If a ZIP archive contains binaries with the setuid and/or setgid bit set, unzip preserved those bits when extracting the archive. This could be exploited by tricking the administrator into unzipping an archive with a setuid-root binary into a directory the attacker can access. This allowed the attacker to execute arbitrary commands with root privileges.
The updated version does not preserve setuid, setgid, and sticky bits any more by default. The old behaviour can be explicitly requested now by supplying the option ‘-K’.
1 August 2005
A security issue affects these releases of Ubuntu and its derivatives:
If a ZIP archive contains binaries with the setuid and/or setgid bit set, unzip preserved those bits when extracting the archive. This could be exploited by tricking the administrator into unzipping an archive with a setuid-root binary into a directory the attacker can access. This allowed the attacker to execute arbitrary commands with root privileges.
The updated version does not preserve setuid, setgid, and sticky bits any more by default. The old behaviour can be explicitly requested now by supplying the option ‘-K’.
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
Vulmon