactly the case.  
> 
> http://www.securityfocus.com/bid/15968/discuss:
> "This issue allows attackers to execute arbitrary machine code in the
> context of users utilizing the affected application."

No, it's not that case.

This one is about an insanely long command line. Normally, you can't
run unzip with an arbitrary command line unless you already have local
user access.

