1 files changed, 132 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-05:11.gzip.asc b/share/security/advisories/FreeBSD-SA-05:11.gzip.asc
new file mode 100644
index 0000000000..6fd27161b3
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-05:11.gzip.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-05:11.gzip                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          gzip directory traversal and permission race vulnerabilities
+
+Category:       contrib
+Module:         gzip
+Announced:      2005-06-09
+Credits:        Ulf Harnhammar, Imran Ghory
+Affects:        All FreeBSD releases
+Corrected:      2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
+                2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
+                2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
+                2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE)
+                2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10)
+                2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15)
+CVE Name:       CAN-2005-0988, CAN-2005-1228
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit
+<URL:http://www.freebsd.org/security/>.
+
+I.   Background
+
+gzip is a file compression utility.
+
+II.  Problem Description
+
+Two problems related to extraction of files exist in gzip:
+
+The first problem is that gzip does not properly sanitize filenames
+containing "/" when uncompressing files using the -N command line
+option.
+
+The second problem is that gzip does not set permissions on newly
+extracted files until after the file has been created and the file
+descriptor has been closed.
+
+III. Impact
+
+The first problem can allow an attacker to overwrite arbitrary local
+files when uncompressing a file using the -N command line option.
+
+The second problem can allow a local attacker to change the
+permissions of arbitrary local files, on the same partition as the one
+the user is uncompressing a file on, by removing the file the user is
+uncompressing and replacing it with a hardlink before the uncompress
+operation is finished.
+
+IV.  Workaround
+
+Do not use the -N command line option on untrusted files and do not
+uncompress files in directories where untrusted users have write
+access.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
+RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
+dated after the correction date.
+
+2) To patch your present system:
+
+The following patches have been verified to apply to FreeBSD 4.10,
+4.11, 5.3, and 5.4 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+# cd /usr/src/gnu/usr.bin/gzip
+# make obj && make depend && make && make install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch                                                           Revision
+  Path
+- -------------------------------------------------------------------------
+RELENG_4
+  src/gnu/usr.bin/gzip/gzip.c                                    1.10.2.1
+RELENG_4_11
+  src/UPDATING                                             1.73.2.91.2.11
+  src/sys/conf/newvers.sh                                  1.44.2.39.2.14
+  src/gnu/usr.bin/gzip/gzip.c                                   1.10.26.1
+RELENG_4_10
+  src/UPDATING                                             1.73.2.90.2.16
+  src/sys/conf/newvers.sh                                  1.44.2.34.2.17
+  src/gnu/usr.bin/gzip/gzip.c                                   1.10.24.1
+RELENG_5
+  src/gnu/usr.bin/gzip/gzip.c                                    1.11.2.1
+RELENG_5_4
+  src/UPDATING                                            1.342.2.24.2.11
+  src/sys/conf/newvers.sh                                   1.62.2.18.2.7
+  src/gnu/usr.bin/gzip/gzip.c                                    1.11.6.1
+RELENG_5_3
+  src/UPDATING                                            1.342.2.13.2.19
+  src/sys/conf/newvers.sh                                  1.62.2.15.2.21
+  src/gnu/usr.bin/gzip/gzip.c                                    1.11.4.1
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
+http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210
+http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477
+
+The latest revision of this advisory is available at
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:11.gzip.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.1 (FreeBSD)
+
+iD8DBQFCqBbGFdaIBMps37IRAttLAJ41WPmKXczZAZgrBGBP1GorSM7E1gCfc8w9
+KFbns+zs2umrId0mCg1SjVk=
+=6MzW
+-----END PGP SIGNATURE-----