FreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Problem Description: Two problems related to extraction of files exist
in gzip:

The first problem is that gzip does not properly sanitize filenames
containing '/' when uncompressing files using the -N command line
option.

The second problem is that gzip does not set permissions on newly
extracted files until after the file has been created and the file
descriptor has been closed.

Impact: The first problem can allow an attacker to overwrite arbitrary
local files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the
permissions of arbitrary local files, on the same partition as the one
the user is uncompressing a file on, by removing the file the user is
uncompressing and replacing it with a hardlink before the uncompress
operation is finished.

Workaround: Do not use the -N command line option on untrusted files
and do not uncompress files in directories where untrusted users have
write access.
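
The first problem concerns the original file name stored in the gzip header, which -N restores. The Python check below is an added example, not part of the plugin or the FreeBSD advisory: it reads that field as laid out in RFC 1952 and rejects names containing '/' before -N is used. The function names and the sample members are constructed for illustration.

```python
import struct
import zlib

FEXTRA, FNAME = 0x04, 0x08  # header flag bits defined by RFC 1952


def stored_name(data: bytes):
    """Return the original file name from a gzip header, or None if absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flags, pos = data[3], 10          # fixed header is 10 bytes long
    if flags & FEXTRA:                # optional extra field precedes the name
        if pos + 2 > len(data):
            raise ValueError("truncated FEXTRA length")
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)     # the name is zero-terminated
    if end == -1:
        raise ValueError("unterminated FNAME field")
    return data[pos:end].decode("latin-1")


def safe_for_dash_n(data: bytes) -> bool:
    """True if restoring the stored name cannot leave the current directory."""
    name = stored_name(data)
    if name is None:
        return True                   # no stored name for -N to restore
    # '/' is the condition the advisory names; '', '.' and '..' are rejected
    # as well, as a conservative assumption of this example.
    return "/" not in name and name not in ("", ".", "..")


def make_member(name, extra=b"", payload=b"hello\n"):
    """Build a constructed gzip member so the example runs offline."""
    flags = (FNAME if name is not None else 0) | (FEXTRA if extra else 0)
    head = b"\x1f\x8b\x08" + bytes([flags]) + b"\x00" * 4 + b"\x00\x03"
    if extra:
        head += struct.pack("<H", len(extra)) + extra
    if name is not None:
        head += name + b"\x00"
    deflater = zlib.compressobj(wbits=-15)   # raw deflate, no zlib wrapper
    body = deflater.compress(payload) + deflater.flush()
    return head + body + struct.pack("<II", zlib.crc32(payload), len(payload))


if __name__ == "__main__":
    for sample in (b"notes.txt", b"../outside/notes.txt", b"/abs/notes.txt", None):
        member = make_member(sample)
        print(repr(stored_name(member)), "safe" if safe_for_dash_n(member) else "REJECT")
```

This addresses only the stored-name problem; the permission race is a property of how the affected gzip creates the output file and is not detectable from the archive.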

See also :

http://marc.info/?l=bugtraq&m=111271860708210
http://marc.info/?l=bugtraq&m=111402732406477
http://www.nessus.org/u?dc2f1765

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 18960 (freebsd_pkg_63bd4baddffe11d9b8750001020eed82.nasl)

Bugtraq ID:

CVE ID: CVE-2005-0988, CVE-2005-1228
