Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533748 (CVE-2014-8139) - <app-arch/unzip-6.0_p20: input sanitization errors
Summary: <app-arch/unzip-6.0_p20: input sanitization errors
Alias: CVE-2014-8139
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 528082
  Show dependency tree
Reported: 2014-12-28 09:29 UTC by Agostino Sarubbo
Modified: 2016-11-01 13:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-28 09:29:42 UTC
From ${URL} :

#2014-011 UnZip input sanitization errors


The UnZip tool is an open source extraction utility for archives compressed in
the zip format.

The unzip command line tool is affected by heap-based buffer overflows within
the CRC32 verification, the test_compr_eb() and the getZip64Data() functions.
The input errors may result in in arbitrary code execution.

A specially crafted zip file, passed to unzip -t, can be used to trigger the

Affected version:

UnZip <= 6.0

Fixed version:

UnZip, N/A

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8139 (CRC32 heap overflow), CVE-2014-8140 (test_compr_eb),
     CVE-2014-8141 (getZip64Data)


2014-12-03: vulnerability report received
2014-12-03: contacted maintainer
2014-12-03: first patch provided by maintainer
2014-12-04: report provides additional reproducers
2014-12-03: second patch provided by maintainer
2014-12-04: reporter confirms patch
2014-12-10: contacted affected vendors
2014-12-12: assigned CVEs
2014-12-22: advisory release

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-04-03 00:06:36 UTC
fixed w/Debian patchset.  should be fine for stable.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-01 13:22:12 UTC
This issue was resolved and addressed in
 GLSA 201611-01 at
by GLSA coordinator Aaron Bauman (b-man).