Info

Disclosure

Jan 28, 1998

Discovery

Unknown

Dates

Exploit

Jan 28, 1998

Solution

Unknown

Description

gzip contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when the gzexe script creates temp files insecurely. It is possible that the flaw may allow arbitrary file overwriting resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Race Condition
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds to correct this issue. However, SGI has released a patch to address this vulnerability.

Products

GNU

gzip

1.3.2-3

References

Secunia Advisory ID: 10750 11939
CVE ID: 1999-1332 (see also: NVD)
ISS X-Force ID: 7241
Bugtraq ID: 7845
Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc http://article.gmane.org/gmane.linux.gentoo.announce/376
http://www.debian.org/security/2003/dsa-308
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_1/0140.html
Vendor URL: http://www.gzip.org/

Credit

Michal Zalewski - lcamtufboss.staszic.waw.pl -

Direct URL: http://osvdb.org/3812