ID UBUNTU_USN-191-1.NASL Type nessus Reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. Modified 2006-01-15T00:00:00
Description
Imran Ghory found a race condition in the handling of output files.
While a file was unpacked by unzip, a local attacker with write
permissions to the target directory could exploit this to change the
permissions of arbitrary files of the unzip user.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-191-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when `description` is set, the script only declares its
# metadata and then exits (exit(0) at the end of this block), so none of the
# host checks that follow this block run in that mode.
if (description)
{
# Plugin identity and revision metadata.
script_id(20605);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
# Cross-references used to correlate this finding with the CVE, Bugtraq and
# Ubuntu Security Notice records for the same issue.
script_cve_id("CVE-2005-2475");
script_bugtraq_id(14450);
script_xref(name:"USN", value:"191-1");
script_name(english:"Ubuntu 4.10 / 5.04 : unzip vulnerability (USN-191-1)");
# Per the summary string, detection is based on dpkg output (the installed
# package version); the plugin does not exercise the race condition itself.
script_summary(english:"Checks dpkg output for updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Ubuntu host is missing a security-related patch."
);
# Advisory text as extracted from USN-191-1. This is a runtime string shown in
# scan results, so it is kept verbatim.
script_set_attribute(
attribute:"description",
value:
"Imran Ghory found a race condition in the handling of output files.
While a file was unpacked by unzip, a local attacker with write
permissions to the target directory could exploit this to change the
permissions of arbitrary files of the unzip user.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
script_set_attribute(attribute:"solution", value:"Update the affected unzip package.");
# CVSS v2 base vector: local access (AV:L), high access complexity (AC:H),
# no authentication (Au:N), partial confidentiality impact and no integrity or
# availability impact (C:P/I:N/A:N).
# NOTE(review): the description above speaks of changing file permissions,
# while this vector records no integrity impact; the vector is kept as
# published, so read the advisory text as well when assessing impact.
script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N");
# CVSS v2 temporal vector: exploitability unproven (E:U), official fix
# available (RL:OF), report confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# NOTE(review): the two exploitability attributes below are static metadata as
# of the plugin's last modification; confirm against current sources before
# relying on them for triage.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# "local" plugin type: the result is derived from data collected on the host
# (see the required KB keys below), not from probing a network service.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE entries: the affected package and the two Ubuntu releases in scope.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:unzip");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
# Timeline: vulnerability disclosure, vendor patch, plugin release.
script_set_attribute(attribute:"patch_publication_date", value:"2005/09/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/01");
script_end_attributes();
# Declared in the information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
script_family(english:"Ubuntu Local Security Checks");
# Declares ssh_get_info.nasl as a dependency and lists the knowledge-base keys
# this plugin requires; presumably that dependency populates them from a
# credentialed login (verify against ssh_get_info.nasl).
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
# End of registration: stop here so the check logic is not run in this mode.
exit(0);
}
include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");
# Host check for USN-191-1 (unzip, CVE-2005-2475).
#
# The verdict comes from knowledge-base data gathered on the host (OS release,
# CPU architecture, dpkg package list). It is a package-version check and does
# not test the race condition directly.
# NOTE(review): an unzip binary installed outside dpkg would presumably not be
# assessed by this check - confirm against ubuntu.inc.

# Precondition 1: local checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Precondition 2: the host must report an Ubuntu release, and after trimming
# the trailing newline it must be exactly 4.10 or 5.04 (anchored pattern).
release = get_kb_item("Host/Ubuntu/release");
if (isnull(release))
{
  audit(AUDIT_OS_NOT, "Ubuntu");
}
release = chomp(release);
if (!ereg(pattern:"^(4\.10|5\.04)$", string:release))
{
  audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release);
}

# Precondition 3: a dpkg package listing must have been collected.
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Precondition 4: only x86_64 and i386-i686 architectures are handled; any
# other architecture is audited out as "not implemented" instead of being
# reported as unaffected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
}

# Package tests, one per release. Both calls are always made so that each can
# record its own result. ubuntu_check() is defined in ubuntu.inc (not shown);
# presumably it flags an installed unzip older than the given pkgver - confirm.
flag = 0;
if (ubuntu_check(osver:"4.10", pkgname:"unzip", pkgver:"5.51-2ubuntu0.2"))
{
  flag++;
}
if (ubuntu_check(osver:"5.04", pkgname:"unzip", pkgver:"5.51-2ubuntu1.2"))
{
  flag++;
}

if (!flag)
{
  # Nothing flagged: distinguish "package was tested and is not affected"
  # from "unzip is not installed at all".
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unzip");
}
else
{
  # At least one test flagged the host: report at note severity on port 0,
  # attaching the text accumulated by the ubuntu.inc helpers.
  security_report_v4(
    port     : 0,
    severity : SECURITY_NOTE,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
{"id": "UBUNTU_USN-191-1.NASL", "bulletinFamily": "scanner", "title": "Ubuntu 4.10 / 5.04 : unzip vulnerability (USN-191-1)", "description": "Imran Ghory found a race condition in the handling of output files.\nWhile a file was unpacked by unzip, a local attacker with write\npermissions to the target directory could exploit this to change the\npermissions of arbitrary files of the unzip user.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2006-01-15T00:00:00", "modified": "2006-01-15T00:00:00", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/20605", "reporter": "Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.", "references": [], "cvelist": ["CVE-2005-2475"], "type": "nessus", "lastseen": "2021-01-20T15:25:24", "edition": 25, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2475"]}, {"type": "ubuntu", "idList": ["USN-191-1"]}, {"type": "osvdb", "idList": ["OSVDB:18530"]}, {"type": "openvas", "idList": ["OPENVAS:55306", "OPENVAS:56143", "OPENVAS:55899"]}, {"type": "debian", "idList": ["DEBIAN:DSA-903-1:72F3A", "DEBIAN:DSA-903-2:432E3"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2007-0203.NASL", "SL_20070501_UNZIP_ON_SL4_X.NASL", "REDHAT-RHSA-2007-0203.NASL", "MANDRAKE_MDKSA-2005-197.NASL", "FREEBSD_PKG_9750CF22216D11DABC01000E0C2E438A.NASL", "DEBIAN_DSA-903.NASL", "ORACLELINUX_ELSA-2007-0203.NASL"]}, {"type": "freebsd", "idList": ["9750CF22-216D-11DA-BC01-000E0C2E438A"]}, {"type": "centos", "idList": ["CESA-2007:0203"]}, {"type": "oraclelinux", "idList": ["ELSA-2007-0203"]}, {"type": "redhat", "idList": ["RHSA-2007:0203"]}], "modified": "2021-01-20T15:25:24", "rev": 2}, 
"score": {"value": 4.7, "vector": "NONE", "modified": "2021-01-20T15:25:24", "rev": 2}, "vulnersScore": 4.7}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-191-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20605);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n script_xref(name:\"USN\", value:\"191-1\");\n\n script_name(english:\"Ubuntu 4.10 / 5.04 : unzip vulnerability (USN-191-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Imran Ghory found a race condition in the handling of output files.\nWhile a file was unpacked by unzip, a local attacker with write\npermissions to the target directory could exploit this to change the\npermissions of arbitrary files of the unzip user.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! 
ereg(pattern:\"^(4\\.10|5\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10 / 5.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"unzip\", pkgver:\"5.51-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"unzip\", pkgver:\"5.51-2ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"unzip\");\n}\n", "naslFamily": "Ubuntu Local Security Checks", "pluginID": "20605", "cpe": ["cpe:/o:canonical:ubuntu_linux:5.04", "cpe:/o:canonical:ubuntu_linux:4.10", "p-cpe:/a:canonical:ubuntu_linux:unzip"], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:24:37", "description": "Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.", "edition": 4, "cvss3": {}, "published": "2005-08-05T04:00:00", "title": "CVE-2005-2475", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2475"], "modified": "2017-10-11T01:30:00", "cpe": ["cpe:/a:info-zip:unzip:5.52"], "id": "CVE-2005-2475", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2475", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:info-zip:unzip:5.52:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-09T19:40:37", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475"], "description": "Imran Ghory found a race condition in the handling of output files. 
\nWhile a file was unpacked by unzip, a local attacker with write \npermissions to the target directory could exploit this to change the \npermissions of arbitrary files of the unzip user.", "edition": 5, "modified": "2005-09-30T00:00:00", "published": "2005-09-30T00:00:00", "id": "USN-191-1", "href": "https://ubuntu.com/security/notices/USN-191-1", "title": "unzip vulnerability", "type": "ubuntu", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:15", "bulletinFamily": "software", "cvelist": ["CVE-2005-2475"], "edition": 1, "description": "## Vulnerability Description\nUnZip contains a flaw that may allow a malicious local user to change permissions of arbitrary files on the system. The issue is triggered via a hard link attack on a file while it is being decompressed. It is possible that the flaw may allow arbitrary file permission modification resulting in a loss of confidentiality and integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nUnZip contains a flaw that may allow a malicious local user to change permissions of arbitrary files on the system. The issue is triggered via a hard link attack on a file while it is being decompressed. 
It is possible that the flaw may allow arbitrary file permission modification resulting in a loss of confidentiality and integrity.\n## References:\nVendor URL: http://www.info-zip.org/pub/infozip/UnZip.html\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-191-1)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2005/0053/)\n[Secunia Advisory ID:17045](https://secuniaresearch.flexerasoftware.com/advisories/17045/)\n[Secunia Advisory ID:17006](https://secuniaresearch.flexerasoftware.com/advisories/17006/)\n[Secunia Advisory ID:16309](https://secuniaresearch.flexerasoftware.com/advisories/16309/)\n[Secunia Advisory ID:16985](https://secuniaresearch.flexerasoftware.com/advisories/16985/)\n[Secunia Advisory ID:17653](https://secuniaresearch.flexerasoftware.com/advisories/17653/)\n[Secunia Advisory ID:17342](https://secuniaresearch.flexerasoftware.com/advisories/17342/)\n[Secunia Advisory ID:25098](https://secuniaresearch.flexerasoftware.com/advisories/25098/)\nRedHat RHSA: RHSA-2007:0203\nOther Advisory URL: http://www.debian.org/security/2005/dsa-903\nOther Advisory URL: http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:197\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0024.html\n[CVE-2005-2475](https://vulners.com/cve/CVE-2005-2475)\nBugtraq ID: 14450\n", "modified": "2005-08-01T08:37:53", "published": "2005-08-01T08:37:53", "href": "https://vulners.com/osvdb/OSVDB:18530", "id": "OSVDB:18530", "type": "osvdb", "title": "UnZip Race Condition Arbitrary File Permission Modification", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475"], "description": "The remote host is missing an update to unzip\nannounced via advisory DSA 903-1.\n\nImran Ghory discovered a race condition in the permissions setting\ncode in unzip. 
When decompressing a file in a directory an attacker\nhas access to, unzip could be tricked to set the file permissions to a\ndifferent file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody4.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:55899", "href": "http://plugins.openvas.org/nasl.php?oid=55899", "type": "openvas", "title": "Debian Security Advisory DSA 903-1 (unzip)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_903_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 903-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 5.52-1sarge2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 5.52-4.\n\nWe recommend that you upgrade your unzip package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20903-1\";\ntag_summary = \"The remote host is missing an update to unzip\nannounced via advisory DSA 903-1.\n\nImran Ghory discovered a race condition in the permissions setting\ncode in unzip. When decompressing a file in a directory an attacker\nhas access to, unzip could be tricked to set the file permissions to a\ndifferent file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody4.\";\n\n\nif(description)\n{\n script_id(55899);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:07:13 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n script_tag(name:\"cvss_base\", value:\"1.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n script_name(\"Debian Security Advisory DSA 903-1 (unzip)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"unzip\", ver:\"5.50-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"unzip\", ver:\"5.52-1sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-24T12:50:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475"], "description": "The remote host is missing an update to unzip\nannounced via advisory DSA 903-2.\n\nThe unzip update in DSA 903 contained a regression so that symbolic\nlinks that are resolved later in a zip archive aren't supported\nanymore. This update corrects this behaviour. For completeness,\nbelow plese find the original advisory text:\n\nImran Ghory discovered a race condition in the permissions setting\ncode in unzip. 
When decompressing a file in a directory an\nattacker has access to, unzip could be tricked to set the file\npermissions to a different file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody5.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56143", "href": "http://plugins.openvas.org/nasl.php?oid=56143", "type": "openvas", "title": "Debian Security Advisory DSA 903-2 (unzip)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_903_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 903-2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 5.52-1sarge3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 5.52-6.\n\nWe recommend that you upgrade your unzip package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20903-2\";\ntag_summary = \"The remote host is missing an update to unzip\nannounced via advisory DSA 903-2.\n\nThe unzip update in DSA 903 contained a regression so that symbolic\nlinks that are resolved later in a zip archive aren't supported\nanymore. This update corrects this behaviour. For completeness,\nbelow plese find the original advisory text:\n\nImran Ghory discovered a race condition in the permissions setting\ncode in unzip. When decompressing a file in a directory an\nattacker has access to, unzip could be tricked to set the file\npermissions to a different file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody5.\";\n\n\nif(description)\n{\n script_id(56143);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:07:13 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n script_tag(name:\"cvss_base\", value:\"1.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n script_name(\"Debian Security Advisory DSA 903-2 (unzip)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"unzip\", ver:\"5.50-1woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"unzip\", ver:\"5.52-1sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-10-04T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:55306", "href": "http://plugins.openvas.org/nasl.php?oid=55306", "type": "openvas", "title": "FreeBSD Ports: unzip, zh-unzip, ko-unzip", "sourceData": "#\n#VID 9750cf22-216d-11da-bc01-000e0c2e438a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n unzip\n zh-unzip\n ko-unzip\n\nCVE-2005-2475\nRace condition in Unzip 5.52 allows local users to modify permissions\nof arbitrary files via a hard link attack on a file while it is being\ndecompressed, whose permissions are changed by Unzip after the\ndecompression is complete.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117\nhttp://www.vuxml.org/freebsd/9750cf22-216d-11da-bc01-000e0c2e438a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(55306);\n script_version(\"$Revision: 4203 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-04 07:30:30 +0200 (Tue, 04 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n script_tag(name:\"cvss_base\", value:\"1.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n 
script_name(\"FreeBSD Ports: unzip, zh-unzip, ko-unzip\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"unzip\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.52_2\")<0) {\n txt += 'Package unzip version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"zh-unzip\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.52_2\")<0) {\n txt += 'Package zh-unzip version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ko-unzip\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.52_2\")<0) {\n txt += 'Package ko-unzip version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 1.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-07T10:47:53", "description": "Imran Ghory reports a vulnerability within unzip. The vulnerability is\ncaused by a race condition between extracting an archive and changing\nthe permissions of the extracted files. This would give an attacker\nenough time to remove a file and hardlink it to another file owned by\nthe user running unzip. 
When unzip changes the permissions of the file\nit could give the attacker access to files that normally would not\nhave been accessible for others.", "edition": 25, "published": "2006-05-13T00:00:00", "title": "FreeBSD : unzip -- permission race vulnerability (9750cf22-216d-11da-bc01-000e0c2e438a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475"], "modified": "2006-05-13T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ko-unzip", "p-cpe:/a:freebsd:freebsd:unzip", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:zh-unzip"], "id": "FREEBSD_PKG_9750CF22216D11DABC01000E0C2E438A.NASL", "href": "https://www.tenable.com/plugins/nessus/21480", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21480);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n\n script_name(english:\"FreeBSD : unzip -- permission race vulnerability (9750cf22-216d-11da-bc01-000e0c2e438a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Imran Ghory reports a vulnerability within unzip. The vulnerability is\ncaused by a race condition between extracting an archive and changing\nthe permissions of the extracted files. This would give an attacker\nenough time to remove a file and hardlink it to another file owned by\nthe user running unzip. 
When unzip changes the permissions of the file\nit could give the attacker access to files that normally would not\nhave been accessible for others.\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=112300046224117\"\n );\n # https://vuxml.freebsd.org/freebsd/9750cf22-216d-11da-bc01-000e0c2e438a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39e76123\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ko-unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zh-unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"unzip<5.52_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zh-unzip<5.52_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-unzip<5.52_2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T10:03:40", "description": "The unzip update in DSA 903 contained a regression so that symbolic\nlinks that are resolved later in a zip archive aren't supported\nanymore. This update corrects this behaviour. For completeness,\nbelow please find the original advisory text :\n\n Imran Ghory discovered a race condition in the permissions setting\n code in unzip. 
When decompressing a file in a directory an attacker\n has access to, unzip could be tricked to set the file permissions to\n a different file the user has permissions to.", "edition": 26, "published": "2006-10-14T00:00:00", "title": "Debian DSA-903-2 : unzip - race condition", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:unzip"], "id": "DEBIAN_DSA-903.NASL", "href": "https://www.tenable.com/plugins/nessus/22769", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-903. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22769);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-2475\");\n script_bugtraq_id(14450);\n script_xref(name:\"DSA\", value:\"903\");\n\n script_name(english:\"Debian DSA-903-2 : unzip - race condition\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The unzip update in DSA 903 contained a regression so that symbolic\nlinks that are resolved later in a zip archive aren't supported\nanymore. This update corrects this behaviour. For completeness,\nbelow please find the original advisory text :\n\n Imran Ghory discovered a race condition in the permissions setting\n code in unzip. 
When decompressing a file in a directory an attacker\n has access to, unzip could be tricked to set the file permissions to\n a different file the user has permissions to.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321927\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-903\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the unzip package.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody5.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 5.52-1sarge3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", 
\"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"unzip\", reference:\"5.50-1woody5\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"unzip\", reference:\"5.52-1sarge3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:25:07", "description": "Updated unzip packages that fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. 
(CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.", "edition": 27, "published": "2013-06-29T00:00:00", "title": "CentOS 4 : unzip (CESA-2007:0203)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "modified": "2013-06-29T00:00:00", "cpe": ["cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:unzip"], "id": "CENTOS_RHSA-2007-0203.NASL", "href": "https://www.tenable.com/plugins/nessus/67039", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2007:0203 and \n# CentOS Errata and Security Advisory 2007:0203 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67039);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-2475\", \"CVE-2005-4667\");\n script_bugtraq_id(14450);\n script_xref(name:\"RHSA\", value:\"2007:0203\");\n\n script_name(english:\"CentOS 4 : unzip (CESA-2007:0203)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated unzip packages that fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. 
Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. (CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2007-May/013709.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?735512e5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"unzip-5.51-9.EL4.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"unzip\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:51:29", "description": "Unzip 5.51 and earlier does not properly warn the user when extracting\nsetuid or setgid files, which may allow local users to gain\nprivileges. 
(CVE-2005-0602)\n\nImran Ghory found a race condition in the handling of output files.\nWhile a file was unpacked by unzip, a local attacker with write\npermissions to the target directory could exploit this to change the\npermissions of arbitrary files of the unzip user. This affects\nversions of unzip 5.52 and lower (CVE-2005-2475)\n\nThe updated packages have been patched to address these issues.", "edition": 24, "published": "2005-11-02T00:00:00", "title": "Mandrake Linux Security Advisory : unzip (MDKSA-2005:197)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475", "CVE-2005-0602"], "modified": "2005-11-02T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:10.1", "p-cpe:/a:mandriva:linux:unzip", "cpe:/o:mandriva:linux:2006", "x-cpe:/o:mandrakesoft:mandrake_linux:le2005"], "id": "MANDRAKE_MDKSA-2005-197.NASL", "href": "https://www.tenable.com/plugins/nessus/20125", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2005:197. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20125);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-0602\", \"CVE-2005-2475\");\n script_xref(name:\"MDKSA\", value:\"2005:197\");\n\n script_name(english:\"Mandrake Linux Security Advisory : unzip (MDKSA-2005:197)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unzip 5.51 and earlier does not properly warn the user when extracting\nsetuid or setgid files, which may allow local users to gain\nprivileges. (CVE-2005-0602)\n\nImran Ghory found a race condition in the handling of output files.\nWhile a file was unpacked by unzip, a local attacker with write\npermissions to the target directory could exploit this to change the\npermissions of arbitrary files of the unzip user. 
This affects\nversions of unzip 5.52 and lower (CVE-2005-2475)\n\nThe updated packages have been patched to address these issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.1\", reference:\"unzip-5.51-1.2.101mdk\", yank:\"mdk\")) flag++;\n\nif 
(rpm_check(release:\"MDK10.2\", reference:\"unzip-5.51-1.2.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", reference:\"unzip-5.52-1.2.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:43:58", "description": "From Red Hat Security Advisory 2007:0203 :\n\nUpdated unzip packages that fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. 
(CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.", "edition": 25, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 : unzip (ELSA-2007-0203)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:unzip", "cpe:/o:oracle:linux:4"], "id": "ORACLELINUX_ELSA-2007-0203.NASL", "href": "https://www.tenable.com/plugins/nessus/67473", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2007:0203 and \n# Oracle Linux Security Advisory ELSA-2007-0203 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67473);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2005-2475\", \"CVE-2005-4667\");\n script_bugtraq_id(14450);\n script_xref(name:\"RHSA\", value:\"2007:0203\");\n\n script_name(english:\"Oracle Linux 4 : unzip (ELSA-2007-0203)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2007:0203 :\n\nUpdated unzip packages that fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. 
Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. (CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2007-May/000142.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"unzip-5.51-9.EL4.5\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"unzip-5.51-9.EL4.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"unzip\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:05:48", "description": "Updated unzip packages that 
fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. (CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.", "edition": 28, "published": "2007-05-02T00:00:00", "title": "RHEL 4 : unzip (RHSA-2007:0203)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "modified": "2007-05-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:4", "p-cpe:/a:redhat:enterprise_linux:unzip"], "id": "REDHAT-RHSA-2007-0203.NASL", "href": "https://www.tenable.com/plugins/nessus/25135", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2007:0203. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(25135);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2005-2475\", \"CVE-2005-4667\");\n script_bugtraq_id(14450);\n script_xref(name:\"RHSA\", value:\"2007:0203\");\n\n script_name(english:\"RHEL 4 : unzip (RHSA-2007:0203)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated unzip packages that fix two security issues and various bugs\nare now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nThe unzip utility is used to list, test, or extract files from a zip\narchive.\n\nA race condition was found in Unzip. Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. 
(CVE-2005-4667)\n\nAs well, this update adds support for files larger than 2GB.\n\nAll users of unzip should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-2475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-4667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2007:0203\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2007:0203\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"unzip-5.51-9.EL4.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"unzip\");\n }\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:43:42", "description": "A race condition was found in Unzip. Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. (CVE-2005-4667)", "edition": 25, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : unzip on SL4.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20070501_UNZIP_ON_SL4_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60171", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60171);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2005-2475\", \"CVE-2005-4667\");\n\n script_name(english:\"Scientific Linux Security Update : unzip on SL4.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Scientific Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition was found in Unzip. 
Local users could use this flaw\nto modify permissions of arbitrary files via a hard link attack on a\nfile while it was being decompressed (CVE-2005-2475)\n\nA buffer overflow was found in Unzip command line argument handling.\nIf a user could be tricked into running Unzip with a specially crafted\nlong file name, an attacker could execute arbitrary code with that\nuser's privileges. (CVE-2005-4667)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0705&L=scientific-linux-errata&T=0&P=1218\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3b4cf63c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected unzip package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL4\", reference:\"unzip-5.51-9.EL4.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:52", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475"], "description": "\nImran Ghory reports a vulnerability within unzip. The\n\t vulnerability is caused by a race condition between\n\t extracting an archive and changing the permissions of the\n\t extracted files. This would give an attacker enough time to\n\t remove a file and hardlink it to another file owned by the\n\t user running unzip. 
When unzip changes the permissions of\n\t the file it could give the attacker access to files that\n\t normally would not have been accessible for others.\n", "edition": 4, "modified": "2005-08-02T00:00:00", "published": "2005-08-02T00:00:00", "id": "9750CF22-216D-11DA-BC01-000E0C2E438A", "href": "https://vuxml.freebsd.org/freebsd/9750cf22-216d-11da-bc01-000e0c2e438a.html", "title": "unzip -- permission race vulnerability", "type": "freebsd", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-05-30T02:22:01", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 903-2 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJanuary 12th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : unzip\nVulnerability : race condition\nProblem type : local\nDebian-specific: no\nCVE ID : CAN-2005-2475\nBugTraq ID : 14450\nDebian Bugs : 321927 343680\n\nThe unzip update in DSA 903 contained a regression so that symbolic\nlinks that are resolved later in a zip archive aren't supported\nanymore. This update corrects this behaviour. For completeness,\nbelow please find the original advisory text:\n\n Imran Ghory discovered a race condition in the permissions setting\n code in unzip.
When decompressing a file in a directory an\n attacker has access to, unzip could be tricked to set the file\n permissions to a different file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody5.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 5.52-1sarge3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 5.52-6.\n\nWe recommend that you upgrade your unzip package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5.dsc\n Size/MD5 checksum: 571 75e2923b74af607785cbefbbea79d1ab\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5.diff.gz\n Size/MD5 checksum: 6484 73efae47dcd377abb934e36805c16190\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50.orig.tar.gz\n Size/MD5 checksum: 1068379 6d27bcdf9b51d0ad0f78161d0f99582e\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_alpha.deb\n Size/MD5 checksum: 160482 94b0a5e18d78866d92f375d6b93a22c3\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_arm.deb\n Size/MD5 checksum: 139374 bd8cc4c654c901b5c320b2cdbf09f31b\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_i386.deb\n Size/MD5 checksum: 122808 1d5669290431fb7fe83f688447b22d84\n\n Intel IA-64 
architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_ia64.deb\n Size/MD5 checksum: 191010 1cd02c151f46b5f7872a7de3079ebc2a\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_hppa.deb\n Size/MD5 checksum: 146954 ee23ad6e2c40d38e4655be1f2666489d\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_m68k.deb\n Size/MD5 checksum: 119578 7765363163750bed7e72472bee09afc4\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_mips.deb\n Size/MD5 checksum: 142950 97af77c03fb69936407c86394fb846a5\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_mipsel.deb\n Size/MD5 checksum: 143422 98a0ab0fd751c246ebd50e5c62886217\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_powerpc.deb\n Size/MD5 checksum: 136368 b2bea065ae91032fe987aaf120e08ad9\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_s390.deb\n Size/MD5 checksum: 137044 151da2fddaaca890dbf5166140f23881\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_sparc.deb\n Size/MD5 checksum: 147498 022e8ca1cecf20178edd68296fd973aa\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3.dsc\n Size/MD5 checksum: 528 b6e01dbb89f9130fa16650b16f4d4e32\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3.diff.gz\n Size/MD5 checksum: 5387 807b5d9e8efa85e8caab673eff38aff7\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52.orig.tar.gz\n Size/MD5 checksum: 1140291 9d23919999d6eac9217d1f41472034a9\n\n Alpha architecture:\n\n 
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_alpha.deb\n Size/MD5 checksum: 175506 90375091fd0c2577518bfd7db2202272\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_amd64.deb\n Size/MD5 checksum: 154876 7129ee6610e6ec0320141bb7aaa5288e\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_arm.deb\n Size/MD5 checksum: 155430 3fb2c5576d1709c6d7cc1b89d61a50b8\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_i386.deb\n Size/MD5 checksum: 144934 0e860597ffe259038f7bb8e1ce2630df\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_ia64.deb\n Size/MD5 checksum: 206648 d261bf8a2e3c8fce3d0898355a7420db\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_hppa.deb\n Size/MD5 checksum: 162840 91d7d512b915757bf7c7e3e8640efa0c\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_m68k.deb\n Size/MD5 checksum: 133734 878d1597bd5ef623a6bc70f6446654a4\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_mips.deb\n Size/MD5 checksum: 163396 5cbe0e22136949f240031502ea07d456\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_mipsel.deb\n Size/MD5 checksum: 163966 4066fa1e97bad61c47be9b6ffa47179f\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_powerpc.deb\n Size/MD5 checksum: 157388 25c3d9d685ec411e5b53cc0e8002ca8e\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_s390.deb\n Size/MD5 checksum: 156494 bfeb0b1d801266334e6a46f0818a9e6f\n\n Sun Sparc architecture:\n\n 
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_sparc.deb\n Size/MD5 checksum: 154952 e1e42335312202d8b3f0727e9d78fda9\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-01-12T00:00:00", "published": "2006-01-12T00:00:00", "id": "DEBIAN:DSA-903-2:432E3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00009.html", "title": "[SECURITY] [DSA 903-2] New unzip packages fix unauthorised permissions modification", "type": "debian", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-12T00:51:28", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 903-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nNovember 21st, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : unzip\nVulnerability : race condition\nProblem type : local\nDebian-specific: no\nCVE ID : CAN-2005-2475\nBugTraq ID : 14450\nDebian Bug : 321927\n\nImran Ghory discovered a race condition in the permissions setting\ncode in unzip. 
When decompressing a file in a directory an attacker\nhas access to, unzip could be tricked to set the file permissions to a\ndifferent file the user has permissions to.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 5.50-1woody4.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 5.52-1sarge2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 5.52-4.\n\nWe recommend that you upgrade your unzip package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4.dsc\n Size/MD5 checksum: 571 684b8e8a520bfb6fa00ed477e1df9f0e\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4.diff.gz\n Size/MD5 checksum: 6099 44a7e7bb15dd3ab02a7e001cdaa0ca79\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50.orig.tar.gz\n Size/MD5 checksum: 1068379 6d27bcdf9b51d0ad0f78161d0f99582e\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_alpha.deb\n Size/MD5 checksum: 160404 4031c211175ee7c728f8cc42334ae816\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_arm.deb\n Size/MD5 checksum: 139336 7ebcf2fc5f4cc97000954c05bd80966b\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_i386.deb\n Size/MD5 checksum: 122764 2369eed1365bb4f6aadd09ac75c9693b\n\n Intel IA-64 
architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_ia64.deb\n Size/MD5 checksum: 190982 a0e88f9c1279d3b2c7941690e439ff65\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_hppa.deb\n Size/MD5 checksum: 146928 7cfae9b95228d90ca3a1d83bda79655b\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_m68k.deb\n Size/MD5 checksum: 119542 f3b8481fb06596dc6fc84aeefd7e5bbf\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_mips.deb\n Size/MD5 checksum: 142948 dc037b7fa6f703ca7a1b140d2c19911e\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_mipsel.deb\n Size/MD5 checksum: 143390 3630211263e9245e1773913a2474a9ff\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_powerpc.deb\n Size/MD5 checksum: 136326 0aa9b78a55e11796693b906f0900ac64\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_s390.deb\n Size/MD5 checksum: 137018 cfd3ef68d1c6d2ecde54c1a67a6c3adc\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody4_sparc.deb\n Size/MD5 checksum: 147472 3f90c2488e0bf3aa6b3f0ec8acd815d9\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2.dsc\n Size/MD5 checksum: 528 84e70559fc6ca7a2a9331f31f462b548\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2.diff.gz\n Size/MD5 checksum: 4970 69b3a1be17c376bf4419201f4d1ec8a5\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52.orig.tar.gz\n Size/MD5 checksum: 1140291 9d23919999d6eac9217d1f41472034a9\n\n Alpha architecture:\n\n 
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_alpha.deb\n Size/MD5 checksum: 175420 841029027991b860df6215c994b7c3b6\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_amd64.deb\n Size/MD5 checksum: 154804 c3a1cf3a9e5f63af998df54898e4d88f\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_arm.deb\n Size/MD5 checksum: 155356 7d0ea21c83b7c01c74c3822abd5f022c\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_i386.deb\n Size/MD5 checksum: 144864 320a080d0cfbf93a47e75469d95f84e9\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_ia64.deb\n Size/MD5 checksum: 206580 ba92d4f8810bc7a44ab7c8957f23222a\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_hppa.deb\n Size/MD5 checksum: 162756 fd86bf652a165e4f8d390faae9568514\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_m68k.deb\n Size/MD5 checksum: 133674 da733ceba3d7467b46a5ec4ba92d4acc\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_mips.deb\n Size/MD5 checksum: 163318 773c63ffc83a536d8809757d5a8a8b4a\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_mipsel.deb\n Size/MD5 checksum: 163892 18f2898f965b04c40d72d92c91243dfd\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_powerpc.deb\n Size/MD5 checksum: 157286 822fb6f064c6a298659f4966034a76fb\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_s390.deb\n Size/MD5 checksum: 156410 7bb65d46d779040eeaddab1ff916c039\n\n Sun Sparc architecture:\n\n 
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge2_sparc.deb\n Size/MD5 checksum: 154876 763b24730efd2ac6a334f8d1af1706be\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 6, "modified": "2005-11-21T00:00:00", "published": "2005-11-21T00:00:00", "id": "DEBIAN:DSA-903-1:72F3A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00303.html", "title": "[SECURITY] [DSA 903-1] New unzip packages fix unauthorised permissions modification", "type": "debian", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "centos": [{"lastseen": "2019-12-20T18:26:55", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "description": "**CentOS Errata and Security Advisory** CESA-2007:0203\n\n\nThe unzip utility is used to list, test, or extract files from a zip archive.\r\n\r\nA race condition was found in Unzip. Local users could use this flaw to\r\nmodify permissions of arbitrary files via a hard link attack on a file\r\nwhile it was being decompressed (CVE-2005-2475)\r\n\r\nA buffer overflow was found in Unzip command line argument handling.\r\nIf a user could be tricked into running Unzip with a specially crafted long\r\nfile name, an attacker could execute arbitrary code with that user's\r\nprivileges. 
(CVE-2005-4667)\r\n\r\nAs well, this update adds support for files larger than 2GB.\r\n\r\nAll users of unzip should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-May/025747.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-May/025767.html\n\n**Affected packages:**\nunzip\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2007-0203.html", "edition": 4, "modified": "2007-05-04T22:48:06", "published": "2007-05-02T08:59:05", "href": "http://lists.centos.org/pipermail/centos-announce/2007-May/025747.html", "id": "CESA-2007:0203", "title": "unzip security update", "type": "centos", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:57", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "description": " [5.51-9.EL4.5]\n - Resolves: #230558 \n problem in patch4 (unzipped file permissions)\n \n [ 5.51-8.EL4.5]\n - fix problem with ~4GB files which are not compressed\n \n [5.51-7.EL4.5]\n - fix 164927 - TOCTOU issue in unzip\n - fix 178960 - unzip long filename buffer overflow\n - fix 199104 - add large file support\n (return Lon's ~4GB patch - fixed symlink problem) ", "edition": 4, "modified": "2007-05-17T00:00:00", "published": "2007-05-17T00:00:00", "id": "ELSA-2007-0203", "href": "http://linux.oracle.com/errata/ELSA-2007-0203.html", "title": "Low unzip security and bug fix update ", "type": "oraclelinux", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:50", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2475", "CVE-2005-4667"], "description": "The unzip utility is used to list, test, or extract files from a zip archive.\r\n\r\nA race condition was found in Unzip. 
Local users could use this flaw to\r\nmodify permissions of arbitrary files via a hard link attack on a file\r\nwhile it was being decompressed (CVE-2005-2475)\r\n\r\nA buffer overflow was found in Unzip command line argument handling.\r\nIf a user could be tricked into running Unzip with a specially crafted long\r\nfile name, an attacker could execute arbitrary code with that user's\r\nprivileges. (CVE-2005-4667)\r\n\r\nAs well, this update adds support for files larger than 2GB.\r\n\r\nAll users of unzip should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.", "modified": "2017-09-08T11:51:54", "published": "2007-05-01T04:00:00", "id": "RHSA-2007:0203", "href": "https://access.redhat.com/errata/RHSA-2007:0203", "type": "redhat", "title": "(RHSA-2007:0203) Low: unzip security and bug fix update", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}]}