|
|
| Problem Description |
Several vulnerabilities have been discovered in the gzip package:
Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which
allows local users to execute arbitrary commands via filenames that are
injected into a sed script. (CAN-2005-0758)
A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a
gzip file allows local users to modify permissions of arbitrary files
via a hard link attack on a file while it is being decompressed, whose
permissions are changed by gzip after the decompression is complete.
(CAN-2005-0988)
A directory traversal vulnerability via "gunzip -N" in gzip 1.2.4
through 1.3.5 allows remote attackers to write to arbitrary directories
via a .. (dot dot) in the original filename within a compressed file.
(CAN-2005-1228)
Updated packages are patched to address these issues.
| Updated Packages |
Mandrakelinux 10.0
747eb53b876e9dd0544d58d8cafd436d 10.0/RPMS/gzip-1.2.4a-13.2.100mdk.i586.rpm 6b8b1c839de2659bdbf3ef7b2d084c49 10.0/SRPMS/gzip-1.2.4a-13.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64
55b145f3a6211d3214e4ac84a9f3d2db amd64/10.0/RPMS/gzip-1.2.4a-13.2.100mdk.amd64.rpm 6b8b1c839de2659bdbf3ef7b2d084c49 amd64/10.0/SRPMS/gzip-1.2.4a-13.2.100mdk.src.rpm
Mandrakelinux 10.1
f52a97a5a011807be418d9813e8be8a7 10.1/RPMS/gzip-1.2.4a-13.2.101mdk.i586.rpm 50b48751f7f56fafc86ae58c39473b19 10.1/SRPMS/gzip-1.2.4a-13.2.101mdk.src.rpm
Mandrakelinux 10.1/X86_64
6f68527ab34b108cd142f7612f01624b x86_64/10.1/RPMS/gzip-1.2.4a-13.2.101mdk.x86_64.rpm 50b48751f7f56fafc86ae58c39473b19 x86_64/10.1/SRPMS/gzip-1.2.4a-13.2.101mdk.src.rpm
Corporate Server 2.1
531d8990f2c080218daaafd80fa324d4 corporate/2.1/RPMS/gzip-1.2.4a-11.4.C21mdk.i586.rpm 255e4af1676fa7db7ebb6f9997bee3ef corporate/2.1/SRPMS/gzip-1.2.4a-11.4.C21mdk.src.rpm
Corporate Server 2.1/X86_64
7094630fcd81e61eb6402d25b4afa2dd x86_64/corporate/2.1/RPMS/gzip-1.2.4a-11.4.C21mdk.x86_64.rpm 255e4af1676fa7db7ebb6f9997bee3ef x86_64/corporate/2.1/SRPMS/gzip-1.2.4a-11.4.C21mdk.src.rpm
Corporate Server 3.0
4d73819ec9c73150407ab0a6739e797b corporate/3.0/RPMS/gzip-1.2.4a-13.2.C30mdk.i586.rpm 2d3852158ecc68f805ce3e63d3e0c563 corporate/3.0/SRPMS/gzip-1.2.4a-13.2.C30mdk.src.rpm
Corporate Server 3.0/X86_64
502e80bad0a21a86c06f85836c9e9579 x86_64/corporate/3.0/RPMS/gzip-1.2.4a-13.2.C30mdk.x86_64.rpm 2d3852158ecc68f805ce3e63d3e0c563 x86_64/corporate/3.0/SRPMS/gzip-1.2.4a-13.2.C30mdk.src.rpm
Mandriva Linux LE2005
2e4b095f517150b0c3fd8f06e8b02b54 10.2/RPMS/gzip-1.2.4a-14.1.102mdk.i586.rpm d9a2c5788a582dc194e4726b68708e75 10.2/SRPMS/gzip-1.2.4a-14.1.102mdk.src.rpm
Mandriva Linux LE2005/X86_64
819a41d23efc8ad2c26cd9786178a52c x86_64/10.2/RPMS/gzip-1.2.4a-14.1.102mdk.x86_64.rpm d9a2c5788a582dc194e4726b68708e75 x86_64/10.2/SRPMS/gzip-1.2.4a-14.1.102mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.