602048 – (CVE-2016-9844) <app-arch/unzip-6.0_p21-r2: buffer overflow in ZipInfo (CVE-2016-9844)

Bug 602048 (CVE-2016-9844) - <app-arch/unzip-6.0_p21-r2: buffer overflow in ZipInfo (CVE-2016-9844)

Summary: <app-arch/unzip-6.0_p21-r2: buffer overflow in ZipInfo (CVE-2016-9844)

Status:	RESOLVED FIXED

Alias:	CVE-2016-9844

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	A4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2016-12-08 23:42 UTC by Ian Zimmerman
Modified:	2019-08-10 14:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
patch constrcuted according to the discussion on oss-security (cve-2016-9844.patch,618 bytes, patch) 2016-12-08 23:43 UTC, Ian Zimmerman	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ian Zimmerman 2016-12-08 23:42:14 UTC

According to the posting on oss-security [1]:

Alexis Vanden Eijnde has discovered a zipinfo buffer overflow...

I shall attach a patch (constructed locally because upstream has no public VCS) after I submit this report.

[1]
https://marc.info/?l=oss-security&m=148095466614279&w=2


Reproducible: Always

Comment 1 Ian Zimmerman 2016-12-08 23:43:49 UTC

Created attachment 455550 [details, diff]
patch constrcuted according to the discussion on oss-security

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-30 01:35:22 UTC

Patch is in the Debian patchset which Gentoo ships:

19-cve-2016-9844-zipinfo-buffer-overflow.patch

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2019-05-01 02:59:26 UTC

@base-system, please clean vulnerable