gzip -- insecure temporary files

ID DSA-308
Type debian
Reporter Debian
Modified 2003-06-06T00:00:00


Paul Szabo discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).

The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.

For the stable distribution (woody) both problems have been fixed in version 1.3.2-3woody1.

For the old stable distribution (potato) CAN-2003-0367 has been fixed in version 1.2.4-33.2. This version is not vulnerable to CVE-1999-1332 due to an earlier patch.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you update your gzip package.