Mandrake Linux Security Advisory : unzip (MDKSA-2003:073-1)
Low Nessus Plugin ID 14056
Synopsis
The remote Mandrake Linux host is missing a security update.
Description
A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two '.' characters. These invalid characters are filtered, which results in a '..' sequence.
The patch applied to these packages prevents unzip from writing to parent directories unless the '-:' command line option is used.
Ben Laurie found that the original patch used to fix this issue missed a case where the path component included a quoted slash. An updated patch was used to build these packages.
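
The ordering problem described above, as an added C sketch that is not unzip's source or the Mandrake patch: a parent-directory check that runs before non-printable bytes are filtered misses a name that only becomes '..' afterwards, while checking the filtered name catches it. All function names and the sample entry name are constructed for illustration.

```c
/* Added illustration, not unzip source; every name here is hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Drop non-printable bytes from src into dst (dst must hold strlen(src)+1). */
static void strip_nonprintable(const char *src, char *dst)
{
    for (; *src; src++)
        if (isprint((unsigned char)*src))
            *dst++ = *src;
    *dst = '\0';
}

/* Return 1 if any '/'-separated component of path is exactly "..". */
static int has_parent_component(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        if (*p == '/') p++;
    }
    return 0;
}
/* Flawed order: the check sees the raw name, the filesystem gets the filtered one. */
int accept_check_then_filter(const char *name, char *out)
{
    if (has_parent_component(name))
        return 0;
    strip_nonprintable(name, out);
    return 1;
}
/* Corrected order: filter first, then check the exact string that will be used. */
int accept_filter_then_check(const char *name, char *out)
{
    strip_nonprintable(name, out);
    return !has_parent_component(out);
}

int main(void)
{
    char out[64];
    const char *name = ".\x01./target.txt"; /* constructed sample entry name */
    printf("check-then-filter accepts: %d, filter-then-check accepts: %d\n",
           accept_check_then_filter(name, out), accept_filter_then_check(name, out));
    return 0;
}
```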
Solution
Update the affected unzip package.