Updated unzip and tar packages that fix vulnerabilities are now available

Updated unzip and tar packages are available for IBM iSeries and pSeries
systems. These packages resolve vulnerabilities allowing arbitrary files
to be overwritten during archive extraction.

The unzip and tar utilities are used for manipulating archives, which are
multiple files stored inside of a single file.

A directory traversal vulnerability in unzip version 5.42 and earlier, as
well as GNU tar 1.13.19 and earlier, allows attackers to overwrite
arbitrary files during archive extraction via a ".." (dot dot) in an
extracted filename. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2001-1267 and CAN-2001-1268 to
this issue.

In addition, unzip version 5.42 and earlier also allows attackers to
overwrite arbitrary files during archive extraction via filenames in the
archive that begin with the "/" (slash) character. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2001-1269 to this issue.

During testing of the fix to GNU tar, it was discovered that GNU tar
1.13.25 was still vulnerable to a modified version of the same problem. Red
Hat has provided a patch to tar 1.13.25 to correct this problem. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2002-0399 to this issue.

GNU tar 1.13.19 and other versions before 1.13.25 allow remote attackers
to overwrite arbitrary files via a symlink attack, as the result of a
modification that effectively disabled the security check. This issue
affects only Red Hat Linux 7.1 and 7.2. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2002-1216 to
this issue.

A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0282 to this issue.

This erratum also includes a patch ensuring that non-printable characters
do not make it possible for a malicious .zip file to write to parent
directories unless the "-:" command line parameter is specified.

Users of unzip and tar are advised to upgrade to these errata packages,
which contain patched versions of unzip and GNU tar that are not vulnerable
to these issues.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0282
http://online.securityfocus.com/archive/1/196445
http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175

characters, control, path, tar, unpack, unzip