__________________________________________________________

                  The U.S. Department of Energy
              Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

                        Updated ZIP Packages
                  [Red Hat Advisory: RHSA-2004:634-08]

December 17, 2004 19:00 GMT                                    Number P-072
[REVISED 05 Jan 2005]
[REVISED 18 Jan 2005]
______________________________________________________________________________

PROBLEM:       The ZIP program is an archiving utility which can create
               ZIP-compatible archives. A buffer overflow issue has been
               found in ZIP when handling long file names.

PLATFORM:      Red Hat Enterprise Linux AS, ES, and WS (all v.3)
               Red Hat Enterprise Linux AS, ES, and WS (all v.2.1)
               Red Hat Desktop (v.3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Debian GNU/Linux 3.0 (woody)
               SGI ProPack 3 Service Pack 3 for SGI Altix family of systems

DAMAGE:        An attacker could execute arbitrary code or cause ZIP to
               crash.

SOLUTION:      Upgrade to Red Hat's latest packages.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. By creating a specially crafted path, an
ASSESSMENT:    attacker could possibly execute arbitrary code with the
               permissions of the targeted user or cause the ZIP program
               to crash.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-072.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-634.html
 ADDITIONAL LINKS:   Debian Security Advisory DSA 624-1
                     http://www.debian.org/security/2005/dsa-624
                     SGI Security Advisory Number 20050101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/
                     20050101-01-U.asc
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-1010
______________________________________________________________________________

REVISION HISTORY:
 01/05/2005 - added link to updated packages available in Debian Security
              Advisory DSA 624-1.
 01/18/2005 - added link to updated packages available in SGI Security
              Advisory Number 20050101-01-U for SGI ProPack 3 Service Pack 3
              for SGI Altix family of systems.

[***** Start Red Hat Advisory: RHSA-2004:634-08 *****]

Updated zip package fixes security issue

Advisory: RHSA-2004:634-08
Last updated on: 2004-12-16

Affected Products:
 Red Hat Desktop (v. 3)
 Red Hat Enterprise Linux AS (v. 2.1)
 Red Hat Enterprise Linux AS (v. 3)
 Red Hat Enterprise Linux ES (v. 2.1)
 Red Hat Enterprise Linux ES (v. 3)
 Red Hat Enterprise Linux WS (v. 2.1)
 Red Hat Enterprise Linux WS (v. 3)
 Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org): CAN-2004-1010

Security Advisory Details:

An updated zip package that fixes a buffer overflow vulnerability is now
available.

The zip program is an archiving utility which can create ZIP-compatible
archives.

A buffer overflow bug has been discovered in zip when handling long file
names. An attacker could create a specially crafted path which could cause
zip to crash or execute arbitrary instructions. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1010 to
this issue.

Users of zip should upgrade to this updated package, which contains
backported patches and is not vulnerable to this issue.
Updated packages:

Red Hat Desktop (v. 3)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-16.1.src.rpm      aa360ac25cf50772fd010cf2d1d91db7
IA-32:
 zip-2.3-16.1.i386.rpm     41fec60bfbbca5266e4bbff55f42031a
x86_64:
 zip-2.3-16.1.x86_64.rpm   1ed34c119e86a0c739c1c5bb706ffb69

Red Hat Enterprise Linux AS (v. 2.1)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-10.1.src.rpm      b062c345c3d6c56ed1c042145643c8c8
IA-32:
 zip-2.3-10.1.i386.rpm     a06a150a5652173a8309cca26cc3c70f
IA-64:
 zip-2.3-10.1.ia64.rpm     6cab305bdaca789e53e760184050fab9

Red Hat Enterprise Linux AS (v. 3)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-16.1.src.rpm      aa360ac25cf50772fd010cf2d1d91db7
IA-32:
 zip-2.3-16.1.i386.rpm     41fec60bfbbca5266e4bbff55f42031a
IA-64:
 zip-2.3-16.1.ia64.rpm     0b8464b40ec9d081dd36ab9d699a4c1c
PPC:
 zip-2.3-16.1.ppc.rpm      787ad3673b90f4fcb0d47c815ca984f6
s390:
 zip-2.3-16.1.s390.rpm     97c709a606b3cec173833833b24c704b
s390x:
 zip-2.3-16.1.s390x.rpm    4d1f10e6b1e4247cb037eb42c8fcc796
x86_64:
 zip-2.3-16.1.x86_64.rpm   1ed34c119e86a0c739c1c5bb706ffb69

Red Hat Enterprise Linux ES (v. 2.1)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-10.1.src.rpm      b062c345c3d6c56ed1c042145643c8c8
IA-32:
 zip-2.3-10.1.i386.rpm     a06a150a5652173a8309cca26cc3c70f

Red Hat Enterprise Linux ES (v. 3)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-16.1.src.rpm      aa360ac25cf50772fd010cf2d1d91db7
IA-32:
 zip-2.3-16.1.i386.rpm     41fec60bfbbca5266e4bbff55f42031a
IA-64:
 zip-2.3-16.1.ia64.rpm     0b8464b40ec9d081dd36ab9d699a4c1c
x86_64:
 zip-2.3-16.1.x86_64.rpm   1ed34c119e86a0c739c1c5bb706ffb69

Red Hat Enterprise Linux WS (v. 2.1)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-10.1.src.rpm      b062c345c3d6c56ed1c042145643c8c8
IA-32:
 zip-2.3-10.1.i386.rpm     a06a150a5652173a8309cca26cc3c70f

Red Hat Enterprise Linux WS (v. 3)
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-16.1.src.rpm      aa360ac25cf50772fd010cf2d1d91db7
IA-32:
 zip-2.3-16.1.i386.rpm     41fec60bfbbca5266e4bbff55f42031a
IA-64:
 zip-2.3-16.1.ia64.rpm     0b8464b40ec9d081dd36ab9d699a4c1c
x86_64:
 zip-2.3-16.1.x86_64.rpm   1ed34c119e86a0c739c1c5bb706ffb69

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
-----------------------------------------------------------------------------
SRPMS:
 zip-2.3-10.1.src.rpm      b062c345c3d6c56ed1c042145643c8c8
IA-64:
 zip-2.3-10.1.ia64.rpm     6cab305bdaca789e53e760184050fab9

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

 up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

 http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

 138228 - CAN-2004-1010 buffer overflow when creating archive containing
          very long filenames.

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010
 http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security.
Our key is available at:

 http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

 rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

 md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[***** End Red Hat Advisory: RHSA-2004:634-08 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents.
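As an added example (not part of the CIAC bulletin or of Red Hat's tooling), the following POSIX shell script automates the md5sum check described above: for every RPM in a directory it looks the file name up in the advisory's package list, compares the computed MD5 with the listed value, and reports OK, MISMATCH or UNKNOWN (name not in the list). The file names and hashes are copied from the package list in this bulletin; the script name, the directory argument and the openssl fallback are assumptions. An MD5 match only shows the file is the one listed in this advisory; establishing that the package came from Red Hat is the job of the GPG check with rpm --checksig, which this script does not replace.

```shell
#!/bin/sh
# verify_rhsa_2004_634.sh (constructed example)
# Checks downloaded RPMs against the MD5 sums published in RHSA-2004:634-08.

# Package list and MD5 sums copied from the advisory text above.
RHSA_2004_634_MD5S='
zip-2.3-16.1.src.rpm aa360ac25cf50772fd010cf2d1d91db7
zip-2.3-16.1.i386.rpm 41fec60bfbbca5266e4bbff55f42031a
zip-2.3-16.1.x86_64.rpm 1ed34c119e86a0c739c1c5bb706ffb69
zip-2.3-16.1.ia64.rpm 0b8464b40ec9d081dd36ab9d699a4c1c
zip-2.3-16.1.ppc.rpm 787ad3673b90f4fcb0d47c815ca984f6
zip-2.3-16.1.s390.rpm 97c709a606b3cec173833833b24c704b
zip-2.3-16.1.s390x.rpm 4d1f10e6b1e4247cb037eb42c8fcc796
zip-2.3-10.1.src.rpm b062c345c3d6c56ed1c042145643c8c8
zip-2.3-10.1.i386.rpm a06a150a5652173a8309cca26cc3c70f
zip-2.3-10.1.ia64.rpm 6cab305bdaca789e53e760184050fab9
'

# expected_md5 NAME MANIFEST
# Prints the MD5 listed for NAME in MANIFEST ("name hash" per line);
# returns 1 when NAME is not listed.
expected_md5() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { print $2; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# file_md5 PATH
# Uses md5sum where present (as the advisory does); openssl is an assumed fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# verify_package PATH MANIFEST
# Prints OK, MISMATCH or UNKNOWN; exit status is 0 only for OK.
verify_package() {
    name=$(basename "$1")
    expected=$(expected_md5 "$name" "$2") || { echo UNKNOWN; return 2; }
    actual=$(file_md5 "$1")
    if [ "$actual" = "$expected" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# verify_dir DIR MANIFEST
# One result line per *.rpm in DIR; returns 1 if any package is not OK.
verify_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        status=$(verify_package "$f" "$2") || rc=1
        printf '%-28s %s\n' "$(basename "$f")" "$status"
    done
    return $rc
}

# Usage: sh verify_rhsa_2004_634.sh /path/to/downloaded/rpms
if [ "$#" -eq 1 ]; then
    verify_dir "$1" "$RHSA_2004_634_MD5S"
fi
```

The manifest is passed as a parameter rather than hard-wired so the same functions can be reused with the hash list from a later advisory; a file that is not in the list is reported as UNKNOWN rather than silently skipped, since a stray package in the update directory is exactly what this check exists to catch.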
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-062: Updated ncompress Package Fix Security Issue and Bug
P-063: Adobe Reader Security Vulnerabilities
P-064: Adobe Reader 5.0.9 for UNIX "mailListIsPdf" function Vulnerability
P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector
P-066: Veritas Backup Exec Buffer Overflow Vulnerability
P-067: PHP Multiple Vulnerabilities
P-068: Sun Webmail Vulnerability
P-069: Sun - Multiple Mozilla Vulnerabilities
P-070: Updated Samba Packages
P-071: Updated "gd" Packages