Mandrake Linux Security Advisory : gzip (MDKSA-2004:142)
Low Nessus Plugin ID 15915
Synopsis
The remote Mandrake Linux host is missing a security update.
Description
The Trustix developers found some insecure temporary file creation problems in the zdiff, znew, and gzexe supplemental scripts in the gzip package. These flaws could allow local users to overwrite files via a symlink attack.
A similar problem, found in znew, was fixed last year (CVE-2003-0367). At that time, Mandrakesoft also used mktemp to correct the problems in gzexe. This update uses mktemp to handle temporary files in the zdiff script.
Solution
Update the affected gzip package.
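The class of flaw described above and the mktemp-style fix, as an added shell example (not code from the gzip scripts or from the advisory). The `zdemo` prefix, the function names and the scratch directory are constructed for illustration; everything runs inside a private directory created by `mktemp -d`.

```shell
#!/bin/sh
# Constructed demo: predictable temp name vs. mktemp, inside a scratch dir.

# Weak pattern: the name is a known prefix plus the PID, opened with '>'.
# The shell follows whatever already sits at that path, including a symlink.
write_predictable() {   # $1 = directory, $2 = data
    f="$1/zdemo.$$"
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively, so an existing entry is never opened or followed.
write_mktemp() {        # $1 = directory, $2 = data
    f=$(mktemp "$1/zdemo.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Runs one writer in a directory where the predictable name already exists
# as a symlink to another file, then prints that other file's content.
demo() {                # $1 = writer function name
    d=$(mktemp -d) || return 1
    printf 'original\n' > "$d/victim"
    ln -s "$d/victim" "$d/zdemo.$$"   # pre-existing link, as in the advisory's symlink scenario
    "$1" "$d" "scratch data" > /dev/null
    cat "$d/victim"
    rm -rf "$d"
}

echo "predictable name: victim contains '$(demo write_predictable)'"
echo "mktemp:           victim contains '$(demo write_mktemp)'"
```

When auditing other scripts for the same weakness, search for redirections into `/tmp` paths built from `$$` or fixed names.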