620470 – (CVE-2014-9913, CVE-2015-1315) <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities

Bug 620470 (CVE-2014-9913, CVE-2015-1315) - <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities

Summary: <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2014-9913, CVE-2015-1315

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A4 [noglsa cve]
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2017-06-03 05:27 UTC by Andrey Ovcharov
Modified:	2019-08-10 15:08 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch (06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch,14.13 KB, patch) 2017-06-03 05:27 UTC, Andrey Ovcharov	Details \| Diff
18-cve-2014-9913-unzip-buffer-overflow.patch (18-cve-2014-9913-unzip-buffer-overflow.patch,1.35 KB, patch) 2017-06-03 05:27 UTC, Andrey Ovcharov	Details \| Diff
19-cve-2016-9844-zipinfo-buffer-overflow.patch (19-cve-2016-9844-zipinfo-buffer-overflow.patch,1.14 KB, patch) 2017-06-03 05:28 UTC, Andrey Ovcharov	Details \| Diff
cve-2014-9636.patch (cve-2014-9636.patch,1.56 KB, patch) 2017-06-03 05:28 UTC, Andrey Ovcharov	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrey Ovcharov 2017-06-03 05:27:02 UTC

Created attachment 475062 [details, diff]
06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

app-arch/unzip-6.0_p20: Multiple vulnerabilities CVE-2014-9636, CVE-2014-9913, CVE-2015-1315, CVE-2016-9844

Comment 1 Andrey Ovcharov 2017-06-03 05:27:42 UTC

Created attachment 475064 [details, diff]
18-cve-2014-9913-unzip-buffer-overflow.patch

Comment 2 Andrey Ovcharov 2017-06-03 05:28:07 UTC

Created attachment 475066 [details, diff]
19-cve-2016-9844-zipinfo-buffer-overflow.patch

Comment 3 Andrey Ovcharov 2017-06-03 05:28:29 UTC

Created attachment 475068 [details, diff]
cve-2014-9636.patch

Comment 4 Jonas Stein gentoo-dev

2017-06-03 08:14:54 UTC

Thank you again.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2017-11-21 13:14:48 UTC

Debian patchset 21 is out there.

https://packages.qa.debian.org/u/unzip/news/20161211T210812Z.html

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2018-01-25 22:28:21 UTC

The 2 CVE's removed are tracked in other bugs.

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2019-03-30 01:40:48 UTC

18-cve-2014-9913-unzip-buffer-overflow.patch

No fix in the patchset for CVE-2015-1315.  Would need to apply the patch from this bug.

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 15:08:11 UTC

CVE-2014-9913 is fixed in Debian patchset 21

CVE-2015-1315:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1315

The vulnerable function was introduced via a patch (06-unzip60-alt-iconv-utf8) which Gentoo does not ship.