
Bug 528082

Summary: <app-arch/unzip-6.0_p20: buffer overflow
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: base-system
Severity: major
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa cleanup]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 533748, 537424, 560416

Description Agostino Sarubbo gentoo-dev 2014-11-03 08:09:59 UTC
From ${URL} :

Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes 
unzip -t:

$ unzip -qt afl-0.43b/docs/samples/
foo/:  mismatching "local" filename (���/UT),
         continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x00000000015d0170 ***

I'm not sure if inclusion of said zip file was intentional, but since 
the cat is already out of the bag, I thought I'd let you know.


the unofficial patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hanno Böck gentoo-dev 2014-12-23 09:34:21 UTC
lists three more security issues:
CVE-2014-8139 (CRC32 heap overflow), CVE-2014-8140 (test_compr_eb), CVE-2014-8141 (getZip64Data)

All are independent of the american fuzzy lop issue. Unfortunately upstream seems to do releases rarely. There are also some issues mentioned in upstream's forum that are a couple of years old and look like they could be security issues:
Comment 2 SpanKY gentoo-dev 2016-04-03 00:06:40 UTC
those 4 issues should all be fixed in 6.0_p20 by using patches Debian is carrying
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-04-03 00:50:58 UTC
@arches, please stabilize:

Comment 4 Jeroen Roovers gentoo-dev 2016-04-04 02:46:04 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-06 12:27:07 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-11 10:40:46 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-04-19 15:32:56 UTC
arm stable
Comment 8 Matt Turner gentoo-dev 2016-05-02 04:02:21 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:03 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:44 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:35 UTC
ia64 stable
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-09 02:23:46 UTC
Removing unstable arches from CC

@maintainer(s), please clean up vulnerable versions.

New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-11-01 13:22:00 UTC
This issue was resolved and addressed in
 GLSA 201611-01 at
by GLSA coordinator Aaron Bauman (b-man).