Vulnerabilities > CVE-2005-0988

047910
CVSS 3.7 - LOW
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_63BD4BADDFFE11D9B8750001020EED82.NASL
    descriptionProblem Description Two problems related to extraction of files exist in gzip : The first problem is that gzip does not properly sanitize filenames containing
    last seen2020-06-01
    modified2020-06-02
    plugin id18960
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18960
    titleFreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18960);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2005-0988", "CVE-2005-1228");
      script_xref(name:"FreeBSD", value:"SA-05:11.gzip");
    
      script_name(english:"FreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Problem Description Two problems related to extraction of files exist
    in gzip :
    
    The first problem is that gzip does not properly sanitize filenames
    containing '/' when uncompressing files using the -N command line
    option.
    
    The second problem is that gzip does not set permissions on newly
    extracted files until after the file has been created and the file
    descriptor has been closed. Impact The first problem can allow an
    attacker to overwrite arbitrary local files when uncompressing a file
    using the -N command line option.
    
    The second problem can allow a local attacker to change the
    permissions of arbitrary local files, on the same partition as the one
    the user is uncompressing a file on, by removing the file the user is
    uncompressing and replacing it with a hardlink before the uncompress
    operation is finished. Workaround Do not use the -N command line
    option on untrusted files and do not uncompress files in directories
    where untrusted users have write access."
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=111271860708210"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=111402732406477"
      );
      # https://vuxml.freebsd.org/freebsd/63bd4bad-dffe-11d9-b875-0001020eed82.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0d3bece7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gzip");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"gzip<1.3.5_2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-262-01.NASL
    descriptionNew gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix possible security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id22421
    published2006-09-22
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22421
    titleSlackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-262-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22421);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2005-0758", "CVE-2005-0988", "CVE-2005-1228", "CVE-2006-4334", "CVE-2006-4335", "CVE-2006-4336", "CVE-2006-4337", "CVE-2006-4338");
      script_xref(name:"SSA", value:"2006-262-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, 10.2, and -current to fix possible security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?366c264f"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gzip package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:gzip");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"gzip", pkgver:"1.3.5", pkgarch:"i486", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2006-004.NASL
    descriptionThe remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications : AFP Server Bluetooth Bom DHCP dyld fetchmail gnuzip ImageIO LaunchServices OpenSSH telnet WebKit
    last seen2020-06-01
    modified2020-06-02
    plugin id22125
    published2006-08-01
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22125
    titleMac OS X Multiple Vulnerabilities (Security Update 2006-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22125);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2005-0488", "CVE-2005-0988", "CVE-2005-1228", "CVE-2005-2335", "CVE-2005-3088",
                    "CVE-2005-4348", "CVE-2006-0321", "CVE-2006-0392", "CVE-2006-0393", "CVE-2006-1472",
                    "CVE-2006-1473", "CVE-2006-3459", "CVE-2006-3461", "CVE-2006-3462", "CVE-2006-3465",
                    "CVE-2006-3495", "CVE-2006-3496", "CVE-2006-3497", "CVE-2006-3498", "CVE-2006-3499",
                    "CVE-2006-3500", "CVE-2006-3501", "CVE-2006-3502", "CVE-2006-3503", "CVE-2006-3504",
                    "CVE-2006-3505");
      script_bugtraq_id(19289);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2006-004)");
      script_summary(english:"Check for Security Update 2006-004");
    
      script_set_attribute(attribute:"synopsis", value:"The remote operating system is missing a vendor-supplied patch.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Apple Mac OS X, but lacks
    Security Update 2006-004.
    
    This security update contains fixes for the following
    applications :
    
    AFP Server
    Bluetooth
    Bom
    DHCP
    dyld
    fetchmail
    gnuzip
    ImageIO
    LaunchServices
    OpenSSH
    telnet
    WebKit");
     # http://web.archive.org/web/20070728033955/http://docs.info.apple.com/article.html?artnum=304063
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e97e41a");
      script_set_attribute(attribute:"solution", value:
    "Mac OS X 10.4 :
    
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientintel.html
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientppc.html
    
    Mac OS X 10.3 :
    
    http://www.apple.com/support/downloads/securityupdate20060041039client.html
    http://www.apple.com/support/downloads/securityupdate20060041039server.html");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"MacOS X Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
      exit(0);
    }
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    
    uname = get_kb_item("Host/uname");
    if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-7]\.)", string:uname) )
    {
      if (!egrep(pattern:"^SecUpd(Srvr)?(2006-00[467]|2007-00[38])", string:packages)) security_hole(0);
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-357.NASL
    descriptionAn updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18469
    published2005-06-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18469
    titleRHEL 2.1 / 3 / 4 : gzip (RHSA-2005:357)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-116-1.NASL
    descriptionImran Ghory discovered a race condition in the file permission restore code of gzip and gunzip. While a user was compressing or decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause gzip to restore the file permissions to the hard link target instead of to the gzip output file, which could be exploited to gain read or even write access to files of other users. (CAN-2005-0988) Ulf Harnhammar found a path traversal vulnerability when gunzip was used with the -N option. An attacker could exploit this to create files in an arbitrary directory with the permissions of a user if he tricked this user to decompress a specially crafted gzip file using the -N option (which can also happen in systems that automatically process uploaded gzip files). (CAN-2005-1228). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20504
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20504
    titleUbuntu 4.10 / 5.04 : gzip vulnerabilities (USN-116-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-752.NASL
    descriptionTwo problems have been discovered in gzip, the GNU compression utility. The Common Vulnerabilities and Exposures project identifies the following problems. - CAN-2005-0988 Imran Ghory discovered a race condition in the permissions setting code in gzip. When decompressing a file in a directory an attacker has access to, gunzip could be tricked to set the file permissions to a different file the user has permissions to. - CAN-2005-1228 Ulf Harnhammar discovered a path traversal vulnerability in gunzip. When gunzip is used with the -N option an attacker could use this vulnerability to create files in an arbitrary directory with the permissions of the user.
    last seen2020-06-01
    modified2020-06-02
    plugin id18673
    published2005-07-12
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18673
    titleDebian DSA-752-1 : gzip - several vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-092.NASL
    descriptionSeveral vulnerabilities have been discovered in the gzip package : Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. (CVE-2005-0758) A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip file allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. (CVE-2005-0988) A directory traversal vulnerability via
    last seen2020-06-01
    modified2020-06-02
    plugin id18308
    published2005-05-19
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18308
    titleMandrake Linux Security Advisory : gzip (MDKSA-2005:092)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200505-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200505-05 (gzip: Multiple vulnerabilities) The gzip and gunzip programs are vulnerable to a race condition when setting file permissions (CAN-2005-0988), as well as improper handling of filename restoration (CAN-2005-1228). The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758). Impact : These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an aribitrary location in the filesystem. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id18231
    published2005-05-11
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18231
    titleGLSA-200505-05 : gzip: Multiple vulnerabilities
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-357.NASL
    descriptionAn updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21810
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21810
    titleCentOS 3 / 4 : gzip (CESA-2005:357)

Oval

  • accepted2013-04-29T04:03:54.865-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    descriptionRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
    familyunix
    idoval:org.mitre.oval:def:10242
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
    version26
  • accepted2005-08-18T07:37:00.000-04:00
    classvulnerability
    contributors
    nameJay Beale
    organizationBastille Linux
    descriptionRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
    familyunix
    idoval:org.mitre.oval:def:1169
    statusaccepted
    submitted2005-06-20T12:00:00.000-04:00
    titlegzip Hard Link Attack
    version4
  • accepted2009-08-03T04:00:04.095-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameNabil Ouchn
      organizationSecurity-Database
    • namePai Peng
      organizationHewlett-Packard
    descriptionRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.
    familyunix
    idoval:org.mitre.oval:def:765
    statusaccepted
    submitted2006-09-22T05:52:00.000-04:00
    titleGNU GZip CHMod File Permission Modification Race ConditionWeakness
    version37

Redhat

advisories
rhsa
idRHSA-2005:357
rpms
  • gzip-0:1.3.3-12.rhel3
  • gzip-0:1.3.3-15.rhel4
  • gzip-debuginfo-0:1.3.3-12.rhel3
  • gzip-debuginfo-0:1.3.3-15.rhel4

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.