N-041: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands

CIAC INFORMATION BULLETIN

N-041: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands

[Sun Alert ID: 47800 ]

February 7, 2003 13:00 GMT

PROBLEM: Vulnerabilities have been identified in "unzip" and GNU "tar" Commands. Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.
PLATFORM: Sun Linux
- Sun Linux 5.0 with tar 1.13.19-6
- Sun Linux 5.0 with unzip version 5.42 or earlier
- Sun Linux 5.0 with GNU tar 1.13.19 or earlier
Cobalt
- Qube 3
- RaQ 3
- RaQ 4
- RaQ 550
- RaQ XTR
DAMAGE: A local unprivileged user may be able to gain unauthorized root access and/or overwrite any file on the system.
SOLUTION: Apply available patches, upgrades, or workarounds.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a system.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-041.shtml
  ORIGINAL BULLETIN: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47800&zone_32=category%3Asecurity
  PATCHES: http://sunsolve.sun.com/patches/linux/security.html
           http://sunsolve.sun.com/patches/cobalt/

[***** Start Sun Alert ID: 47800  *****]


Sun Alert ID: 47800 
Synopsis: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands 
Category: Security  
Product: Sun Linux 
BugIDs: 16170 
Avoidance: Workaround, Patch, Upgrade 
State: Resolved 
Date Released: 10-Oct-2002, 04-Feb-2003 
Date Closed: 04-Feb-2003 
Date Modified: 04-Feb-2003 


1. Impact 

A local unprivileged user may be able to gain unauthorized root access and/or 
overwrite any file on the system if a privileged user extracts a tar or zip archive 
which contains a ".." (dot dot) in the filename. 


For more information see: 

  http://online.securityfocus.com/archive/1/196445 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1268 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1269 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0399 


2. Contributing Factors 

This issue can occur in the following releases: 

Sun Linux 

  Sun Linux 5.0 with tar 1.13.19-6 
  Sun Linux 5.0 with unzip version 5.42 or earlier 
  Sun Linux 5.0 with GNU tar 1.13.19 or earlier 

Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server. 


Cobalt 

  Qube 3 
  RaQ 3 
  RaQ 4 
  RaQ 550 
  RaQ XTR 


3. Symptoms 

There are no reliable symptoms that would show the described issue has been exploited 
to gain unauthorized root access to a system. 


4. Relief/Workaround 

Verify zip or tar archives using the options as follows: 

	tar -tvf <archive>.tar

Or for compressed files: 

	tar -tvzf <archive>.tar.<ext>

Or for zip files: 

	unzip -l <archive>.zip

If multiple "../" entries are not present, the archive is safe. 
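
An added example (not part of the Sun Alert or the CIAC bulletin) that automates the listing check above in Python: it reads member names from a tar, compressed tar or zip archive without extracting anything and reports the names that could land outside the extraction directory. It goes beyond the bulletin's check by flagging even a single ".." path component and absolute member names; the function names, sample archives and member names are constructed for illustration.

```python
import io
import tarfile
import zipfile

def escape_reason(member_name):
    """Return why a member name could land outside the extraction directory, or None."""
    path = member_name.replace("\\", "/")
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):  # whole path component only; "a..b.txt" is fine
        return "'..' path component"
    return None

def member_names(fileobj):
    """List member names without extracting: tar (plain or compressed) first, then zip."""
    try:
        with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
            return tf.getnames()
    except tarfile.ReadError:
        fileobj.seek(0)
        with zipfile.ZipFile(fileobj) as zf:
            return zf.namelist()

def audit_archive(fileobj):
    """Return [(member_name, reason)] for every member that should block extraction."""
    return [(n, r) for n in member_names(fileobj) if (r := escape_reason(n))]

def sample_tar():
    """Constructed gzip-compressed tar: one normal, one '..' and one absolute member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in ("docs/readme.txt", "../../tmp/demo-outside.txt", "/tmp/demo-abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(b"constructed\n")
            tf.addfile(info, io.BytesIO(b"constructed\n"))
    buf.seek(0)
    return buf

def sample_zip():
    """Constructed zip: a harmless name containing '..' and a real traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/a..b.txt", "constructed\n")
        zf.writestr("../../tmp/demo-outside.txt", "constructed\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, archive in (("tar.gz", sample_tar()), ("zip", sample_zip())):
        print(label, audit_archive(archive))
```

To check a file on disk, pass it opened in binary mode, for example `audit_archive(open(path, "rb"))`, and extract only when the returned list is empty.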


5. Resolution 

This issue is addressed in the following releases: 

Sun Linux 

  Sun Linux 5.0 tar-1.13.25-4.7.1.i386.rpm 
  Sun Linux 5.0 unzip-5.50-2.i386.rpm 
  Sun Linux 5.0 tar-1.13.25-4.7.1.src.rpm 
  Sun Linux 5.0 unzip-5.50-2.src.rpm 

The above patches are available at: 
http://sunsolve.sun.com/patches/linux/security.html 

Cobalt 

  Qube3-All-Security-4.0.1-16170.pkg 
  RaQ3-All-Security-5.0.1-16170.pkg 
  RaQ4-All-Security-2.0.2-16170.pkg 
  RaQ550-All-Security-0.0.1-16170.pkg 
  RaQXTR-All-Security-1.0.1-16170.pkg 

The above patches are available at: 
http://sunsolve.sun.com/patches/cobalt/ 

Change History 

04-Feb-2003: 

State Resolved (and Closed) 
Updated Contributing Factors and Resolution sections 

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun 
Alert notification may contain information provided by third parties. The issues 
described in this Sun Alert notification may or may not impact your system(s). Sun 
makes no representations, warranties, or guarantees as to the information contained 
herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION 
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, 
ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO 
EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL 
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. 
This Sun Alert notification contains Sun proprietary and confidential information. It 
is being provided to you pursuant to the provisions of your agreement to purchase 
services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. 
This Sun Alert notification may only be used for the purposes contemplated by these 
agreements. 

Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 
U.S.A. All rights reserved. 

[***** End Sun Alert ID: 47800  *****]


CIAC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/