| Summary: | app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://sourceforge.net/p/infozip/bugs/53/ | | |
| Whiteboard: | A3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description

John Helmert III
2020-06-29 18:30:57 UTC

Fedora and openSUSE have this patched:

https://src.fedoraproject.org/rpms/unzip/blob/master/f/unzip-6.0-overflow-long-fsize.patch
https://build.opensuse.org/package/view_file/openSUSE:Factory/unzip/unzip60-cfactorstr_overflow.patch

ping

(In reply to Sam James from comment #2)
> ping

ping

We are not affected. Gentoo's unzip package is based on Debian's unzip package (currently at patchlevel 25). Debian applies 07-increase-size-of-cfactorstr.patch, which we also do, and upstream confirmed that this will mitigate the problem: https://sourceforge.net/p/infozip/bugs/53/#ba07. Closing as INVALID because the CVE doesn't apply to Gentoo.
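The mitigation discussed above (enlarging unzip's cfactorstr buffer) addresses a fixed-size buffer that receives a formatted compression-factor string. The C program below is an added illustration of that bug class and of the size check a defender wants; it is not unzip's code and not the Debian or Fedora patch. The buffer sizes, the percentage formula and the helper names are assumptions chosen for the demonstration; the only names taken from the page are cfactorstr and the CVE id.

```c
/*
 * Added illustrative example (not unzip's own code): a compression factor is
 * formatted as "NN%" into a fixed-size buffer.  The page's mitigation for
 * CVE-2018-18384 is a patch that enlarges such a buffer (cfactorstr).  The
 * sizes, the formula and the helper names below are assumptions made for the
 * demonstration, not unzip's real values.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define OLD_CFACTORSTR_SIZE 10  /* assumed: small pre-patch buffer */
#define NEW_CFACTORSTR_SIZE 13  /* assumed: enlarged buffer */

/* Compression factor in whole percent: 100 - csize*100/ucsize.
 * An archive header can carry any csize/ucsize pair, so csize far larger than
 * ucsize yields a large negative value with many digits.  The formula is a
 * simplification; it assumes csize*100 does not overflow 64 bits. */
static long long compression_factor(uint64_t ucsize, uint64_t csize)
{
    if (ucsize == 0)
        return 0;                       /* empty entry: no meaningful ratio */
    return 100 - (long long)(csize * 100 / ucsize);
}

/* Number of bytes (including the NUL) the formatted text needs; this is what a
 * plain sprintf() into a fixed buffer never compares against the buffer size. */
static size_t cfactor_needed(uint64_t ucsize, uint64_t csize)
{
    int n = snprintf(NULL, 0, "%lld%%", compression_factor(ucsize, csize));
    return (size_t)n + 1;
}

/* Would the text fit in a buffer of bufsize bytes?  1 = yes, 0 = overflow. */
static int fits_in(size_t bufsize, uint64_t ucsize, uint64_t csize)
{
    return cfactor_needed(ucsize, csize) <= bufsize;
}

/* Bounded formatting: writes "NN%" into buf and returns 1, or leaves buf as an
 * empty string and returns 0 when the text would not fit.  Nothing is ever
 * written past bufsize, which is the guarantee the unbounded version lacks. */
static int format_cfactor(char *buf, size_t bufsize, uint64_t ucsize, uint64_t csize)
{
    int n = snprintf(buf, bufsize, "%lld%%", compression_factor(ucsize, csize));
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char old_buf[OLD_CFACTORSTR_SIZE];
    char new_buf[NEW_CFACTORSTR_SIZE];

    /* Ordinary entry: 1000 bytes stored in 400, factor 60%, fits both sizes. */
    printf("normal : needs %zu bytes, fits old=%d new=%d\n",
           cfactor_needed(1000, 400),
           format_cfactor(old_buf, sizeof old_buf, 1000, 400),
           format_cfactor(new_buf, sizeof new_buf, 1000, 400));

    /* Constructed inconsistent sizes: 100 bytes "compressed" to 1e9 gives
     * -999999900%, 11 characters plus NUL.  That overflows the small buffer
     * (sprintf would write past it) but fits the enlarged one. */
    printf("crafted: needs %zu bytes, fits old=%d new=%d\n",
           cfactor_needed(100, 1000000000ULL),
           format_cfactor(old_buf, sizeof old_buf, 100, 1000000000ULL),
           format_cfactor(new_buf, sizeof new_buf, 100, 1000000000ULL));
    return 0;
}
```

The point of the bounded `format_cfactor` is that it fails closed: a header with absurd size fields produces an empty factor string and a zero return rather than a write past the end of the buffer, so the lister can report the entry and continue. Enlarging the buffer, as the patch does, raises the threshold at which the text stops fitting; checking the `snprintf` return value against the buffer size removes the overflow for any value.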