Note: This is an archival copy of Security Sun Alert 200844 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000637.1.
Article ID : 1000637.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-01-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in unzip(1L) May Set Unintended Permissions on Extracted Files

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6344676

Date of Workaround Release
14-NOV-2007

Date of Resolved Release
02-JAN-2008

Impact

A security vulnerability in the unzip(1L) command may set unintended permissions on extracted files. This may allow a local unprivileged user to execute arbitrary code with the privileges of another user who runs the unzip command to extract files from a specially crafted unzip archive.

This issue is also referenced in the following document:

CVE-2005-0602 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0602


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 108987-19
  • Solaris 9 without patch 112951-14
  • Solaris 10 without patch 119254-46

x86 Platform

  • Solaris 8 without patch 108988-19
  • Solaris 9 without patch 114194-11
  • Solaris 10 without patch 119255-46

Note: This issue affects versions of the unzip(1L) command prior to 5.52. The following command can be used to determine the version of unzip that is installed on a system:

    $ unzip -v
    UnZip 5.32 of 3 November 1997, by Info-ZIP.  Maintained by Greg Roelofs.
    Send bug reports to the authors at Zip-Bugs@lists.wku.edu; see README
    for details.
    [...]

Symptoms

This issue is exploited by creating archives which contain executable files with a set-id bit set (see chmod(2)). As a result, files that are extracted from an archive that has been specially crafted to exploit this issue will have this bit set when extracted on filesystems which allow this. The ls(1) command can be used to display the permissions of a newly extracted file, as in the following example:

    $ ls -l test
    -r-sr-xr-x   1 testu staff      10280 Nov  9 17:56 test

The 's' in the user permissions section of the above output indicates this file has the "set-user-id" bit set.


Workaround

It is recommended that archives from untrusted sources not be extracted using the unzip(1L) command until patches can be applied. The unzip(1L) command can be disabled entirely by removing executable permissions from the file, for example by using the chmod(1) command as follows (as the user "root"):

    # chmod a-x /usr/bin/unzip

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 108987-19 or later
  • Solaris 9 with patch 112951-14 or later
  • Solaris 10 with patch 119254-46 or later

x86 Platform

  • Solaris 8 with patch 108988-19 or later
  • Solaris 9 with patch 114194-11 or later
  • Solaris 10 with patch 119255-46 or later


Modification History
Date: 28-NOV-2007
  • Updated Contributing Factors and Resolution sections

Date: 03-DEC-2007
  • Updated Contributing Factors and Resolution sections

Date: 02-JAN-2008
  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

112951-14
114194-11
108987-19
108988-19
119254-46
119255-46




Attachments
This solution has no attachment