RHEL 2.1 : unzip (RHSA-2002:138)

2004-07-0600:00:00

www.tenable.com

The unzip and tar utilities contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction.

The unzip and tar utilities are used for dealing with archives, which are multiple files stored inside of a single file.

A directory traversal vulnerability in unzip version 5.42 and earlier, as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite arbitrary files during archive extraction via a ‘…’ (dot dot) in an extracted filename (CVE-2001-1267, CVE-2001-1268). In addition, unzip version 5.42 and earlier also allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the ‘/’ (slash) character (CVE-2001-1269).

During testing of the fix to GNU tar, we discovered that GNU tar 1.13.25 was still vulnerable to a modified version of the same problem. Red Hat has provided a patch to tar 1.3.25 to correct this problem (CVE-2002-0399).

Users of unzip and tar are advised to upgrade to these errata packages, containing unzip version 5.50 and a patched version of GNU tar 1.13.25, which are not vulnerable to these issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2002:138. The text 
# itself is copyright (C) Red Hat, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(12312);
  script_version("1.26");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2001-1267", "CVE-2001-1268", "CVE-2001-1269", "CVE-2002-0399", "CVE-2002-1216");
  script_xref(name:"RHSA", value:"2002:138");

  script_name(english:"RHEL 2.1 : unzip (RHSA-2002:138)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The unzip and tar utilities contain vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

The unzip and tar utilities are used for dealing with archives, which
are multiple files stored inside of a single file.

A directory traversal vulnerability in unzip version 5.42 and earlier,
as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite
arbitrary files during archive extraction via a '..' (dot dot) in an
extracted filename (CVE-2001-1267, CVE-2001-1268). In addition, unzip
version 5.42 and earlier also allows attackers to overwrite arbitrary
files during archive extraction via filenames in the archive that
begin with the '/' (slash) character (CVE-2001-1269).

During testing of the fix to GNU tar, we discovered that GNU tar
1.13.25 was still vulnerable to a modified version of the same
problem. Red Hat has provided a patch to tar 1.3.25 to correct this
problem (CVE-2002-0399).

Users of unzip and tar are advised to upgrade to these errata
packages, containing unzip version 5.50 and a patched version of GNU
tar 1.13.25, which are not vulnerable to these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2001-1267"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2001-1268"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2001-1269"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2002-0399"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2002-1216"
  );
  # http://online.securityfocus.com/archive/1/196445
  script_set_attribute(
    attribute:"see_also",
    value:"https://online.securityfocus.com/archive/1/196445"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2002:138"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected tar and / or unzip packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tar");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:unzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/10/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2002:138";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"tar-1.13.25-4.AS21.0")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"unzip-5.50-2")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tar / unzip");
  }
}

VendorProductVersionCPE
redhatenterprise_linuxtarp-cpe:/a:redhat:enterprise_linux:tar
redhatenterprise_linuxunzipp-cpe:/a:redhat:enterprise_linux:unzip
redhatenterprise_linux2.1cpe:/o:redhat:enterprise_linux:2.1

Vendor	Product	Version	CPE
redhat	enterprise_linux	tar	p-cpe:/a:redhat:enterprise_linux:tar
redhat	enterprise_linux	unzip	p-cpe:/a:redhat:enterprise_linux:unzip
redhat	enterprise_linux	2.1	cpe:/o:redhat:enterprise_linux:2.1