CVE-2005-0988
- Attack vector: LOCAL
- Attack complexity: HIGH
- Privileges required: NONE
- Confidentiality impact: PARTIAL
- Integrity impact: PARTIAL
- Availability impact: PARTIAL
Summary
Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
Nessus
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_63BD4BADDFFE11D9B8750001020EED82.NASL
- description: Problem Description Two problems related to extraction of files exist in gzip : The first problem is that gzip does not properly sanitize filenames containing
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18960
- published: 2005-07-13
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/18960
- title: FreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(18960);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:37");

  script_cve_id("CVE-2005-0988", "CVE-2005-1228");
  script_xref(name:"FreeBSD", value:"SA-05:11.gzip");

  script_name(english:"FreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Problem Description

Two problems related to extraction of files exist in gzip :

The first problem is that gzip does not properly sanitize filenames
containing '/' when uncompressing files using the -N command line
option.

The second problem is that gzip does not set permissions on newly
extracted files until after the file has been created and the file
descriptor has been closed.

Impact

The first problem can allow an attacker to overwrite arbitrary local
files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the
permissions of arbitrary local files, on the same partition as the one
the user is uncompressing a file on, by removing the file the user is
uncompressing and replacing it with a hardlink before the uncompress
operation is finished.

Workaround

Do not use the -N command line option on untrusted files and do not
uncompress files in directories where untrusted users have write
access."
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=111271860708210"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=111402732406477"
  );
  # https://vuxml.freebsd.org/freebsd/63bd4bad-dffe-11d9-b875-0001020eed82.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0d3bece7"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"gzip<1.3.5_2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Slackware Local Security Checks
- NASL id: SLACKWARE_SSA_2006-262-01.NASL
- description: New gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix possible security issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22421
- published: 2006-09-22
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22421
- title: Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2006-262-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22421);
  script_version("1.16");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2005-0758", "CVE-2005-0988", "CVE-2005-1228", "CVE-2006-4334", "CVE-2006-4335", "CVE-2006-4336", "CVE-2006-4337", "CVE-2006-4338");
  script_xref(name:"SSA", value:"2006-262-01");

  script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, and -current to fix possible security issues."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?366c264f"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gzip package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:gzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

flag = 0;
if (slackware_check(osver:"8.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++;

if (slackware_check(osver:"9.0", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;

if (slackware_check(osver:"9.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;

if (slackware_check(osver:"10.0", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;

if (slackware_check(osver:"10.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;

if (slackware_check(osver:"10.2", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;

if (slackware_check(osver:"current", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_SECUPD2006-004.NASL
- description: The remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications : AFP Server, Bluetooth, Bom, DHCP, dyld, fetchmail, gnuzip, ImageIO, LaunchServices, OpenSSH, telnet, WebKit
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22125
- published: 2006-08-01
- reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22125
- title: Mac OS X Multiple Vulnerabilities (Security Update 2006-004)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22125);
  script_version("1.23");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id("CVE-2005-0488", "CVE-2005-0988", "CVE-2005-1228", "CVE-2005-2335",
                "CVE-2005-3088", "CVE-2005-4348", "CVE-2006-0321", "CVE-2006-0392",
                "CVE-2006-0393", "CVE-2006-1472", "CVE-2006-1473", "CVE-2006-3459",
                "CVE-2006-3461", "CVE-2006-3462", "CVE-2006-3465", "CVE-2006-3495",
                "CVE-2006-3496", "CVE-2006-3497", "CVE-2006-3498", "CVE-2006-3499",
                "CVE-2006-3500", "CVE-2006-3501", "CVE-2006-3502", "CVE-2006-3503",
                "CVE-2006-3504", "CVE-2006-3505");
  script_bugtraq_id(19289);

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2006-004)");
  script_summary(english:"Check for Security Update 2006-004");

  script_set_attribute(attribute:"synopsis", value:"The remote operating system is missing a vendor-supplied patch.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Apple Mac OS X, but lacks
Security Update 2006-004.

This security update contains fixes for the following
applications :

AFP Server
Bluetooth
Bom
DHCP
dyld
fetchmail
gnuzip
ImageIO
LaunchServices
OpenSSH
telnet
WebKit");
  # http://web.archive.org/web/20070728033955/http://docs.info.apple.com/article.html?artnum=304063
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e97e41a");
  script_set_attribute(attribute:"solution", value:
"Mac OS X 10.4 :
http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientintel.html
http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientppc.html

Mac OS X 10.3 :
http://www.apple.com/support/downloads/securityupdate20060041039client.html
http://www.apple.com/support/downloads/securityupdate20060041039server.html");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/01");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_family(english:"MacOS X Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");

  exit(0);
}

packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-7]\.)", string:uname) )
{
  if (!egrep(pattern:"^SecUpd(Srvr)?(2006-00[467]|2007-00[38])", string:packages)) security_hole(0);
}
```

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2005-357.NASL
- description: An updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18469
- published: 2005-06-13
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/18469
- title: RHEL 2.1 / 3 / 4 : gzip (RHSA-2005:357)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-116-1.NASL
- description: Imran Ghory discovered a race condition in the file permission restore code of gzip and gunzip. While a user was compressing or decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause gzip to restore the file permissions to the hard link target instead of to the gzip output file, which could be exploited to gain read or even write access to files of other users. (CAN-2005-0988) Ulf Harnhammar found a path traversal vulnerability when gunzip was used with the -N option. An attacker could exploit this to create files in an arbitrary directory with the permissions of a user if he tricked this user to decompress a specially crafted gzip file using the -N option (which can also happen in systems that automatically process uploaded gzip files). (CAN-2005-1228). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20504
- published: 2006-01-15
- reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20504
- title: Ubuntu 4.10 / 5.04 : gzip vulnerabilities (USN-116-1)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-752.NASL
- description: Two problems have been discovered in gzip, the GNU compression utility. The Common Vulnerabilities and Exposures project identifies the following problems.
  - CAN-2005-0988: Imran Ghory discovered a race condition in the permissions setting code in gzip. When decompressing a file in a directory an attacker has access to, gunzip could be tricked to set the file permissions to a different file the user has permissions to.
  - CAN-2005-1228: Ulf Harnhammar discovered a path traversal vulnerability in gunzip. When gunzip is used with the -N option an attacker could use this vulnerability to create files in an arbitrary directory with the permissions of the user.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18673
- published: 2005-07-12
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/18673
- title: Debian DSA-752-1 : gzip - several vulnerabilities

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2005-092.NASL
- description: Several vulnerabilities have been discovered in the gzip package : Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. (CVE-2005-0758) A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip file allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. (CVE-2005-0988) A directory traversal vulnerability via
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18308
- published: 2005-05-19
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/18308
- title: Mandrake Linux Security Advisory : gzip (MDKSA-2005:092)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200505-05.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200505-05 (gzip: Multiple vulnerabilities) The gzip and gunzip programs are vulnerable to a race condition when setting file permissions (CAN-2005-0988), as well as improper handling of filename restoration (CAN-2005-1228). The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758). Impact : These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an arbitrary location in the filesystem. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 18231
- published: 2005-05-11
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/18231
- title: GLSA-200505-05 : gzip: Multiple vulnerabilities

- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2005-357.NASL
- description: An updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21810
- published: 2006-07-03
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21810
- title: CentOS 3 / 4 : gzip (CESA-2005:357)
Oval
- accepted: 2013-04-29T04:03:54.865-04:00
- class: vulnerability
- contributors:
  - name: Aharon Chernin, organization: SCAP.com, LLC
  - name: Dragos Prisaca, organization: G2, Inc.
- definition_extensions:
  - comment: The operating system installed on the system is Red Hat Enterprise Linux 3, oval: oval:org.mitre.oval:def:11782
  - comment: CentOS Linux 3.x, oval: oval:org.mitre.oval:def:16651
  - comment: The operating system installed on the system is Red Hat Enterprise Linux 4, oval: oval:org.mitre.oval:def:11831
  - comment: CentOS Linux 4.x, oval: oval:org.mitre.oval:def:16636
  - comment: Oracle Linux 4.x, oval: oval:org.mitre.oval:def:15990
- description: Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
- family: unix
- id: oval:org.mitre.oval:def:10242
- status: accepted
- submitted: 2010-07-09T03:56:16-04:00
- title: Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
- version: 26

- accepted: 2005-08-18T07:37:00.000-04:00
- class: vulnerability
- contributors:
  - name: Jay Beale, organization: Bastille Linux
- description: Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
- family: unix
- id: oval:org.mitre.oval:def:1169
- status: accepted
- submitted: 2005-06-20T12:00:00.000-04:00
- title: gzip Hard Link Attack
- version: 4

- accepted: 2009-08-03T04:00:04.095-04:00
- class: vulnerability
- contributors:
  - name: Robert L. Hollis, organization: ThreatGuard, Inc.
  - name: Nabil Ouchn, organization: Security-Database
  - name: Pai Peng, organization: Hewlett-Packard
- description: Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
- family: unix
- id: oval:org.mitre.oval:def:765
- status: accepted
- submitted: 2006-09-22T05:52:00.000-04:00
- title: GNU GZip CHMod File Permission Modification Race Condition Weakness
- version: 37
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.58/SCOSA-2005.58.txt
- http://lists.apple.com/archives/security-announce/2006//Aug/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2005-357.html
- http://secunia.com/advisories/18100
- http://secunia.com/advisories/21253
- http://secunia.com/advisories/22033
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101816-1
- http://www.debian.org/security/2005/dsa-752
- http://www.osvdb.org/15487
- http://www.securityfocus.com/archive/1/394965
- http://www.securityfocus.com/bid/12996
- http://www.securityfocus.com/bid/19289
- http://www.us-cert.gov/cas/techalerts/TA06-214A.html
- http://www.vupen.com/english/advisories/2006/3101
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10242
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1169
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A765