znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files.

References:
http://www.debian.org/security/2003/dsa-308
http://www.mandriva.com/security/advisories?name=MDKSA-2003:068
http://www.openpkg.org/security/OpenPKG-SA-2003.031-gzip.html
http://www.securityfocus.com/bid/7872
http://www.turbolinux.com/security/TLSA-2003-38.txt
Created gzip tracking bugs for this issue: Affects: fedora-all [bug 1850890]
This was fixed some 15+ years ago and does not affect current Red Hat Enterprise Linux or Fedora versions.
Created attachment 1698899: gzip-1.3.5-openbsd-owl-tmp.patch

The version of the patch as included in the Red Hat Enterprise Linux 5 version of gzip. A subset of it is also included in later gzip versions in Red Hat Enterprise Linux 6 and 7.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2003-0367
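The bug class named in this report, a shell script writing through a predictable temporary file name, shown with two hardened alternatives. This is an added example, not code from gzip, znew or the attached patch; all function and file names are constructed for illustration, and everything runs inside a private scratch directory.

```shell
#!/bin/sh
# Constructed demonstration; not taken from znew or the attached patch.

# Weak pattern: predictable name plus plain '>' redirection, which follows
# a symlink and truncates whatever file it points to.
write_tmp_unsafe() {
    echo "scratch data" > "$1"
}

# Hardened: noclobber (set -C) makes the redirection fail when the path
# already exists as a regular file (directly or through a symlink) or as a
# dangling symlink. The subshell keeps the option from leaking out.
write_tmp_noclobber() {
    ( set -C; echo "scratch data" > "$1" ) 2>/dev/null
}

# Hardened: mktemp creates a fresh file with an unpredictable name.
# $1 is the directory to create it in; the chosen path is printed.
write_tmp_mktemp() {
    t=$(mktemp "$1/demo.XXXXXX") || return 1
    echo "scratch data" > "$t"
    printf '%s\n' "$t"
}

# Runs the weak and the noclobber variant against a predictable path that
# is already a symlink, and reports what happened to the link target.
demo() {
    dir=$(mktemp -d) || return 1
    victim="$dir/victim.txt"     # stands in for a file owned by the script's user
    tmp="$dir/demo.12345"        # predictable name in the style of <name>.<pid>

    echo "important" > "$victim"
    ln -s "$victim" "$tmp"       # the path already exists as a symlink
    write_tmp_unsafe "$tmp"
    after_unsafe=$(cat "$victim")

    echo "important" > "$victim" # reset the target for the second run
    if write_tmp_noclobber "$tmp"; then verdict="written"; else verdict="refused"; fi
    after_safe=$(cat "$victim")

    rm -rf "$dir"
    echo "$after_unsafe|$verdict|$after_safe"
}

demo   # prints: scratch data|refused|important
```

The first field shows the link target overwritten by the weak pattern; the second and third show the noclobber write refused and the target left intact.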