Yellow Dog Linux Security Announcement -------------------------------------- Package: unzip Issue Date: Jul 10,2003 Priority: medium Advisory ID: YDU-20030710-1 1. Topic: Updated unzip packages are available. 2. Problem: "The unzip utility is used for manipulating archives, which are multiple files stored inside of a single file. A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0282 to this issue. This erratum includes a patch ensuring that non-printable characters do not make it possible for a malicious .zip file to write to parent directories unless the "-:" command line parameter is specified. Users of unzip are advised to upgrade to these updated packages, which are not vulnerable to this issue." From Red Hat Advisory 3. Solution: a) Updating via yum... We suggest that you use the yum program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system: yum update unzip b) Updating manually... Download the updates below and then run the following rpm command. (Please use a mirror site) rpm -Fvh [filenames] ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/ ppc/unzip-5.50-14.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- b3e4dc58bd1d14b8ffbf74c5e2a74302 SRPMS/unzip-5.50-14.src.rpm 1ea9bec0cb3899236605de4fa7ae5ab4 ppc/unzip-5.50-14.ppc.rpm If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command: md5sum 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information. For information regarding the usage of yum, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml