Bug 730166 (CVE-2018-18384)

Summary:	app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	base-system
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://sourceforge.net/p/infozip/bugs/53/
Whiteboard:	A3 [noglsa cve]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2020-06-29 18:30:57 UTC

Description:

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

Comment 1 John Helmert III archtester

2020-06-29 18:33:24 UTC

Fedora and openSUSE have this patched:

https://src.fedoraproject.org/rpms/unzip/blob/master/f/unzip-6.0-overflow-long-
fsize.patch
https://build.opensuse.org/package/view_file/openSUSE:Factory/unzip/unzip60-cfactorstr_overflow.patch

Comment 2 Sam James archtester

2020-07-27 16:59:48 UTC

ping

Comment 3 Sam James archtester

2020-11-16 18:54:17 UTC

(In reply to Sam James from comment #2)
> ping

ping

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2020-11-16 19:08:50 UTC

We are not affected. Gentoo's unzip package is based on Debian's unzip package (currently at patchlevel 25).

Debian applies 07-increase-size-of-cfactorstr.patch which we also do and upstream confirmed that this will mitigate the problem, https://sourceforge.net/p/infozip/bugs/53/#ba07.

Closing as INVALID because CVE doesn't apply to Gentoo.