mike_m
Posted: Sat Mar 05, 2005 2:24 am Post subject: 9k Update 2005-02-01: Updated zip
———————————————————————
Fedora Legacy Update Advisory
Synopsis: Updated zip package fixes security issue
Advisory ID: FLSA:2255
Issue date: 2005-02-01
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2255
CVE Names: CAN-2004-1010
———————————————————————
1. Topic:
An updated zip package that fixes a buffer overflow vulnerability is now
available.
The zip program is an archiving utility which can create ZIP-compatible
archives.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
3. Problem description:
A buffer overflow bug has been discovered in zip when handling long file
names. An attacker could create a specially crafted path which could
cause zip to crash or execute arbitrary instructions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-1010 to this issue.
Users of zip should upgrade to this updated package, which contains
backported patches and is not vulnerable to this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture using apt, run:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
http://bugzilla.fedora.us - bug #2255 - zip long path buffer overflow
6. RPMs required:
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/zip-2.3-26.1.0.9.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/zip-2.3-26.1.0.9.legacy.i386.rpm
7. Verification:
SHA1 sum Package Name
———————————————————————
95966b2b9fdac8f17c74226c3c033b24dd6c9226 redhat/9/updates/i386/zip-2.3-26.1.0.9.legacy.i386.rpm
92b76aadb2e46b57dd9b71927dada7b1c1154dae redhat/9/updates/SRPMS/zip-2.3-26.1.0.9.legacy.src.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum
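As an added example (not part of the advisory or of Fedora Legacy's own tooling), a small Python check that parses the SHA1 table from section 7 and compares it against files in a download directory; it assumes the downloaded RPMs keep the basenames listed in the advisory. This confirms only that a download is intact; authenticity still rests on the GPG signature check with rpm --checksig.

```python
import hashlib
import os
import re

# Copy of the verification table from section 7 of FLSA:2255 (values as printed in the advisory).
ADVISORY_SUMS = """\
95966b2b9fdac8f17c74226c3c033b24dd6c9226 redhat/9/updates/i386/zip-2.3-26.1.0.9.legacy.i386.rpm
92b76aadb2e46b57dd9b71927dada7b1c1154dae redhat/9/updates/SRPMS/zip-2.3-26.1.0.9.legacy.src.rpm
"""

# One table row: 40 hex digits, whitespace, package path.
SUM_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")


def parse_sums(text):
    """Return {package path: expected sha1} from an advisory verification table."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def sha1_of_file(path):
    """SHA1 hex digest of a file, read in chunks so large RPMs do not sit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(sums, download_dir):
    """Compare each listed package (matched by basename in download_dir) with its
    advisory SHA1. Returns {package path: 'ok' | 'MISMATCH' | 'missing'}."""
    results = {}
    for pkg, expected in sums.items():
        local = os.path.join(download_dir, os.path.basename(pkg))
        if not os.path.isfile(local):
            results[pkg] = "missing"
        elif sha1_of_file(local) == expected:
            results[pkg] = "ok"
        else:
            results[pkg] = "MISMATCH"
    return results


if __name__ == "__main__":
    for pkg, status in verify_downloads(parse_sums(ADVISORY_SUMS), ".").items():
        print(status, pkg)
```

A MISMATCH means the file should be discarded and re-downloaded rather than installed.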
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010
http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html