rPath Security Advisory: 2006-0170-1
Published: 2006-09-19
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    gzip=/conary.rpath.com@rpl:devel//1/1.3.5-4-0.1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
    https://issues.rpath.com/browse/RPL-615

Description:
    Previous versions of the gzip package contain multiple vulnerabilities
    that enable user-complicit unauthorized access when a user attempts to
    gunzip intentionally malformed gzip files. Some network services will
    automatically run the gunzip program in some contexts, which may then
    enable direct unauthorized access to the user account that provides
    the network service.