[EXPL] gzip Directory Traversal Vulnerability ("gunzip -N")

Subject: [EXPL] gzip Directory Traversal Vulnerability ("gunzip -N")
Date: 11 May 2005 15:22:52 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  gzip Directory Traversal Vulnerability ("gunzip -N")
------------------------------------------------------------------------


SUMMARY

"gzip, gunzip, zcat - compress or expand files" - "Gzip reduces the size 
of the named files using Lempel-Ziv coding (LZ77). Whenever possible, each 
file is replaced by one with the extension .gz, while keeping the same 
ownership modes, access and modification times. (The default extension is 
-gz for VMS, z for MSDOS, OS/2 FAT, Windows NT FAT and Atari.) If no files 
are specified, or if a file name is "-", the standard input is compressed 
to the standard output. Gzip will only attempt to compress regular files. 
In particular, it will ignore symbolic links."

A directory traversal vulnerability exists in gzip. It allows attackers to 
create arbitrary files with arbitrary contents on a system, if they can 
get a user or a program with sufficient rights to decompress a malicious 
gz file from the attackers with "gunzip -N".

DETAILS

Vulnerable Systems:
 * gzip version 1.2.4, 1.2.4a, 1.3.3, 1.3.4 and 1.3.5 (previous unix 
versions suspected).

A directory traversal bug exists in multiple versions of gzip. When 
compressing a file, gzip saves its original name but not its path inside 
the compressed file. When using gunzip's "-N" option, the original name 
found inside the compressed file will be used as the name to save the 
decompressed file with. "gunzip -N" doesn't check if the original name 
inside the compressed file has any "/" characters in it. This makes it 
possible to create a malicious compressed file that when decompressed with 
"gunzip -N" will create a file at an arbitrary location in the file 
system, such as "/etc/nologin" or "/etc/cron.d/evil".

The command "gunzip -N" prints no output during normal operation, so the 
user will not get any warning. The command "gunzip -Nv" prints information 
about what file it is creating where, but then it may be too late. The 
gunzip command always asks before overwriting existing files, so this bug 
only allows for creating new files and not overwriting old ones.
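
Because "gunzip -N" gives no warning, the stored name can be inspected before decompressing. The following is an added example, not code from the advisory or from the gzip project: it reads the original-name (FNAME) field of a gzip header as laid out in RFC 1952 and reports whether it contains a "/". The function names and the sample headers are constructed for illustration.

```python
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952


def stored_name(data: bytes):
    """Return the original file name stored in a gzip header, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip (deflate) member")
    flg, pos = data[3], 10  # 10 fixed bytes: magic, CM, FLG, MTIME, XFL, OS
    if flg & FEXTRA:  # optional extra field: 2-byte little-endian length + payload
        if pos + 2 > len(data):
            raise ValueError("truncated FEXTRA field")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flg & FNAME:
        return None
    end = data.find(b"\x00", pos)  # FNAME is a zero-terminated Latin-1 string
    if end < 0:
        raise ValueError("unterminated FNAME field")
    return data[pos:end].decode("latin-1")


def audit(data: bytes):
    """Return (safe, output_name): safe is False if the stored name has a path."""
    name = stored_name(data)
    if name is None:
        return True, None
    base = name.rsplit("/", 1)[-1]  # keep only the final path component
    if base in ("", ".", ".."):
        return False, None  # nothing usable left; caller should not pass -N
    return base == name, base


def make_header(name: bytes, extra: bytes = b"") -> bytes:
    """Build a constructed gzip header (no compressed data) for the demo."""
    flg = FNAME | (FEXTRA if extra else 0)
    head = b"\x1f\x8b\x08" + bytes([flg]) + b"\x00" * 4 + b"\x00\x03"
    if extra:
        head += struct.pack("<H", len(extra)) + extra
    return head + name + b"\x00"


if __name__ == "__main__":
    for sample in (b"report.txt", b"nested/dir/report.txt", b"/tmp/report.txt"):
        print(sample, audit(make_header(sample)))
```

A file for which `audit` returns `safe == False` should be decompressed without "-N", or written under the returned base name only.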

The compressed file "dir-traversal-bug.gz"
<http://bugs.debian.org/cgi-bin/bugreport.cgi/dir-traversal-bug.gz?bug=305255&msg=3&att=1>
will create a file in "/tmp" when decompressed with "gunzip -N".

Patch Availability:
Please read the original article before downloading these patches:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255>
 * gzip.dirtraversal.patch
   <http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal.patch?bug=305255&msg=3&att=2>
 * gzip.dirtraversal_better.patch
   <http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal_better.patch?bug=305255&msg=12&att=1>


ADDITIONAL INFORMATION

The information has been provided by Ulf Härnhammar <mailto:metaur@telia.com>.
The original article can be found at:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255>


