USN-248-1: unzip vulnerability
Posted on: 02/15/2006 11:12 AM

A new unzip vulnerability update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-248-1 February 13, 2006
unzip vulnerability
CVE-2005-4667
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

unzip

The problem can be corrected by upgrading the affected package to
version 5.51-2ubuntu0.3 (for Ubuntu 4.10), 5.51-2ubuntu1.3 (for Ubuntu
5.04), or 5.52-3ubuntu2.1 (for Ubuntu 5.10). In general, a standard
system upgrade is sufficient to effect the necessary changes.

Details follow:

A buffer overflow was discovered in the handling of file name
arguments. By tricking a user or automated system into processing a
specially crafted, excessively long file name with unzip, an attacker
could exploit this to execute arbitrary code with the user's
privileges.


Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu0.3.diff.gz
Size/MD5: 6433 bd8da93f936f5ac234e5327c59bf8758
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu0.3.dsc
Size/MD5: 534 db487b07f655377436bc72be8431351a
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51.orig.tar.gz
Size/MD5: 1112594 8a25712aac642430d87d21491f7c6bd1

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu0.3_amd64.deb
Size/MD5: 148742 3af9fe5de336b8a59b19d2eadb892888

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu0.3_i386.deb
Size/MD5: 135516 c334934daf9a7e49f064ef17e884f106

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu0.3_powerpc.deb
Size/MD5: 149480 d5d41b65e3da33976e137bd22a85e2e5

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu1.3.diff.gz
Size/MD5: 7253 443470aef5d23f7290151222116fa81d
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu1.3.dsc
Size/MD5: 534 2618e86f3a4d42382c0add1ae2f978f5
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51.orig.tar.gz
Size/MD5: 1112594 8a25712aac642430d87d21491f7c6bd1

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu1.3_amd64.deb
Size/MD5: 148844 b30b12cd03aa4cedcc0ab83d387e2466

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu1.3_i386.deb
Size/MD5: 136232 72feb619b0290ba9056cf24f9b467ec0

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.51-2ubuntu1.3_powerpc.deb
Size/MD5: 150924 3985b6ad992bd5a4dfd9aef941d83d8b

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-3ubuntu2.1.diff.gz
Size/MD5: 9670 76fa4142b93fd08f8fa4861533846d90
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-3ubuntu2.1.dsc
Size/MD5: 534 4afc9cba0b40ff5fcb5eef8442ac7da2
http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52.orig.tar.gz
Size/MD5: 1140291 9d23919999d6eac9217d1f41472034a9

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-3ubuntu2.1_amd64.deb
Size/MD5: 160486 6619e42ad67d9e53a50a93cb33073829

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-3ubuntu2.1_i386.deb
Size/MD5: 147208 58a818487eb9b617a3e8f278246528b7

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_5.52-3ubuntu2.1_powerpc.deb
Size/MD5: 161976 d71ed8a8078bbf56bd87d16564fc5197




Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_248_1_unzip_vulnerability.html)