=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN471
_____________________________________________________________________

DATE                      : 30/11/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris running unzip.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 103150
      * Synopsis: A Security Vulnerability in unzip(1L) May Set Unintended
        Permissions on Extracted Files
      * Category: Security
      * Product: Solaris 9 Operating System, Solaris 10 Operating System,
        Solaris 8 Operating System
      * BugIDs: 6344676
      * Avoidance: Patch, Workaround
      * State: Workaround
      * Date Released: 14-Nov-2007
      * Date Closed:
      * Date Modified: 28-Nov-2007

1. Impact

    A security vulnerability in the unzip(1L) command may set unintended
    permissions on extracted files. This may allow a local unprivileged
    user to execute arbitrary code with the privileges of another user who
    runs the unzip command to extract files from a specially crafted unzip
    archive.

    This issue is also referenced in the following document:

    CVE-2005-0602 at
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0602

2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform
      * Solaris 8
      * Solaris 9 without patch 112951-14
      * Solaris 10

    x86 Platform
      * Solaris 8
      * Solaris 9
      * Solaris 10

    Note: This issue affects versions of the unzip(1L) command prior to
    5.52. The following command can be used to determine the version of
    unzip that is installed on a system:
     $ unzip -v
     UnZip 5.32 of 3 November 1997, by Info-ZIP.  Maintained by Greg Roelofs.
     Send bug reports to the authors at Zip-Bugs@lists.wku.edu; see README
     for details.
     [...]

3. Symptoms

    This issue is exploited by creating archives which contain executable
    files with a set-id bit set (see chmod(2)). As a result, files that
    are extracted from an archive that has been specially crafted to
    exploit this issue will have this bit set when extracted on
    filesystems which allow this. The ls(1) command can be used to display
    the permissions of a newly extracted file, as in the following example:
     $ ls -l test
     -r-sr-xr-x   1 testu staff      10280 Nov  9 17:56 test

    The 's' in the user permissions section of the above output indicates
    this file has the "set-user-id" bit set.
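
    Added example (not part of the Sun Alert or the CERT-Renater note): a
    Python check that reads only the central directory of a zip archive and
    lists the entries whose stored Unix mode carries a set-user-id or
    set-group-id bit, so they can be identified before anything is
    extracted. The function names and the in-memory sample archive are
    constructed for illustration.

```python
import io
import stat
import zipfile

UNIX_HOST = 3  # "version made by" host code for Unix in the ZIP format


def find_setid_entries(archive):
    """Return (name, mode string, flags) for each entry stored with set-id bits.

    `archive` is a path or a file-like object. Nothing is extracted; only the
    central directory is read.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.create_system != UNIX_HOST:
                continue  # upper 16 bits are only Unix modes for Unix-made entries
            mode = info.external_attr >> 16
            flags = []
            if mode & stat.S_ISUID:
                flags.append("setuid")
            if mode & stat.S_ISGID:
                flags.append("setgid")
            if flags:
                findings.append((info.filename, stat.filemode(mode), flags))
    return findings


def build_sample_archive():
    """Constructed sample: one set-user-id entry and one ordinary entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        suid = zipfile.ZipInfo("test")
        suid.create_system = UNIX_HOST
        suid.external_attr = (stat.S_IFREG | 0o4555) << 16  # -r-sr-xr-x
        zf.writestr(suid, b"constructed placeholder content\n")
        plain = zipfile.ZipInfo("README")
        plain.create_system = UNIX_HOST
        plain.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(plain, b"constructed placeholder content\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode, flags in find_setid_entries(build_sample_archive()):
        print(f"{mode}  {name}  ({', '.join(flags)})")
```

    An empty result means no entry in the archive requests a set-id bit;
    any listed entry should be reviewed before the archive is extracted
    with an unpatched unzip.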

4. Relief/Workaround

    It is recommended that archives from untrusted sources not be
    extracted using the unzip(1L) command until patches can be applied.
    The unzip(1L) command can be disabled entirely by removing executable
    permissions from the file, for example by using the chmod(1) command
    as follows (as the user "root"):
     # chmod a-x /usr/bin/unzip

    A preliminary T-Patch is available for the following release from
    http://sunsolve.sun.com/tpatches:

    x86 Platform
      * Solaris 9 T-patch T114194-11

    This document refers to one or more preliminary temporary patches
    (T-Patches) which are designed to address the concerns identified
    herein. Sun has limited experience with these patches due to their
    preliminary nature. As such, you should only install the patches on
    systems meeting the configurations described above. Sun may release
    full patches at a later date, however, Sun is under no obligation
    whatsoever to create, release, or distribute any such patch.

5. Resolution

    This issue is addressed in the following release:

    SPARC Platform
      * Solaris 9 with patch 112951-14 or later

    A final resolution is pending completion.

Change History

    28-Nov-2007:
      * Updated Contributing Factors and Resolution sections

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================







