OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 10-Jul-2003 16:51:26
Branch: HEAD Handle: 2003071015512500
Modified files:
openpkg-web/security OpenPKG-SA-2003.033-infozip.txt
Log:
finish infozip SA
Summary:
Revision Changes Path
1.2 +20 -31 openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.033-infozip.txt
--- openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt 10 Jul 2003 09:54:17
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt 10 Jul 2003 14:51:25
-0000 1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
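Review bot: the "Hash: SHA1" armor header added at the top of the file is only meaningful if it came out of the same clearsign run that produced the signature block appended at the end of this revision; a clearsign signature is valid over the exact bytes between this header and the signature, so the header should be emitted by gpg over the finished advisory text rather than hand-inserted, and any later textual fix (even whitespace, as in the "Affected Releases" line below) requires re-signing the whole file.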
@@ -10,45 +13,27 @@
Vulnerability: overwrite arbitrary files
OpenPKG Specific: no
-Affected Releases: Affected Packages: Corrected Packages:
+Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= infozip-20030306-20030708 >= infozip-20030710-20030710
OpenPKG 1.2 <= infozip-1.2.0-1.2.0 >= infozip-1.2.0-1.2.1
OpenPKG 1.1 <= infozip-1.1.0-1.1.0 >= infozip-1.1.0-1.1.1
Dependent Packages: none
-Affected Releases: Dependent Packages:
-OpenPKG CURRENT bar quux
-OpenPKG 1.2 bar quux
-OpenPKG 1.1 bar
-
-FIXME candidates
- cvsweb PreReq:
- docbook BuildPreReq:
- heise PreReq: BuildPreReq:
- mozilla PreReq: BuildPreReq:
- pccts BuildPreReq:
- sam2p PreReq: BuildPreReq:
- sav BuildPreReq:
- saxon BuildPreReq:
- tetex BuildPreReq:
- tex4ht BuildPreReq:
-
Description:
- A directory traversal vulnerability in UnZip 5.50 allows attackers to
- overwrite arbitrary files via invalid characters between two . (dot)
- characters, which are filtered and result in a ".." sequence. The
- corrected packages include a patch taken from RedHat [1] ensuring that
- non-printable characters do not make it possible for a malicious .zip
- file to write to parent directories unless the "-:" command line
- parameter is specified. The Common Vulnerabilities and Exposures
- (CVE) project assigned the id CAN-2003-0282 [2] to the problem.
+ A directory traversal vulnerability in UnZip 5.50 allows attackers
+ to overwrite arbitrary files via invalid characters between two "."
+ (dot) characters, which are filtered and result in a ".." sequence.
+ The corrected packages include a patch taken from RedHat [1] ensuring
+ that non-printable characters do not make it possible for a malicious
+ .zip file to write to parent directories unless the "-:" command line
+ parameter is specified. The Common Vulnerabilities and Exposures (CVE)
+ project assigned the id CAN-2003-0282 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
infozip". If you have the "infozip" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
- (see Solution) and it's dependent packages (see above), if any, too.
- [3][4]
+ (see Solution) [3][4].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
@@ -68,9 +53,6 @@
$ <prefix>/bin/rpm --rebuild infozip-1.2.0-1.2.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/infozip-1.2.0-1.2.1.*.rpm
-
- Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________
References:
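Review bot: with the dependent-package rebuild paragraph removed, the visible Solution steps are "rpm --rebuild" of the source RPM as an unprivileged user followed by "rpm -Fvh" of the result as root, and none of the visible lines verifies the source RPM before it is built and installed (for example "<prefix>/bin/rpm --checksig infozip-1.2.0-1.2.1.src.rpm"). If the lines of the Solution section above this hunk already instruct the reader to check the package signature, ignore this; otherwise add the check before the rebuild step. Removing the paragraph is consistent with "Dependent Packages: none" in the earlier hunk, so that part is fine.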
@@ -92,3 +74,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE/DVYpgHWT4GPEy58RAisWAKCfTyhAL0ZEt7XAUArYbNLES/QQkwCghv5N
+AvflUCxv94iCNmCRHbk6L4g=
+=Ki6S
+-----END PGP SIGNATURE-----
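Review bot: the signature block is appended as the last hunk, which is the correct position, but the same commit also reflows the Description and changes whitespace on the "Affected Releases" header line, so the signature is only valid if gpg was run after those edits rather than on the earlier draft. Run "gpg --verify" on the checked-in file before publishing it under the web tree so a stale signature is caught now rather than by readers following the verification instructions referenced just above this hunk.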
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]