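The gzip package in Red Hat Linux 5.0 and earlier contains a gzexe temporary file vulnerability. A local user can overwrite other users' files through a symlink attack on the temporary file.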
Debian has issued upgrades that will eliminate the vulnerability in Debian packages. See DSA-308-1 (in the reference section) for URLs.
SGI has released advisory 20040104-01-P to address this issue. Patch 5424 will be released for IRIX versions later than 6.5.17. Users should upgrade to one of these versions and then apply the patch when it is available. Further details can be found in the attached advisory.
GNU gzip 1.2.4
gzip contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when the gzexe script creates temporary files insecurely. The flaw may allow arbitrary files to be overwritten, resulting in a loss of integrity.
Currently, there are no known workarounds to correct this issue. However, SGI has released a patch to address this vulnerability.
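The insecure temporary-file pattern described above, shown next to a hardened form, as an added illustration. This is not gzexe's code; the function names, the `gztmp` prefix and the sandbox paths are assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration, not gzexe's code. Everything runs inside a private
# sandbox directory; all names and paths are constructed.

# Insecure pattern: predictable name built from the PID, opened with ">",
# which follows a symbolic link that already exists at that name.
write_predictable() {   # $1 = temp directory, $2 = data
    tmp="$1/gztmp$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so a pre-existing link at a guessed name is never opened.
# (Testing for a link with [ -L ] before writing is not a fix: the check
# and the open are separate steps and can be raced.)
write_mktemp() {        # $1 = temp directory, $2 = data; prints the path used
    tmp=$(mktemp "$1/gztmp.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Runs both patterns against a sandbox in which a link already sits at the
# predictable name, and reports the other file's content after each write.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    # Constructed stand-in for a link left by another local user in a
    # shared temporary directory.
    ln -s "$sandbox/victim" "$sandbox/gztmp$$"

    write_predictable "$sandbox" "scratch data"
    after_predictable=$(cat "$sandbox/victim")

    printf 'original\n' > "$sandbox/victim"
    write_mktemp "$sandbox" "scratch data" > /dev/null
    after_mktemp=$(cat "$sandbox/victim")

    rm -rf "$sandbox"
    printf '%s|%s\n' "$after_predictable" "$after_mktemp"
}

run_demo
```

The first field shows the other file replaced by the scratch data when the predictable name is used; the second shows it untouched when the file is created with `mktemp`.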