|
Note: This is an archival copy of Security Sun Alert 201243 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000928.1. |
Category Security Release Phase Resolved 16170 Date of Workaround Release 10-OCT-2002 Date of Resolved Release 04-FEB-2003 Impact A local unprivileged user may be able to gain unauthorized root access and/or overwrite any file on the system if a privileged user extracts a tar or zip archive which contains a ".." (dot dot) in the filename. For more information see:
Contributing Factors This issue can occur in the following releases: Sun Linux
Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server. Sun Cobalt
Symptoms There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a system. Workaround Verify zip or tar archives using the options as follows: tar -tvf <tarfile>.tar Or for compressed files: tar -tvzf <tarfile>.tar.<gz|zip|Z|z> Or for zip files: unzip -l <zipfile>.zip If multiple "../" entries are not present, the archive is safe. Resolution This issue is addressed in the following releases: Sun Linux
The above patches are available at: http://sunsolve.sun.com/patches/linux/security.html Sun Cobalt
The above patches are available at http://sunsolve.sun.com/patches/cobalt/. Modification History Date: 04-FEB-2003
Product Sun Linux 5.0 Attachments This solution has no attachment | |||||||||||||||
|
|