9k Update 2005-02-01: Updated zip

Posted: Sat Mar 05, 2005 2:24 am    Post subject: 9k Update 2005-02-01: Updated zip

Fedora Legacy Update Advisory

Synopsis: Updated zip package fixes security issue
Advisory ID: FLSA:2255
Issue date: 2005-02-01
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2255
CVE Names: CAN-2004-1010

1. Topic:

An updated zip package that fixes a buffer overflow vulnerability is now

The zip program is an archiving utility which can create ZIP-compatible

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A buffer overflow bug has been discovered in zip when handling long file
names. An attacker could create a specially crafted path which could
cause zip to crash or execute arbitrary instructions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-1010 to this issue.

Users of zip should upgrade to this updated package, which contains
backported patches and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #2255 - zip long path buffer overflow

6. RPMs required:

Red Hat Linux 9:



7. Verification:

SHA1 sum Package Name

95966b2b9fdac8f17c74226c3c033b24dd6c9226 redhat/9/updates/i386/zip-2.3-
92b76aadb2e46b57dd9b71927dada7b1c1154dae redhat/9/updates/SRPMS/zip-2.3-

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
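The following script is an added example of the checksum step described above; it is not Fedora Legacy tooling and the advisory itself does not ship it. It reads a list in the advisory's "SHA1 sum  Package Name" layout, looks up each package by its file name in a download directory, and reports OK, MISMATCH or MISSING per package. The package names, payloads and digests below are constructed for the demo and are not the real zip-2.3 packages or the checksums printed in the advisory. Assumes a POSIX shell with `sha1sum` (or `shasum`), `awk`, `mktemp` and `tr`.

```shell
#!/bin/sh
# Added example: check downloaded packages against an advisory-style
# "<sha1> <relative/path>" list. Not part of the Fedora Legacy advisory.

# sha1_of FILE -> prints the hex SHA-1 digest of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_advisory_list LISTFILE DOWNLOAD_DIR
# Each non-empty, non-comment line of LISTFILE is "<sha1> <path>" as in
# section 7 of the advisory. The package is expected in DOWNLOAD_DIR under
# its basename. Prints one status line per entry and returns 0 only when
# every listed package is present and its digest matches.
verify_advisory_list() {
    list="$1"; dir="$2"; bad=0
    while read -r expected relpath; do
        [ -n "$expected" ] || continue
        case "$expected" in \#*) continue;; esac
        file="$dir/$(basename "$relpath")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; bad=$((bad+1)); continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (got $actual)"; bad=$((bad+1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# --- Constructed demo data: placeholder names and payloads, not real RPMs ---
DEMO_DIR=$(mktemp -d)
printf 'constructed binary package payload\n' > "$DEMO_DIR/zip-2.3-PLACEHOLDER.i386.rpm"
printf 'constructed source package payload\n'  > "$DEMO_DIR/zip-2.3-PLACEHOLDER.src.rpm"
BIN_SHA=$(sha1_of "$DEMO_DIR/zip-2.3-PLACEHOLDER.i386.rpm")
SRC_SHA=$(sha1_of "$DEMO_DIR/zip-2.3-PLACEHOLDER.src.rpm")

# List whose digests match the downloaded files
printf '%s redhat/9/updates/i386/zip-2.3-PLACEHOLDER.i386.rpm\n%s redhat/9/updates/SRPMS/zip-2.3-PLACEHOLDER.src.rpm\n' \
    "$BIN_SHA" "$SRC_SHA" > "$DEMO_DIR/good.list"

# List where the binary digest was altered (every hex digit shifted) and the
# listed SRPM was never downloaded: exercises MISMATCH and MISSING.
ALTERED_SHA=$(printf '%s' "$BIN_SHA" | tr '0-9a-f' 'f0-9a-e')
printf '%s redhat/9/updates/i386/zip-2.3-PLACEHOLDER.i386.rpm\n%s redhat/9/updates/SRPMS/not-downloaded.src.rpm\n' \
    "$ALTERED_SHA" "$SRC_SHA" > "$DEMO_DIR/bad.list"

echo "== good.list =="
verify_advisory_list "$DEMO_DIR/good.list" "$DEMO_DIR"
echo "== bad.list =="
verify_advisory_list "$DEMO_DIR/bad.list" "$DEMO_DIR" || echo "bad.list: verification FAILED (expected in this demo)"
```

Point the function at the advisory's own checksum list and your download directory to use it for real. The digest check only shows that the file is byte-identical to what the advisory lists; it says nothing about who produced it, so it complements the `rpm --checksig -v` signature check rather than replacing it.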


8. References:

