Description
bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.
Products
- Bzip Bzip2 0.9.0
- Bzip Bzip2 0.9.0a
- Bzip Bzip2 0.9.0b
- Bzip Bzip2 0.9.0c
- Bzip Bzip2 0.9.5a
- Bzip Bzip2 0.9.5b
- Bzip Bzip2 0.9.5c
- Bzip bzip2 0.9.5d
- bzip bzip2 1.0.1
- Bzip2 1.0
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2002-0759, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2002-0759 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References