Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes unzip -t:

$ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
foo/:  mismatching "local" filename (���/UT),
         continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x00000000015d0170 ***

I'm not sure if inclusion of said zip file was intentional, but since the cat is already out of the bag, I thought I'd let you know.

[0] https://code.google.com/p/american-fuzzy-lop/
[1] http://lcamtuf.coredump.cx/afl.tgz

The unofficial patch: http://skylink.dl.sourceforge.net/project/mancha/sec/unzip-6.0_overflow.diff

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
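The unzip -t output above is the "local"/"central" filename disagreement that Info-ZIP reports before it continues with the central name. The following is an added Python example, not code from this bug report or from Info-ZIP, that performs that consistency check on its own: it walks the central directory, reads each entry's local header independently, bounds-checks every length and offset, and reports entries whose two names differ, so an archive can be rejected before anything is extracted. The sample archive is constructed in memory with the standard zipfile module and one local filename is overwritten to reproduce the mismatch; it is not the afl sample file.

```python
import io
import struct
import zipfile

# Zip record signatures (PKZIP application note).
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
LOCAL_SIG = b"PK\x03\x04"    # local file header


def central_entries(data):
    """Yield (name, local_header_offset) for each central directory record.

    Every length and offset is checked against the buffer, so a truncated or
    inconsistent archive raises ValueError instead of being indexed blindly.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no usable end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_on_disk(2) total(2) cd_size(4) cd_offset(4)
    total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    if cd_offset + cd_size > eocd:
        raise ValueError("central directory runs past its end record")
    pos = cd_offset
    for _ in range(total):
        if pos + 46 > eocd or data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central header at 0x%x" % pos)
        # Central header: name_len/extra_len/comment_len at +28, local offset at +42.
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        end = pos + 46 + name_len + extra_len + comment_len
        if end > eocd:
            raise ValueError("central header at 0x%x overruns the directory" % pos)
        yield data[pos + 46:pos + 46 + name_len], local_off
        pos = end


def local_name(data, offset):
    """Return the filename stored in the local file header at *offset*."""
    if offset + 30 > len(data) or data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local header at 0x%x" % offset)
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    if offset + 30 + name_len > len(data):
        raise ValueError("local filename at 0x%x overruns the archive" % offset)
    return data[offset + 30:offset + 30 + name_len]


def find_mismatches(data):
    """Return [(central_name, local_name), ...] for entries whose two names differ."""
    mismatches = []
    for cname, off in central_entries(data):
        lname = local_name(data, off)
        if lname != cname:
            mismatches.append((cname, lname))
    return mismatches


def build_samples():
    """Constructed test data: a clean archive and a copy with one local name clobbered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("foo/", b"")
        zf.writestr("foo/a.txt", b"hello\n")
    clean = buf.getvalue()
    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        off = zf.getinfo("foo/").header_offset
    # Overwrite the four name bytes of the "foo/" local header with bytes of the
    # same length, so every other offset stays valid (constructed corruption).
    corrupt = bytearray(clean)
    corrupt[off + 30:off + 34] = b"\xe2\x98\x83/"
    return clean, bytes(corrupt)


if __name__ == "__main__":
    clean, corrupt = build_samples()
    print("clean archive mismatches:", find_mismatches(clean))
    for cname, lname in find_mismatches(corrupt):
        print("%r: mismatching local filename (%r)" % (cname, lname))
```

A checker like this belongs in front of any extractor that takes untrusted archives: it never allocates or copies based on a length it has not first compared against the buffer, and a name disagreement is treated as a reason to reject the file rather than something to "continue with".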
http://www.ocert.org/advisories/ocert-2014-011.html lists three more security issues:

CVE-2014-8139 (CRC32 heap overflow)
CVE-2014-8140 (test_compr_eb)
CVE-2014-8141 (getZip64Data)

All are independent of the American fuzzy lop issue. Unfortunately upstream seems to do releases rarely. There are also some issues mentioned in upstream's forum that are a couple of years old and look like they could be security issues: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=282&sid=48632af076f5c015cae31c1f37e278c3
Those 4 issues should all be fixed in 6.0_p20 using the patches Debian is carrying: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65df71cdc392f85fd95ad5b8ef1508434e2a239
@arches, please stabilize: =app-arch/unzip-6.0_p20
Stable for HPPA PPC64.
amd64 stable
x86 stable
arm stable
alpha stable
ppc stable
sparc stable
ia64 stable
Removing unstable arches from CC. @maintainer(s), please clean up vulnerable versions. New GLSA request filed.
This issue was resolved and addressed in GLSA 201611-01 at https://security.gentoo.org/glsa/201611-01 by GLSA coordinator Aaron Bauman (b-man).