gzip gzexe Insecure Temp File Creation

1998-01-28T08:14:37
ID OSVDB:3812
Type osvdb
Reporter Michal Zalewski (lcamtuf@boss.staszic.waw.pl)
Modified 1998-01-28T08:14:37

Description

Vulnerability Description

gzip contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when the gzexe script, which ships with gzip, creates temporary files insecurely. Successful exploitation may result in arbitrary file overwriting and a loss of integrity.

Solution Description

Currently, there are no known workarounds to correct this issue. However, SGI has released a patch to address this vulnerability.

References:

Vendor URL: http://www.gzip.org/
Secunia Advisory ID: 10750
Secunia Advisory ID: 11939
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_1/0140.html
ISS X-Force ID: 7241
CVE-1999-1332
Bugtraq ID: 7845