Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 528082 - <app-arch/unzip-6.0_p20: buffer overflow
Summary: <app-arch/unzip-6.0_p20: buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cleanup]
Keywords:
Depends on:
Blocks: CVE-2014-8139 CVE-2014-9636 560416
  Show dependency tree
 
Reported: 2014-11-03 08:09 UTC by Agostino Sarubbo
Modified: 2016-11-01 13:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-03 08:09:59 UTC
From ${URL} :

Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes 
unzip -t:

$ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
foo/:  mismatching "local" filename (���/UT),
         continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x00000000015d0170 ***

I'm not sure if inclusion of said zip file was intentional, but since 
the cat is already out of the bag, I thought I'll let you know.

[0] https://code.google.com/p/american-fuzzy-lop/
[1] http://lcamtuf.coredump.cx/afl.tgz


the unofficial patch:
http://skylink.dl.sourceforge.net/project/mancha/sec/unzip-6.0_overflow.diff


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hanno Böck gentoo-dev 2014-12-23 09:34:21 UTC
http://www.ocert.org/advisories/ocert-2014-011.html
lists three more security issues:
CVE-2014-8139 (CRC32 heap overflow), CVE-2014-8140 (test_compr_eb), CVE-2014-8141 (getZip64Data)

All are independent of the american fuzzy lop issue. Unfortunately upstream seems to do releases rarely. There are also some issues mentioned in upstream's forum that are a couple of years old and look like they could be security issues:
http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=282&sid=48632af076f5c015cae31c1f37e278c3
Comment 2 SpanKY gentoo-dev 2016-04-03 00:06:40 UTC
those 4 issues should all be fixed in 6.0_p20 by using patches Debian is carrying

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65df71cdc392f85fd95ad5b8ef1508434e2a239
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-04-03 00:50:58 UTC
@arches, please stabilize:

=app-arch/unzip-6.0_p20
Comment 4 Jeroen Roovers gentoo-dev 2016-04-04 02:46:04 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-06 12:27:07 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-11 10:40:46 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-04-19 15:32:56 UTC
arm stable
Comment 8 Matt Turner gentoo-dev 2016-05-02 04:02:21 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:03 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:44 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:35 UTC
ia64 stable
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-09 02:23:46 UTC
Removing unstable arches from CC

@maintainer(s), please cleanup vulnerable versions.

New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-11-01 13:22:00 UTC
This issue was resolved and addressed in
 GLSA 201611-01 at https://security.gentoo.org/glsa/201611-01
by GLSA coordinator Aaron Bauman (b-man).