Package name unzip
Date October 26th, 2005
Advisory ID MDKSA-2005:197
Affected versions 10.1, CS2.1, CS3.0, MNF2.0, 10.2, 2006.0

Problem Description

Unzip 5.51 and earlier does not properly warn the user when
extracting setuid or setgid files, which may allow local users
to gain privileges. (CAN-2005-0602)

Imran Ghory found a race condition in the handling of output files.
While a file was unpacked by unzip, a local attacker with write
permissions to the target directory could exploit this to change the
permissions of arbitrary files of the unzip user. This affects
versions of unzip 5.52 and lower. (CAN-2005-2475)

The updated packages have been patched to address these issues.
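The two problems above are a policy gap (setuid/setgid bits recreated from the archive without a warning) and a time-of-check/time-of-use race (permissions applied to a path that another local user can swap out). The following is an added example, not code from the advisory or from the unzip project, showing how a defensive extractor handles both: it lists entries whose stored Unix mode carries setuid or setgid, strips those bits unless explicitly allowed, creates each output file with O_EXCL|O_NOFOLLOW, and applies the mode with fchmod() on the descriptor it holds rather than chmod() on a path. The archive it runs on is constructed inline; the function names are this example's own.

```python
import io
import os
import stat
import tempfile
import zipfile

SUID_SGID = stat.S_ISUID | stat.S_ISGID


def unix_mode(info):
    """Unix permission bits, stored by zip tools in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o7777


def find_privileged_entries(zf):
    """Names of entries whose stored mode carries setuid or setgid (the CAN-2005-0602 case)."""
    return [i.filename for i in zf.infolist() if unix_mode(i) & SUID_SGID]


def safe_extract(zf, dest, allow_privileged=False):
    """Extract file entries into dest and return {entry name: final mode}.

    - setuid/setgid bits are stripped unless allow_privileged is True;
    - each target is created with O_EXCL|O_NOFOLLOW, so a pre-planted file or
      symlink makes the open fail instead of being written through;
    - the mode is applied with fchmod() on the descriptor we own, never with
      chmod() on a path (the CAN-2005-2475 race).
    """
    dest_real = os.path.realpath(dest)
    result = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Reject entries that would land outside the destination directory.
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError("entry escapes destination: %r" % info.filename)
        mode = unix_mode(info) or 0o644
        if not allow_privileged:
            mode &= ~SUID_SGID
        os.makedirs(os.path.dirname(target), exist_ok=True)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        with os.fdopen(fd, "wb") as dst, zf.open(info) as src:
            dst.write(src.read())
            dst.flush()
            os.fchmod(dst.fileno(), mode)  # same inode we just wrote, no path lookup
            result[info.filename] = stat.S_IMODE(os.fstat(dst.fileno()).st_mode)
    return result


def build_sample_archive():
    """Constructed sample archive: one plain file and one entry stored as mode 04755 (setuid)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        plain = zipfile.ZipInfo("README")
        plain.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(plain, b"harmless text\n")
        suid = zipfile.ZipInfo("bin/tool")
        suid.external_attr = (stat.S_IFREG | 0o4755) << 16
        zf.writestr(suid, b"#!/bin/sh\necho hi\n")
    buf.seek(0)
    return buf


def demo():
    """Run the setuid check and the hardened extraction on the constructed archive."""
    with zipfile.ZipFile(build_sample_archive()) as zf:
        flagged = find_privileged_entries(zf)
        with tempfile.TemporaryDirectory() as d:
            modes = safe_extract(zf, d)
    return flagged, modes


if __name__ == "__main__":
    flagged, modes = demo()
    print("entries with setuid/setgid:", flagged)
    for name, mode in modes.items():
        print("%-10s extracted with mode %o" % (name, mode))
```

On the constructed archive, `bin/tool` is reported as privileged and comes out as mode 0755; a caller that really needs the bits preserved must opt in with `allow_privileged=True`, which is the warning step the affected unzip versions lacked. The fchmod/fstat pair on the open descriptor is what removes the window the race condition relied on.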

Updated Packages

Mandrakelinux 10.1

 cb3280ad8d82e7f7108ed7a5336217ea  10.1/RPMS/unzip-5.51-1.2.101mdk.i586.rpm
 0ec9c5f7200a6bc97429408d49f26252  10.1/SRPMS/unzip-5.51-1.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 67cb90cf939bd25c74deba5e45d6dbb8  x86_64/10.1/RPMS/unzip-5.51-1.2.101mdk.x86_64.rpm
 0ec9c5f7200a6bc97429408d49f26252  x86_64/10.1/SRPMS/unzip-5.51-1.2.101mdk.src.rpm

Corporate Server 2.1

 7588a2f5d443685a928d3c3feb547aba  corporate/2.1/RPMS/unzip-5.50-4.4.C21mdk.i586.rpm
 7d3e7ef187a36a39b3427d0d38959189  corporate/2.1/SRPMS/unzip-5.50-4.4.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 79aa9befeb7ed8de2220afc3fb3d1886  x86_64/corporate/2.1/RPMS/unzip-5.50-4.4.C21mdk.x86_64.rpm
 7d3e7ef187a36a39b3427d0d38959189  x86_64/corporate/2.1/SRPMS/unzip-5.50-4.4.C21mdk.src.rpm

Corporate Server 3.0

 b17cff4c27c1a268fd3cd7cec5661c12  corporate/3.0/RPMS/unzip-5.50-9.2.C30mdk.i586.rpm
 1aedfd6f58ec41f16c72f3581744812e  corporate/3.0/SRPMS/unzip-5.50-9.2.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 0b6a7cbd46e1ae821ad90bfc9623d86b  x86_64/corporate/3.0/RPMS/unzip-5.50-9.2.C30mdk.x86_64.rpm
 1aedfd6f58ec41f16c72f3581744812e  x86_64/corporate/3.0/SRPMS/unzip-5.50-9.2.C30mdk.src.rpm

Multi Network Firewall 2.0

 09797c30705503bef945eac7ae58e6ba  mnf/2.0/RPMS/unzip-5.50-9.2.M20mdk.i586.rpm
 81f25b8506bab3e2d467a918247a24ea  mnf/2.0/SRPMS/unzip-5.50-9.2.M20mdk.src.rpm

Mandriva Linux LE2005

 2fbac32dc8e75c593af39fda3abb2b85  10.2/RPMS/unzip-5.51-1.2.102mdk.i586.rpm
 95661a9046eb3b823a631ad85d9e0805  10.2/SRPMS/unzip-5.51-1.2.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 099a8fe40622a82cabd9495cdf52377a  x86_64/10.2/RPMS/unzip-5.51-1.2.102mdk.x86_64.rpm
 95661a9046eb3b823a631ad85d9e0805  x86_64/10.2/SRPMS/unzip-5.51-1.2.102mdk.src.rpm

Mandriva Linux 2006

 36aa8d839b74be9bb71fffd19f55e20c  2006.0/RPMS/unzip-5.52-1.2.20060mdk.i586.rpm
 0dce17e0e7ff5040bf7d28802df8de7c  2006.0/SRPMS/unzip-5.52-1.2.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 10ac5d8076fa230106359170360a5f23  x86_64/2006.0/RPMS/unzip-5.52-1.2.20060mdk.x86_64.rpm
 0dce17e0e7ff5040bf7d28802df8de7c  x86_64/2006.0/SRPMS/unzip-5.52-1.2.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2475

Upgrade

To upgrade automatically, use MandrivaUpdate.
Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
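For a manual download, the md5 checksums listed above can be checked before the signature check. The following shell functions are an added example, not part of the advisory or of MandrivaUpdate: `verify_list` reads lines in the advisory's own "checksum  path" layout, looks each file up by basename in a local directory, and reports OK, MISMATCH or MISSING, returning non-zero if anything is wrong; the directory layout and the `rpm --checksig` follow-up are assumptions.

```sh
# Compare one file against an md5 hex digest taken from the advisory.
# Usage: verify_md5 <expected_md5> <file>
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Check every "<md5>  <mirror path>" line of a list (the advisory's format)
# against downloaded files in a local directory, matched by basename.
# Usage: verify_list <list-file> <download-dir>
verify_list() {
    list="$1"
    dir="$2"
    rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue            # skip blank lines
        f="$dir/$(basename "$path")"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1
        elif verify_md5 "$sum" "$f"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$list"
    return $rc
}

# Only after the checksums match, check the package signatures as the
# advisory instructs (rpm itself is not exercised here; path is an assumption).
check_signatures() {
    dir="$1"
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] && rpm --checksig "$f"
    done
}
```

The list file can be produced by pasting the relevant "Updated Packages" lines for your release into a text file; a MISMATCH means the download should be discarded, not installed.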