| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities | | |
| Product: | Gentoo Linux | Reporter: | Andrey Ovcharov <sudormrfhalt> |
| Component: | Current packages | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system, jstein |
| Priority: | Normal | Keywords: | PATCH |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | 06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch, 18-cve-2014-9913-unzip-buffer-overflow.patch, 19-cve-2016-9844-zipinfo-buffer-overflow.patch, cve-2014-9636.patch | | |
Created attachment 475064
18-cve-2014-9913-unzip-buffer-overflow.patch

Created attachment 475066
19-cve-2016-9844-zipinfo-buffer-overflow.patch

Created attachment 475068
cve-2014-9636.patch

Thank you again. Debian patchset 21 is out there. https://packages.qa.debian.org/u/unzip/news/20161211T210812Z.html The 2 CVEs removed are tracked in other bugs.

18-cve-2014-9913-unzip-buffer-overflow.patch

No fix in the patchset for CVE-2015-1315. Would need to apply the patch from this bug.

CVE-2014-9913 is fixed in Debian patchset 21.

CVE-2015-1315: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1315 The vulnerable function was introduced via a patch (06-unzip60-alt-iconv-utf8) which Gentoo does not ship.

Created attachment 475062
06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

app-arch/unzip-6.0_p20: Multiple vulnerabilities CVE-2014-9636, CVE-2014-9913, CVE-2015-1315, CVE-2016-9844