Bug 647444 (CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033, CVE-2018-1000034)

Summary:	app-arch/unzip: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	minor	CC:	base-system
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [ebuild cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-02-12 19:11:28 UTC

CVE-2018-1000034 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000034):
  An out-of-bounds read exists in InfoZip UnZip version 6.10c22 that allows an
  attacker to perform a denial of service and read sensitive memory.

CVE-2018-1000033 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000033):
  An out-of-bounds read exists in InfoZip UnZip version 6.10c22 that allows an
  attacker to perform a denial of service and read sensitive memory.

CVE-2018-1000032 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000032):
  A heap-based buffer overflow exists in InfoZip UnZip version 6.10c22 that
  allows an attacker to perform a denial of service or to possibly achieve
  code execution.

CVE-2018-1000031 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000031):
  A heap-based buffer overflow exists in InfoZip UnZip version 6.10c22 that
  allows an attacker to perform a denial of service or to possibly achieve
  code execution.

Comment 1 Yury German Gentoo Infrastructure

2019-03-12 06:26:38 UTC

Follow up on this bug please.
From Blocked bug this is fixed in: 

I believe that we got all those fixed in 6.10c23 based on complaints
directly from R. Freingruber (before the CVEs were defined?), except for
the LZMA-related problems (which may be handled by disabling the LZMA
feature until a better LZMA library is obtained).

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 14:19:37 UTC

Doesn't affect our Gentoo's app-arch/unzip.