Yellow Dog Linux Security Announcement
--------------------------------------

Package:      tar/unzip
Issue Date:   October 20, 2002
Priority:     high
Advisory ID:  YDU-20021020-10

1. Topic:

Updated tar and unzip packages are available.

2. Problem:

"The unzip and tar utilities contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction.

The unzip and tar utilities are used for manipulating archives, which are multiple files stored inside of a single file.

A directory traversal vulnerability in unzip version 5.42 and earlier, as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite arbitrary files during archive extraction via a ".." (dot dot) in an extracted filename. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2001-1267 and CAN-2001-1268 to this issue.

In addition, unzip version 5.42 and earlier also allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the "/" (slash) character. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1269 to this issue.

During testing of the fix to GNU tar, it was discovered that GNU tar 1.13.25 was still vulnerable to a modified version of the same problem. Red Hat has provided a patch to tar 1.3.25 to correct this problem. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0399 to this issue."

(from Red Hat advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system:

    apt-get update
    apt-get install tar unzip

b) Updating manually...

Download the updates below and then run the following rpm command. (Please use a mirror site.)

    rpm -Fvh [filenames]

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

    ppc/tar-2.3.9-0.73.3a.ppc.rpm
    ppc/unzip-5.50-2.ppc.rpm

4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------
218b1aa59c80092225f9d14eaf75676e  ppc/tar-2.3.9-0.73.3a.ppc.rpm
779b7bf8aa001663666675c56a432287  ppc/unzip-5.50-2.ppc.rpm
1de42ffa96d6bdf268da5fc0fdb7c848  SRPMS/tar-2.3.9-0.73.3a.src.rpm
558884cd9555d9d1be0ee906593f20ea  SRPMS/unzip-5.50-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
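The two member-name patterns the advisory describes (a ".." component and a leading "/") are the same ones a defender can screen for before handing an untrusted archive to any extractor. The following is an added example, not code from this advisory, from Red Hat, or from the tar/unzip projects: it uses only the Python standard library, builds small tar and zip archives in memory with constructed member names, and lists the members that would escape the extraction directory. The function and variable names are the example's own.

```python
import io
import tarfile
import zipfile


def is_unsafe_member(name):
    """True if an archive member name could land outside the extraction
    directory: a leading '/', a '..' path component, or a drive letter.
    Backslashes are treated as separators so Windows-style names are caught."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):                      # absolute path (CAN-2001-1269 style)
        return True
    if len(normalized) > 1 and normalized[1] == ":":    # e.g. C:/Windows/...
        return True
    return ".." in normalized.split("/")                # traversal component


def unsafe_tar_members(data):
    """Names of members in a tar archive (given as bytes) that fail the check."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if is_unsafe_member(m.name)]


def unsafe_zip_members(data):
    """Names of members in a zip archive (given as bytes) that fail the check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member(i.filename)]


# Constructed sample member names: two benign entries plus one of each kind
# the advisory describes ('..' traversal and an absolute path).
SAMPLE_NAMES = ["docs/README", "bin/tool", "../../etc/passwd", "/etc/cron.d/evil"]


def build_sample_tar(names=SAMPLE_NAMES):
    """Build an in-memory tar archive containing the given member names.
    TarInfo/addfile is used because it stores names verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_zip(names=SAMPLE_NAMES):
    """Build an in-memory zip archive containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("tar members to reject:", unsafe_tar_members(build_sample_tar()))
    print("zip members to reject:", unsafe_zip_members(build_sample_zip()))
```

The check is deliberately conservative: any ".." component is rejected even when the path would normalise back inside the target, because the extractor, not the checker, decides how such a name is resolved. Run the screen against the archive listing and refuse the whole archive if anything is flagged, rather than skipping individual members.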