Mandrake Linux Security Advisory : gzip (MDKSA-2003:068)

Low Nessus Plugin ID 14051


The remote Mandrake Linux host is missing a security update.


A vulnerability exists in znew, a script included with gzip: it creates temporary files without taking precautions to avoid a symlink attack. Patches have been applied so that the script uses mktemp to generate unique filenames and makes proper use of noclobber. Likewise, a fix previously applied to gzexe was incomplete; it has been fixed to make full use of mktemp everywhere a temporary file is created.

The znew problem was initially reported by Michal Zalewski and was again reported more recently to Debian by Paul Szabo.
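The two protections named in the description, mktemp and noclobber, can be exercised in a private scratch directory. This is an added example, not code from znew, gzexe or the Mandrake patch; the function names, file names and the `work.1234` path are hypothetical.

```shell
#!/bin/sh
# Added illustration; not taken from the gzip scripts or the vendor patch.

# make_tmp PREFIX: mktemp picks an unpredictable name and creates the file
# itself, so a link planted in advance at a guessed path is never opened.
make_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# safe_write PATH DATA: write DATA to PATH only if nothing is there yet.
# With noclobber (set -C) the '>' redirection fails on an existing file or
# symlink instead of truncating whatever the path resolves to.
safe_write() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# demo: run both protections against constructed files; returns 0 on success.
demo() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/gzdemo.XXXXXX") || return 1
    status=0
    printf 'original\n' > "$box/target"
    ln -s "$box/target" "$box/work.1234"   # constructed: link at a guessable name

    if safe_write "$box/work.1234" "scratch data"; then
        echo "FAIL: wrote through the pre-existing link"; status=1
    else
        echo "ok: noclobber refused the pre-existing path"
    fi
    [ "$(cat "$box/target")" = "original" ] || status=1

    tmp=$(make_tmp gzdemo) || status=1
    if [ -f "$tmp" ] && [ "$tmp" != "$box/work.1234" ]; then
        echo "ok: mktemp created $tmp"
    else
        status=1
    fi

    rm -rf "$box" "$tmp"
    return "$status"
}

demo
```
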


Update the affected gzip package.

Plugin Details

Severity: Low

ID: 14051

File Name: mandrake_MDKSA-2003-068.nasl

Version: $Revision: 1.18 $

Type: local

Published: 2004/07/31

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:gzip, cpe:/o:mandrakesoft:mandrake_linux:8.2, cpe:/o:mandrakesoft:mandrake_linux:9.0, cpe:/o:mandrakesoft:mandrake_linux:9.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2003/06/16

Reference Information

CVE: CVE-1999-1332, CVE-2003-0367

MDKSA: 2003:068