Security Advisory - RHSA-2003:199-05
------------------------------------------------------------------------------
Summary: Updated unzip packages fix trojan vulnerability
Updated unzip packages resolving a vulnerability allowing arbitrary files to be overwritten are now available.
Description: The unzip utility is used for manipulating archives, which are multiple files stored inside of a single file.
A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0282 to this issue.
This erratum includes a patch ensuring that non-printable characters do not make it possible for a malicious .zip file to write to parent directories unless the "-:" command line parameter is specified.
Users of unzip are advised to upgrade to these updated packages, which are not vulnerable to this issue.
References: http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175
------------------------------------------------------------------------------
_______________________________________________
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help
