According to the announcement on oss-security [1]: InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing password protected ZIP archives. An attacker can exploit this vulnerability to overwrite heap chunks to get arbitrary code execution on the target system. (The other vulnerabilities announced therein seem to not affect versions present in the gentoo tree.) [1] http://openwall.com/lists/oss-security/2018/02/08/1
@maintainter(s), I've emailed upstream with the following: ------------------------------------------------------------- "Hi, from http://openwall.com/lists/oss-security/2018/02/08/1 , it is suggested that a vulnerability exist in UnZip 6.0 described in link as: Heap-based buffer overflow in password protected ZIP archives with a reserved CVE -- (CVE-2018-1000035). Without causing too much noise to your mail server I have to unfortunate duty to verify if: 1) This vulnerability/bug is known to you. 2) Verify if the CVE is also known to you. 3) It is possible for you to publish a response on your site. Please review the link and details with consideration that this vulnerability is publicly disclosed with no affirmative upstream acknowledgment." ------------------------------------------------------------- because it is unclear if the CVE and Vulnerability are in fact known to them. Nothing much else to do here until a response. @Ian Zimmerman, thanks.
Update: Upstream reply: --begin-reply-- > > 1) This vulnerability/bug is known to you. Yes. > 2) Verify if the CVE is also known to you. It is now. > 3) It is possible for you to publish a response on your site. I'm not sure how we would do that. > Please review the link and details with consideration that this is > made publicly disclosed with no affirmative upstream acknowledgment. I believe that we got all those fixed in 6.10c23 based on complaints directly from R. Freingruber (before the CVEs were defined?), except for the LZMA-related problems (which may be handled by disabling the LZMA feature until a better LZMA library is obtained). http://antinode.info/ftp/info-zip/unzip610c23.zip There should also be a modified fileio.c for UnZip 6.0: http://antinode.info/ftp/info-zip/unzip60/fileio.c If more needs to be done, then please let us know. --end-reply-- So, now we have bug 647444, with fixed (CVE-2018-1000035) in 6.10c23. or (6.0_p23, not yet in tree).
patch is in _p22 from Debian upstream. 20-cve-2018-1000035-unzip-buffer-overflow.patch
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf679e99554488d9d20c3cecaf4063733f70e6f commit fbf679e99554488d9d20c3cecaf4063733f70e6f Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2019-08-10 15:46:38 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-08-10 17:07:29 +0000 app-arch/unzip: bump to Debian patchset 25 Bug: https://bugs.gentoo.org/647008 Bug: https://bugs.gentoo.org/691566 Signed-off-by: Aaron Bauman <bman@gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/12670 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> app-arch/unzip/Manifest | 1 + app-arch/unzip/unzip-6.0_p25.ebuild | 86 +++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-58 at https://security.gentoo.org/glsa/202003-58 by GLSA coordinator Thomas Deutschmann (whissi).
