A directory traversal bug exists in multiple versions of gzip. When compressing a file, gzip saves its original name but not its path inside the compressed file. When using gunzip's "-N" option, the original name found inside the compressed file will be used as the name to save the decompressed file with. "gunzip -N" doesn't check if the original name inside the compressed file has any "/" characters in it. This makes it possible to create a malicious compressed file that when decompressed with "gunzip -N" will create a file at an arbitrary location in the file system. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
This issue should also affect RHEL2.1 and RHEL3
The new versions (gzip-1.3.3-11.rhel3, gzip-1.3.3-15.rhel4, gzip-1.3-17.rhel2) released. Ivana Varekova
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-357.html