ID CVE-2005-1228
Summary Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
References
Vulnerable Configurations
  • GNU Gzip 1.2.4
    cpe:2.3:a:gnu:gzip:1.2.4
  • GNU Gzip 1.3.3
    cpe:2.3:a:gnu:gzip:1.3.3
CVSS
Base: 5.0 (as of 11-05-2005 - 10:11)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality NONE
  Integrity PARTIAL
  Availability NONE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200505-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200505-05 (gzip: Multiple vulnerabilities) The gzip and gunzip programs are vulnerable to a race condition when setting file permissions (CAN-2005-0988), as well as improper handling of filename restoration (CAN-2005-1228). The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758). Impact : These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an arbitrary location in the filesystem. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 18231
    published 2005-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18231
    title GLSA-200505-05 : gzip: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-262-01.NASL
    description New gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix possible security issues.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 22421
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22421
    title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2006-004.NASL
    description The remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications : AFP Server Bluetooth Bom DHCP dyld fetchmail gnuzip ImageIO LaunchServices OpenSSH telnet WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 22125
    published 2006-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22125
    title Mac OS X Multiple Vulnerabilities (Security Update 2006-004)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-357.NASL
    description An updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18469
    published 2005-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18469
    title RHEL 2.1 / 3 / 4 : gzip (RHSA-2005:357)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_63BD4BADDFFE11D9B8750001020EED82.NASL
    description Problem Description Two problems related to extraction of files exist in gzip : The first problem is that gzip does not properly sanitize filenames containing '/' when uncompressing files using the -N command line option. The second problem is that gzip does not set permissions on newly extracted files until after the file has been created and the file descriptor has been closed. Impact The first problem can allow an attacker to overwrite arbitrary local files when uncompressing a file using the -N command line option. The second problem can allow a local attacker to change the permissions of arbitrary local files, on the same partition as the one the user is uncompressing a file on, by removing the file the user is uncompressing and replacing it with a hardlink before the uncompress operation is finished. Workaround Do not use the -N command line option on untrusted files and do not uncompress files in directories where untrusted users have write access.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 18960
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18960
    title FreeBSD : gzip -- directory traversal and permission race vulnerabilities (63bd4bad-dffe-11d9-b875-0001020eed82)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-752.NASL
    description Two problems have been discovered in gzip, the GNU compression utility. The Common Vulnerabilities and Exposures project identifies the following problems. - CAN-2005-0988 Imran Ghory discovered a race condition in the permissions setting code in gzip. When decompressing a file in a directory an attacker has access to, gunzip could be tricked to set the file permissions to a different file the user has permissions to. - CAN-2005-1228 Ulf Harnhammar discovered a path traversal vulnerability in gunzip. When gunzip is used with the -N option an attacker could use this vulnerability to create files in an arbitrary directory with the permissions of the user.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18673
    published 2005-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18673
    title Debian DSA-752-1 : gzip - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-092.NASL
    description Several vulnerabilities have been discovered in the gzip package : Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. (CVE-2005-0758) A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip file allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. (CVE-2005-0988) A directory traversal vulnerability via 'gunzip -N' in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. (CVE-2005-1228) Updated packages are patched to address these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18308
    published 2005-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18308
    title Mandrake Linux Security Advisory : gzip (MDKSA-2005:092)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-357.NASL
    description An updated gzip package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21810
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21810
    title CentOS 3 / 4 : gzip (CESA-2005:357)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-116-1.NASL
    description Imran Ghory discovered a race condition in the file permission restore code of gzip and gunzip. While a user was compressing or decompressing a file, a local attacker with write permissions in the directory of that file could replace the target file with a hard link. This would cause gzip to restore the file permissions to the hard link target instead of to the gzip output file, which could be exploited to gain read or even write access to files of other users. (CAN-2005-0988) Ulf Harnhammar found a path traversal vulnerability when gunzip was used with the -N option. An attacker could exploit this to create files in an arbitrary directory with the permissions of a user if he tricked this user to decompress a specially crafted gzip file using the -N option (which can also happen in systems that automatically process uploaded gzip files). (CAN-2005-1228). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20504
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20504
    title Ubuntu 4.10 / 5.04 : gzip vulnerabilities (USN-116-1)
oval via4
  • accepted 2013-04-29T04:11:10.109-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
    family unix
    id oval:org.mitre.oval:def:11057
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
    version 23
  • accepted 2009-08-03T04:00:02.600-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Nabil Ouchn
      organization Security-Database
    • name Pai Peng
      organization Hewlett-Packard
    description Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
    family unix
    id oval:org.mitre.oval:def:170
    status accepted
    submitted 2006-09-22T05:52:00.000-04:00
    title Sun Solaris Gzip Race condition and Directory Traversal Issues
    version 33
  • accepted 2005-08-18T07:37:00.000-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    description Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
    family unix
    id oval:org.mitre.oval:def:382
    status accepted
    submitted 2005-06-20T12:00:00.000-04:00
    title gzip Directory Traversal Vulnerability
    version 4
redhat via4
advisories
rhsa
id RHSA-2005:357
refmap via4
apple APPLE-SA-2006-08-01
bid 19289
bugtraq 20050420 gzip directory traversal vulnerability
cert TA06-214A
confirm http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
debian DSA-752
osvdb 15721
sco SCOSA-2005.58
secunia
  • 15047
  • 18100
  • 21253
  • 22033
slackware SSA:2006-262
sunalert 101816
vupen ADV-2006-3101
xf gzip-n-directory-traversal(20199)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 17-10-2016 - 23:18
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:30