SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Gzip Vendors:   Sun
gzip on Sun Solaris May Let Local Users Access Files Processed By gzip
SecurityTracker Alert ID:  1011502
SecurityTracker URL:  http://securitytracker.com/id/1011502
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 2 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.3
Description:   A vulnerability was reported in the gzip(1) command on Sun Solaris. A local user may be able to access the files of other users that were processed using gzip.

Sun reported that when a target local user executes the command with the '-f' ('-force') command line option, permissions may be changed on hard linked files. As a result, another local user may be able to access files that are owned by the target user.

Solaris 8 is affected.

Solaris 7 and Solaris 9 are not affected.
Impact:   A local user may be able to view or edit files belonging to a target user if the files were processed by the target user with gzip (in a certain mode).
Solution:   Sun has issued the following fixes:

SPARC Platform

* Solaris 8 with patch 112668-02 or later

x86 Platform

* Solaris 8 with patch 112669-02 or later
Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-57600-1 (Links to External Site)
Cause:   Access control error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   None.

 Source Message Contents
Date:  Sat, 2 Oct 2004 02:27:39 -0400
Subject:  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57600-1



Sun reported a vulnerability in the gzip(1) command on Sun Solaris.  Versions prior to
1.3 are vulnerable.

When a target local user executes the command with the '-f' ('-force') command line 
option, permissions may be changed on hard linked files.  As a result, a local user may
be able to view files that are owned by the target user.

Solaris 8 is affected.

Solaris 7 and Solaris 9 are not affected.

Sun has issued the following fixes:

SPARC Platform

    * Solaris 8 with patch 112668-02 or later 

x86 Platform

    * Solaris 8 with patch 112669-02 or later 

-----


    * Sun Alert ID: 57600
    * Synopsis: The gzip(1) Command May Change the Permissions of Hard Linked Files on Solaris 8 Systems
    * Category: Security
    * Product: Solaris
    * BugIDs: 4793452
    * Avoidance: Workaround, Patch
    * State: Resolved
    * Date Released: 01-Oct-2004
    * Date Closed: 01-Oct-2004
    * Date Modified:


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC