• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow Vulnerability

Solution:
Slackware has released an advisory (SSA:2005-121-01) and fixes to address this issue. Please see the referenced advisory for more information.

Ubuntu has released an advisory (USN-18-1) to address this issue. Please see the referenced advisory for more information.

RedHat Fedora has released advisory FEDORA-2004-399 along with fixes for this issue in their Fedora Core 2 packages. Please see the referenced advisory for more information.

RedHat Fedora has released advisory FEDORA-2004-400 along with fixes for this issue in their Fedora Core 3 packages. Please see the referenced advisory for more information.

Gentoo Linux has released advisory (GLSA 200411-16) dealing with this issue. Gentoo advises that all zip users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/zip-2.3-r4"

For more information please see the referenced Gentoo advisory.

Mandrake has released advisory MDKSA-2004:141 to address this issue. Please see the referenced advisory for further information on obtaining and applying fixes.

SUSE has released an advisory (SUSE-SR:2004:003) that address this and various other issues. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:634-08 to address this issue in Red Hat Enterprise Linux. Please see the advisory in Web references for more information.

Debian has released an advisory DSA 624-1 to address this issue. Please see the referenced advisory for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

Avaya has released advisory ASA-2005-019 to document the affected versions of Avaya products. Please see the referenced advisory for further information.

Turbolinux has released advisory Turbolinux Security Announcement 31/Jan/2005 to address various issues. Please see the referenced advisory for more information.

Fedora has released an advisory (Fedora Legacy Update Advisory FLSA:2255) to address this issue in Red Hat Linux 7.3 - i386, Red Hat Linux 9 - i386, and Fedora Core 1 - i386. Please see the referenced advisory for more information.


Slackware Linux -current

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/in fozip-5.52-i486-1.tgz

Slackware Linux 10.0

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ infozip-5.52-i486-1.tgz

Slackware Linux 10.1

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/ infozip-5.52-i486-1.tgz

Info-ZIP Zip 2.3

• Debian zip_2.30-5woody2_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_al pha.deb


• Debian zip_2.30-5woody2_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_ar m.deb


• Debian zip_2.30-5woody2_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_hp pa.deb


• Debian zip_2.30-5woody2_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_i3 86.deb


• Debian zip_2.30-5woody2_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_ia 64.deb


• Debian zip_2.30-5woody2_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_m6 8k.deb


• Debian zip_2.30-5woody2_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_mi ps.deb


• Debian zip_2.30-5woody2_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_mi psel.deb


• Debian zip_2.30-5woody2_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_po werpc.deb


• Debian zip_2.30-5woody2_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_s3 90.deb


• Debian zip_2.30-5woody2_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/z/zip/zip_2.30-5woody2_sp arc.deb


• Fedora zip-2.3-26.2.i386.rpm
  RedHat Fedora Core 2
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


• Fedora zip-2.3-26.2.x86_64.rpm
  RedHat Fedora Core 2
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


• Fedora zip-2.3-26.3.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora zip-2.3-26.3.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora zip-debuginfo-2.3-26.2.i386.rpm
  RedHat Fedora Core 2
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


• Fedora zip-debuginfo-2.3-26.2.x86_64.rpm
  RedHat Fedora Core 2
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


• Fedora zip-debuginfo-2.3-26.3.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora zip-debuginfo-2.3-26.3.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Mandrake zip-2.3-11.1.100mdk.amd64.rpm
  Mandrake Linux 10.0/AMD64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-11.1.100mdk.i586.rpm
  Mandrake Linux 10.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-11.1.101mdk.i586.rpm
  Mandrake Linux 10.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-11.1.101mdk.x86_64.rpm
  Mandrake Linux 10.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-11.1.92mdk.amd64.rpm
  Mandrake Linux 9.2/AMD64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-11.1.92mdk.i586.rpm
  Mandrake Linux 9.2
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-9.1.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake zip-2.3-9.1.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• RedHat zip-2.3-26.1.0.7.3.legacy.i386.rpm
  http://download.fedoralegacy.org/redhat/7.3/updates/i386/zip-2.3-26.1. 0.7.3.legacy.i386.rpm


• RedHat zip-2.3-26.1.0.9.legacy.i386.rpm
  http://download.fedoralegacy.org/redhat/9/updates/i386/zip-2.3-26.1.0. 9.legacy.i386.rpm


• RedHat zip-2.3-26.1.1.legacy.i386.rpm
  http://download.fedoralegacy.org/fedora/1/updates/i386/zip-2.3-26.1.1. legacy.i386.rpm


• SuSE zip-2.3-732.4.i586.patch.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/zip-2.3-732.4.i58 6.patch.rpm


• SuSE zip-2.3-732.4.x86_64.patch.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/zip-2.3-732.4 .x86_64.patch.rpm


• SuSE zip-2.3-734.2.x86_64.patch.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/zip-2.3-734.2 .x86_64.patch.rpm


• SuSE zip-2.3-739.i586.patch.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/zip-2.3-739.i586. patch.rpm


• SuSE zip-2.3-739.i586.patch.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/zip-2.3-739.i586. patch.rpm


• SuSE zip-2.3-739.i586.patch.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/zip-2.3-739.i586. patch.rpm


• SuSE zip-2.3-739.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/zip-2.3-739.i586. rpm


• SuSE zip-2.3-739.x86_64.patch.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/zip-2.3-739.x 86_64.patch.rpm


• SuSE zip-2.3-732.4.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/zip-2.3-732.4.i58 6.rpm


• SuSE zip-2.3-732.4.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/zip-2.3-732.4 .x86_64.rpm


• SuSE zip-2.3-734.2.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/zip-2.3-734.2 .x86_64.rpm


• SuSE zip-2.3-739.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/zip-2.3-739.i586. rpm


• SuSE zip-2.3-739.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/zip-2.3-739.i586. rpm


• SuSE zip-2.3-739.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/zip-2.3-739.x 86_64.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/zip-2.3-5.i586.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/up dates/RPMS/zip-2.3-5.i586.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/upd ates/RPMS/zip-2.3-5.i586.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/upd ates/RPMS/zip-2.3-5.i586.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/ 7/updates/RPMS/zip-2.3-5.i586.rpm


• TurboLinux zip-2.3-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/ 8/updates/RPMS/zip-2.3-5.i586.rpm


• Ubuntu zip_2.30-6ubuntu0.1_amd64.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/z/zip/zip_2.30-6ubuntu0.1_ amd64.deb


• Ubuntu zip_2.30-6ubuntu0.1_i386.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/z/zip/zip_2.30-6ubuntu0.1_ i386.deb


• Ubuntu zip_2.30-6ubuntu0.1_powerpc.deb
  Ubuntu 4.10 (Warty Warthog)
  http://security.ubuntu.com/ubuntu/pool/main/z/zip/zip_2.30-6ubuntu0.1_ powerpc.deb

SGI ProPack 3.0

• SGI patch10131.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/3/patch101 31.tar.gz

Slackware Linux 8.1

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/i nfozip-5.52-i486-1.tgz

Slackware Linux 9.0

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/i nfozip-5.52-i486-1.tgz

Slackware Linux 9.1

• Slackware infozip-5.52-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/i nfozip-5.52-i486-1.tgz