| Summary: | app-arch/unzip-6.0_p25: Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ian Zimmerman <nobrowser> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 691566 | | |
| Bug Blocks: | | | |
Description
Ian Zimmerman
2018-02-08 16:23:24 UTC
@maintainer(s), I've emailed upstream with the following:

-------------------------------------------------------------
"Hi, from http://openwall.com/lists/oss-security/2018/02/08/1 , it is suggested that a vulnerability exists in UnZip 6.0 described in link as: Heap-based buffer overflow in password protected ZIP archives with a reserved CVE -- (CVE-2018-1000035). Without causing too much noise to your mail server I have the unfortunate duty to verify if:

1) This vulnerability/bug is known to you.
2) Verify if the CVE is also known to you.
3) It is possible for you to publish a response on your site.

Please review the link and details with consideration that this vulnerability is publicly disclosed with no affirmative upstream acknowledgment."
-------------------------------------------------------------

because it is unclear if the CVE and Vulnerability are in fact known to them. Nothing much else to do here until a response.

@Ian Zimmerman, thanks.

Update: Upstream reply:

--begin-reply--
> 1) This vulnerability/bug is known to you.

Yes.

> 2) Verify if the CVE is also known to you.

It is now.

> 3) It is possible for you to publish a response on your site.

I'm not sure how we would do that.

> Please review the link and details with consideration that this is
> made publicly disclosed with no affirmative upstream acknowledgment.

I believe that we got all those fixed in 6.10c23 based on complaints directly from R. Freingruber (before the CVEs were defined?), except for the LZMA-related problems (which may be handled by disabling the LZMA feature until a better LZMA library is obtained).

http://antinode.info/ftp/info-zip/unzip610c23.zip

There should also be a modified fileio.c for UnZip 6.0:

http://antinode.info/ftp/info-zip/unzip60/fileio.c

If more needs to be done, then please let us know.
--end-reply--

So, now we have bug 647444, with fixed (CVE-2018-1000035) in 6.10c23, or (6.0_p23, not yet in tree). Patch is in _p22 from Debian upstream.
20-cve-2018-1000035-unzip-buffer-overflow.patch

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf679e99554488d9d20c3cecaf4063733f70e6f

commit fbf679e99554488d9d20c3cecaf4063733f70e6f
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-10 15:46:38 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-10 17:07:29 +0000

    app-arch/unzip: bump to Debian patchset 25

    Bug: https://bugs.gentoo.org/647008
    Bug: https://bugs.gentoo.org/691566
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12670
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p25.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202003-58 at https://security.gentoo.org/glsa/202003-58 by GLSA coordinator Thomas Deutschmann (whissi).