CVE-2005-0988
CVSS 3.7
Published: 2005-05-02 00:00:00
Last revised: 2011-03-07 21:20:55

[Original] Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.


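[CNNVD] Multiple security vulnerabilities in Apple Mac OS X (CNNVD-200505-423)

        Apple Mac OS X is the operating system used on Apple's family of machines.
        The latest Mac OS X update fixes multiple vulnerabilities, as follows:
        CVE-2006-1472
        A vulnerability in AFP Server allows search results to include files and folders that the user performing the search has no permission to access. If the file names themselves are sensitive information, this can lead to information disclosure; if permissions allow, an attacker can also access the file contents.
        CVE-2006-1473
        An authenticated user can trigger an integer overflow in AFP Server, resulting in denial of service or arbitrary code execution with system privileges. AFP Server is not enabled by default in Mac OS X.
        CVE-2006-3495
        On Mac OS X Server, AFP Server supports reconnecting file-sharing sessions after a network disconnection. The reconnect keys are stored world-readable, so an authenticated local user can read such a key, impersonate another user on AFP, and access files or folders with the privileges of the impersonated user.
        CVE-2006-3496
        An attacker can trigger a denial of service in AFP Server with a specially crafted invalid AFP request.
        CVE-2006-3497
        Bom's handling of compression state can lead to heap corruption. An attacker can create a specially crafted Zip archive and trick a user into opening it to trigger this vulnerability, causing an application crash or arbitrary code execution.
        CVE-2006-3498
        bootpd's request handling contains a stack overflow. A remote attacker can trigger it with a specially crafted BOOTP request, resulting in arbitrary code execution with system privileges. bootpd is not enabled by default on Mac OS X and must be configured manually.
        CVE-2006-3499
        A malicious local user can specify dynamic linker options that cause output on standard error. This output contains sensitive or user-specified content, so privileged applications that parse or reuse standard error may be adversely affected.
        CVE-2006-3500
        The dynamic linker is not handled correctly when searching for libraries to load into privileged applications, which can result in dangerous paths being included. A malicious local user can thereby cause the dynamic linker to be loaded and execute arbitrary code with elevated privileges.
        CVE-2006-0392
        An attacker can trigger an overflow with a specially crafted Canon RAW image, causing an application crash or arbitrary code execution.
        CVE-2006-3501
        An attacker can trigger an integer overflow with a specially crafted Radiance image, causing an application crash or arbitrary code execution.
        CVE-2006-3502
        An attacker can trigger a memory allocation failure with a specially crafted GIF image, causing an application crash or arbitrary code execution.
        CVE-2006-3503
        An attacker can trigger an integer overflow with a specially crafted GIF image, causing an application crash or arbitrary code execution.
        CVE-2006-3504
        Download validation may incorrectly identify certain files containing HTML as "safe". If such a file is downloaded in Safari and Safari's "Open safe files after downloading" option is enabled, the HTML document is opened automatically from a local URI, allowing JavaScript embedded in the document to bypass access restrictions.
        CVE-2006-0393
        Attempting to log in to OpenSSH Server with a nonexistent account causes the authentication process to hang. An attacker can use this behaviour to detect whether a particular account exists, and a large number of attempts can also cause a denial of service.
        CVE-2006-3505
        A specially crafted HTML document can cause access to a previously deallocated object, causing an application crash or arbitrary code execution.
        In addition, this update also fixes multiple vulnerabilities in several third-party products.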
        

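- CVSS (base score)

CVSS score: 3.7 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]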

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.1 FreeBSD 5.1
cpe:/o:redhat:enterprise_linux:2.1::workstation_ia64
cpe:/o:freebsd:freebsd:4.6.2 FreeBSD 4.6.2
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:freebsd:freebsd:5.0 FreeBSD 5.0
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:turbolinux:turbolinux_appliance_server:1.0_workgroup
cpe:/o:turbolinux:turbolinux_home
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:5.4:release
cpe:/o:redhat:enterprise_linux:2.1::advanced_server_ia64
cpe:/o:trustix:secure_linux:2.0 Trustix Secure Linux 2.0
cpe:/o:trustix:secure_linux:2.1 Trustix Secure Linux 2.1
cpe:/o:turbolinux:turbolinux_workstation:8.0
cpe:/o:freebsd:freebsd:5.2 FreeBSD 5.2
cpe:/o:freebsd:freebsd:5.4:releng
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.5 FreeBSD 4.5
cpe:/o:freebsd:freebsd:4.9 FreeBSD 4.9
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:turbolinux:turbolinux_appliance_server:1.0_hosting
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:trustix:secure_linux:2.2 Trustix Secure Linux 2.2
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:redhat:enterprise_linux:4.0::workstation
cpe:/o:freebsd:freebsd:4.6 FreeBSD 4.6
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:redhat:enterprise_linux:2.1::workstation
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.8 FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.10 FreeBSD 4.10
cpe:/o:ubuntu:ubuntu_linux:5.04::i386
cpe:/o:freebsd:freebsd:4.3 FreeBSD 4.3
cpe:/o:redhat:enterprise_linux_desktop:3.0 Red Hat Desktop 3.0
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:turbolinux:turbolinux_server:10.0
cpe:/o:freebsd:freebsd:4.11:release_p3
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:4.11:releng
cpe:/o:redhat:enterprise_linux_desktop:4.0 Red Hat Desktop 4.0
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:freebsd:freebsd:4.7 FreeBSD 4.7
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/a:gnu:gzip:1.2.4a GNU Gzip 1.2.4a
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.2 FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:redhat:linux_advanced_workstation:2.1::ia64
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.3 FreeBSD 5.3
cpe:/a:gnu:gzip:1.3.3 GNU Gzip 1.3.3
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server_ia64
cpe:/o:turbolinux:turbolinux_desktop:10.0
cpe:/o:freebsd:freebsd:4.10:release_p8
cpe:/o:redhat:enterprise_linux:4.0::enterprise_server
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/o:ubuntu:ubuntu_linux:5.04::powerpc
cpe:/o:turbolinux:turbolinux_server:8.0
cpe:/o:freebsd:freebsd:4.0 FreeBSD 4.0
cpe:/o:redhat:enterprise_linux:4.0::advanced_server
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:turbolinux:turbolinux_server:7.0
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:turbolinux:turbolinux_workstation:7.0
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:gentoo:linux Gentoo Linux
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:4.4 FreeBSD 4.4
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.1 FreeBSD 4.1
cpe:/o:ubuntu:ubuntu_linux:5.04::amd64
cpe:/o:freebsd:freebsd:4.1.1 FreeBSD 4.1.1
cpe:/a:gnu:gzip:1.2.4 GNU Gzip 1.2.4
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:4.0:alpha

- OVAL (technical details for detection)

oval:org.mitre.oval:def:765 GNU GZip CHMod File Permission Modification Race Condition Weakness
oval:org.mitre.oval:def:1169 gzip Hard Link Attack
oval:org.mitre.oval:def:10242 Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary f...
*OVAL describes in detail how to detect this vulnerability; more technical details on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0988
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-423
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-214A.html
(UNKNOWN)  CERT  TA06-214A
http://www.securityfocus.com/bid/12996
(PATCH)  BID  12996
http://www.vupen.com/english/advisories/2006/3101
(UNKNOWN)  VUPEN  ADV-2006-3101
http://www.securityfocus.com/bid/19289
(UNKNOWN)  BID  19289
http://www.securityfocus.com/archive/1/394965
(VENDOR_ADVISORY)  BUGTRAQ  20050404 gzip TOCTOU file-permissions vulnerability
http://www.osvdb.org/15487
(UNKNOWN)  OSVDB  15487
http://www.debian.org/security/2005/dsa-752
(UNKNOWN)  DEBIAN  DSA-752
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101816-1
(UNKNOWN)  SUNALERT  101816
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
(UNKNOWN)  SLACKWARE  SSA:2006-262
http://secunia.com/advisories/22033
(UNKNOWN)  SECUNIA  22033
http://secunia.com/advisories/21253
(UNKNOWN)  SECUNIA  21253
http://secunia.com/advisories/18100
(UNKNOWN)  SECUNIA  18100
http://rhn.redhat.com/errata/RHSA-2005-357.html
(UNKNOWN)  REDHAT  RHSA-2005:357
http://lists.apple.com/archives/security-announce/2006//Aug/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2006-08-01
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.58/SCOSA-2005.58.txt
(UNKNOWN)  SCO  SCOSA-2005.58

- Vulnerability information

Multiple security vulnerabilities in Apple Mac OS X
Low severity  Race condition
2005-05-02 00:00:00 2007-05-11 00:00:00
Local

- Advisories and patches

        Vendors have released upgrade patches to fix this security issue. Patch download links:
        Sun Solaris 8
        Sun 112668-03
        http://sunsolve.sun.com/patches
        Sun Solaris 10
        Sun 120719-01
        http://sunsolve.sun.com/patches
        GNU gzip 1.3.2
        Debian gzip_1.3.2-3woody5_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_alpha.deb
        Debian gzip_1.3.2-3woody5_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_arm.deb
        Debian gzip_1.3.2-3woody5_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_hppa.deb
        Debian gzip_1.3.2-3woody5_i386.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_i386.deb
        Debian gzip_1.3.2-3woody5_ia64.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_ia64.deb
        Debian gzip_1.3.2-3woody5_m68k.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_m68k.deb
        Debian gzip_1.3.2-3woody5_mips.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_mips.deb
        Debian gzip_1.3.2-3woody5_mipsel.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_mipsel.deb
        Debian gzip_1.3.2-3woody5_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_powerpc.deb
        Debian gzip_1.3.2-3woody5_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_s390.deb
        Debian gzip_1.3.2-3woody5_sparc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_sparc.deb
        GNU gzip 1.3.5
        Conectiva gzip-1.3.5-49375U10_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/10/RPMS/gzip-1.3.5-49375U10_1cl.i386.rpm
        Conectiva gzip-i18n-pt_BR-1.3.5-49375U10_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/10/RPMS/gzip-i18n-pt_BR-1.3.5-49375U10_1cl.i386.rpm
        Ubuntu gzip_1.3.5-9ubuntu3.1_amd64.deb
        Ubuntu 4.10 (Warty Warthog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1_amd64.deb
        Ubuntu gzip_1.3.5-9ubuntu3.1_i386.deb
        Ubuntu 4.10 (Warty Warthog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1_i386.deb
        Ubuntu gzip_1.3.5-9ubuntu3.1_powerpc.deb
        Ubuntu 4.10 (Warty Warthog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1_powerpc.deb
        Ubuntu gzip_1.3.5-9ubuntu3.2_amd64.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.2_amd64.deb
        Ubuntu gzip_1.3.5-9ubuntu3.2_i386.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.2_i386.deb
        Ubuntu gzip_1.3.5-9ubuntu3.2_powerpc.deb
        Ubuntu 5.04 (Hoary Hedgehog)
        http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.2_powerpc.deb
        Apple Mac OS X Server 10.3.9
        Apple SecUpdSrvr2006-004Pan.dmg
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg
        FreeBSD FreeBSD 4.11 -RELEASE-p3
        FreeBSD gzip.patch
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch
        FreeBSD FreeBSD 5.3
        FreeBSD gzip.patch
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch
        SCO Open Server 6.0
        SCO VOL.000.000 for SCOSA-2005.59
        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.59

- Vulnerability information (F38412)

Gentoo Linux Security Advisory 200505-5 (PacketStormID:F38412)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-0758,CVE-2005-0988,CVE-2005-1228

Gentoo Linux Security Advisory GLSA 200505-05 - The gzip and gunzip programs are vulnerable to a race condition when setting file permissions (CVE-2005-0988), as well as improper handling of filename restoration (CVE-2005-1228). The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CVE-2005-0758). Versions less than 1.3.5-r6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gzip: Multiple vulnerabilities
      Date: May 09, 2005
      Bugs: #89946, #90626
        ID: 200505-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gzip contains multiple vulnerabilities potentially allowing an attacker
to execute arbitrary commands.

Background
==========

gzip (GNU zip) is a popular compression program. The included zgrep
utility allows you to grep gzipped files in place.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  app-arch/gzip     < 1.3.5-r6                          >= 1.3.5-r6

Description
===========

The gzip and gunzip programs are vulnerable to a race condition when
setting file permissions (CAN-2005-0988), as well as improper handling
of filename restoration (CAN-2005-1228). The zgrep utility improperly
sanitizes arguments, which may come from an untrusted source
(CAN-2005-0758).

Impact
======

These vulnerabilities could allow arbitrary command execution, changing
the permissions of arbitrary files, and installation of files to an
arbitrary location in the filesystem.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gzip users should upgrade to the latest stable version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6"

References
==========

  [ 1 ] CAN-2005-0758
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
  [ 2 ] CAN-2005-0988
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
  [ 3 ] CAN-2005-1228
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information

15487
gzip Race Condition Arbitrary File Permission Modification
Local Access Required Race Condition
Loss of Integrity Upgrade
Exploit Unknown Uncoordinated Disclosure

- Vulnerability description

gzip contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker has write access to a directory in which a targeted user is using gzip to decompress a file, and will gain the ability to modify the permissions on any file owned by the targeted user. This flaw may lead to a loss of integrity.

- Timeline

2005-04-04 Unknown
Unknown Unknown

- Solution

It has been reported that this issue has been fixed. Upgrade to version 1.3.5, or higher, to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

GNU GZip CHMod File Permission Modification Race Condition Weakness
Race Condition Error 12996
No Yes
2005-04-05 12:00:00 2006-08-02 08:46:00
Discovery of this vulnerability is credited to Imran Ghory <imranghory@gmail.com>.

- Affected program versions

Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10
SGI ProPack 3.0
SGI Advanced Linux Environment 3.0
SCO Unixware 7.1.4
SCO Open Server 6.0
SCO Open Server 5.0.7
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
GNU gzip 1.3.5
+ Conectiva Linux 10.0
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
GNU gzip 1.3.3
GNU gzip 1.3.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
GNU gzip 1.2.4a
GNU gzip 1.2.4
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ Slackware Linux 8.0
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
Gentoo Linux
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
F5 BigIP 4.6.3
F5 BigIP 4.6.2
F5 BigIP 4.6
F5 BigIP 4.5.12
F5 BigIP 4.5.11
F5 BigIP 4.5.10
F5 BigIP 4.5.9
F5 BigIP 4.5.6
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BigIP 4.0
F5 3-DNS 4.6.3
F5 3-DNS 4.6.2
F5 3-DNS 4.6
F5 3-DNS 4.5.12
F5 3-DNS 4.5.11
F5 3-DNS 4.5
F5 3-DNS 4.4
F5 3-DNS 4.3
F5 3-DNS 4.2
Cosmicperl Directory Pro 10.0.3
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Network Messaging
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya Intuity LX
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CVLAN
Avaya Converged Communications Server 2.0
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
F5 BigIP 4.7
F5 BigIP 4.5.13
F5 3-DNS 4.7
F5 3-DNS 4.5.13

- Unaffected program versions

F5 BigIP 4.7
F5 BigIP 4.5.13
F5 3-DNS 4.7
F5 3-DNS 4.5.13

- Vulnerability discussion

The gzip utility is reported prone to a security weakness; the issue occurs only when an archive is extracted into a world- or group-writeable directory. Reportedly, gzip employs non-atomic procedures to write a file and later change the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of target files.

This weakness is reported to affect gzip 1.2.4, 1.3.3, and previous versions.
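
The non-atomic write-then-chmod sequence described above, as an added C example (not gzip's source and not taken from any referenced advisory). It contrasts restoring permissions by path with restoring them through the open descriptor; all function names, file names and the temporary directory are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern described in the advisory: permissions are applied by NAME after
 * the data has been written. chmod() resolves the path again, so it acts on
 * whatever inode that name refers to at that moment. */
static int restore_mode_by_path(const char *out_path, mode_t mode)
{
    return chmod(out_path, mode);
}

/* Hardened form: apply permissions through the descriptor used for writing.
 * fchmod() acts on the inode that was opened, whatever has happened to the
 * directory entry since. */
static int restore_mode_by_fd(int out_fd, mode_t mode)
{
    return fchmod(out_fd, mode);
}

/* Permission bits of a path, or (mode_t)-1 on error. */
static mode_t mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Constructed scenario in a private temporary directory. An unrelated file
 * starts at 0600. The output file is written, then its name is re-pointed at
 * the unrelated file by a hard link before permissions are restored, which is
 * the window the advisory describes. Returns the unrelated file's mode
 * afterwards, or (mode_t)-1 on error. */
static mode_t unrelated_mode_after_restore(int use_fd)
{
    char dir[] = "/tmp/gz-toctou-XXXXXX";
    char out[64], other[64];
    mode_t result = (mode_t)-1;
    int fd = -1, ofd = -1, rc;

    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(out, sizeof out, "%s/archive", dir);
    snprintf(other, sizeof other, "%s/unrelated", dir);

    ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    /* O_EXCL refuses a pre-existing name; 0600 keeps the output private
     * while it is still being written. */
    fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0 || fd < 0 || fchmod(ofd, 0600) != 0 ||
        write(fd, "data\n", 5) != 5)
        goto done;

    /* The directory entry changes between the write and the restore. */
    if (unlink(out) != 0 || link(other, out) != 0)
        goto done;

    rc = use_fd ? restore_mode_by_fd(fd, 0644)
                : restore_mode_by_path(out, 0644);
    if (rc == 0)
        result = mode_of(other);

done:
    if (fd >= 0) close(fd);
    if (ofd >= 0) close(ofd);
    unlink(out);
    unlink(other);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("restore by path: unrelated file mode %04o\n",
           (unsigned)unrelated_mode_after_restore(0));
    printf("restore by fd  : unrelated file mode %04o\n",
           (unsigned)unrelated_mode_after_restore(1));
    return 0;
}
```

With the path-based restore the unrelated file ends up with the new mode; with the descriptor-based restore it keeps its original 0600.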

- Exploit

No exploit is required.

- Solution

Please see the referenced advisories for more information.


Sun Solaris 8_sparc

Sun Solaris 10

GNU gzip 1.3.2

GNU gzip 1.3.5

Apple Mac OS X Server 10.3.9

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 5.3

SCO Open Server 6.0

- Related references
