Info-ZIP UnZip Encoded Character Hostile Destination Path Vulnerability

Info-ZIP UnZip Encoded Character Hostile Destination Path Vulnerability

Solution:
Debian have reported that fixes released in the original Debian advisory (DSA 344-1) may not have sufficiently addressed this issue. A revised advisory (DSA 344-2) has been released. Please see the referenced advisory for further details regarding obtaining and applying fixes.

Mandrake has released an updated advisory MDKSA-2003:073-1 with updated fixes to address this issue. See the attached advisory for further details. Users are advised to upgrade as soon as possible.

Conectiva has released a security advisory (CLA-2003:724) containing fixes to address this issue. Users are advised to upgrade as soon as possible.

Immunix has released a security advisory (IMNX-2003-7+-017-01) containing fixes to address this issue. Users are advised to upgrade as soon as possible.

RedHat fixes for this issue have been made available. See the attached advisory for further details.

Conectiva has released a security advisory (CLA-2003:672) containing fixes to address this issue. Users are advised to upgrade as soon as possible.

Mandrake has released advisory MDKSA-2003:073 with fixes to address this issue.

OpenPKG has released advisory OpenPKG-SA-2003.033 to address this issue.

Gentoo has released advisory 200307-02 to address this issue. Vulnerable users are advised to execute the following commands to update affected systems:

emerge sync
emerge unzip
emerge clean

Yellow Dog has released an advisory (YDU-20030710-1) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Turbolinux has released an advisory (TLSA-2003-42.txt) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Sun has released a fix for Sun Linux 5.0.6.

Sun has also released updated packages for Sun Cobalt Qube3, RaQ4, and RaQXTR.

SCO has released an advisory (CSSA-2003-031.0) for OpenLinux that addresses this issue.

SCO OpenLinux Workstation 3.1.1

SCO unzip-5.40-6MR.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-03 1.0/RPMS/unzip-5.40-6MR.i386.rpm

SCO OpenLinux Server 3.1.1

SCO unzip-5.40-6MR.i386.rpm
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-031.0/R PMS/unzip-5.40-6MR.i386.rpm

Info-ZIP UnZip 5.50

Conectiva unzip-5.50-13860U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/unzip-5.50-13860U90_1cl.i38 6.rpm

Conectiva unzip-5.50-194.i586.rpm
ftp://ul.conectiva.com.br/updates/1.0/RPMS.core/unzip-5.50-194.i586.rp m

Conectiva unzip-5.50-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/unzip-5.50-1U70_2cl.i386. rpm

Conectiva unzip-5.50-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/unzip-5.50-1U80_2cl.i386.rp m

Debian unzip_5.50-1woody1_alpha.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_alpha.deb

Debian unzip_5.50-1woody1_arm.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_arm.deb

Debian unzip_5.50-1woody1_hppa.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_hppa.deb

Debian unzip_5.50-1woody1_i386.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_i386.deb

Debian unzip_5.50-1woody1_ia64.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_ia64.deb

Debian unzip_5.50-1woody1_m68k.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_m68k.deb

Debian unzip_5.50-1woody1_mips.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_mips.deb

Debian unzip_5.50-1woody1_mipsel.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_mipsel.deb

Debian unzip_5.50-1woody1_powerpc.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_powerpc.deb

Debian unzip_5.50-1woody1_s390.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_s390.deb

Debian unzip_5.50-1woody1_sparc.deb
Debian GNU/Linux 3.0 alias woody.
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 1_sparc.deb

Debian unzip_5.50-1woody2_alpha.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_alpha.deb

Debian unzip_5.50-1woody2_arm.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_arm.deb

Debian unzip_5.50-1woody2_hppa.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_hppa.deb

Debian unzip_5.50-1woody2_i386.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_i386.deb

Debian unzip_5.50-1woody2_ia64.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_ia64.deb

Debian unzip_5.50-1woody2_m68k.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_m68k.deb

Debian unzip_5.50-1woody2_mips.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_mips.deb

Debian unzip_5.50-1woody2_mipsel.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_mipsel.deb

Debian unzip_5.50-1woody2_powerpc.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_powerpc.deb

Debian unzip_5.50-1woody2_s390.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_s390.deb

Debian unzip_5.50-1woody2_sparc.deb
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody 2_sparc.deb

Immunix unzip-5.50-11_imnx_1.i386.rpm
ImmunixOS 7+
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/unzip-5.50-11_im nx_1.i386.rpm

Mandrake unzip-5.50-4.1mdk.i586.rpm
Corporate 2.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.i586.rpm
Mandrake Linux 8.2
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.i586.rpm
Mandrake Linux 9.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.i586.rpm
Mandrake Linux 9.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.i586.rpm
Multi Network Firewall 8.2
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.ppc.rpm
Mandrake Linux 8.2/PPC
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.ppc.rpm
Mandrake Linux 9.1/PPC
http://www.mandrakesecure.net/en/ftp.php

Mandrake unzip-5.50-4.1mdk.x86_64.rpm
Corporate Server 2.1/x86_64
http://www.mandrakesecure.net/en/ftp.php

OpenPKG infozip-1.1.0-1.1.1.src.rpm
ftp://ftp.openpkg.org/release/1.1/UPD/infozip-1.1.0-1.1.1.src.rpm

OpenPKG infozip-1.2.0-1.2.1.src.rpm
ftp://ftp.openpkg.org/release/1.2/UPD/infozip-1.2.0-1.2.1.src.rpm

OpenPKG infozip-20030710-20030710.src.rpm
ftp://ftp.openpkg.org/current/SRC/infozip-20030710-20030710.src.rpm

Slackware infozip-5.50-i386-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/i nfozip-5.50-i386-2.tgz

Slackware infozip-5.50-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/in fozip-5.50-i486-2.tgz

Sun Qube3-All-Security-4.0.1-16561.pkg
http://sunsolve.sun.com/pub-cgi/show.pl?target=cobalt/qube3.eng&nav=pa tchpage

Sun RaQ4-All-Security-2.0.1-16561.pkg
http://sunsolve.sun.com/pub-cgi/show.pl?target=cobalt/raq4.eng&nav=pat chpage

Sun RaQXTR-All-Security-1.0.1-16561.pkg
http://sunsolve.sun.com/pub-cgi/show.pl?target=cobalt/raqxtr.eng&nav=p atchpage

TurboLinux unzip-5.50-4.i386.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/AdvancedServ er/6/ja/updates/unzip-5.50-4.i386.rpm

TurboLinux unzip-5.50-4.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/upd ates/RPMS/unzip-5.50-4.i586.rpm