zoo archiver overflow

ID SSA-2006-142-02
Type slackware
Reporter Slackware Linux Project
Modified 2006-05-22T15:14:45


New bin packages are available for Slackware 10.2 and -current to fix a security issue with the zoo archive program. A non-security- related upgrade to the newest version of "eject" was also done.

Here are the details from the Slackware 10.2 ChangeLog:

patches/packages/bin-10.2-i486-2_10.2.tgz: Upgraded to eject-2.1.4 to fix problems with 2.6 kernels (bugfix). Patched a security problem in zoo's fullpath() function that was reported by Jean-Sebastien Guay-Leroux. At first this didn't seem like much as zoo is old and hardly used, but there are virus scanning programs that scan zoo archives. It is a possible problem on any system running zoo like this in an automated way, and (of course) could also cause problems if a user were to open a malicious zoo archive manually. (though I'd be pretty suspicious if someone were to mail me anything using "zoo" in 2006...) ( Security fix )

Where to find the new packages:

Updated package for Slackware 10.2: ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bin-10.2-i486-2_10.2.tgz

Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bin-11.0-i486-1.tgz

MD5 signatures:

Slackware 10.2 package: 0847080265c36315c106cdeaaa8be326 bin-10.2-i486-2_10.2.tgz

Slackware -current package: 615f7396cdf0762c92ba8d866d5625cf bin-11.0-i486-1.tgz

Installation instructions:

Upgrade the package as root: > upgradepkg bin-10.2-i486-2_10.2.tgz