Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620470 (CVE-2014-9913, CVE-2015-1315) - <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities
Summary: <app-arch/unzip-6.0_p21-r2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2014-9913, CVE-2015-1315
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa cve]
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2017-06-03 05:27 UTC by Andrey Ovcharov
Modified: 2019-08-10 15:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch (06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch,14.13 KB, patch)
2017-06-03 05:27 UTC, Andrey Ovcharov
Details | Diff
18-cve-2014-9913-unzip-buffer-overflow.patch (18-cve-2014-9913-unzip-buffer-overflow.patch,1.35 KB, patch)
2017-06-03 05:27 UTC, Andrey Ovcharov
Details | Diff
19-cve-2016-9844-zipinfo-buffer-overflow.patch (19-cve-2016-9844-zipinfo-buffer-overflow.patch,1.14 KB, patch)
2017-06-03 05:28 UTC, Andrey Ovcharov
Details | Diff
cve-2014-9636.patch (cve-2014-9636.patch,1.56 KB, patch)
2017-06-03 05:28 UTC, Andrey Ovcharov
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Ovcharov 2017-06-03 05:27:02 UTC
Created attachment 475062 [details, diff]
06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

app-arch/unzip-6.0_p20: Multiple vulnerabilities CVE-2014-9636, CVE-2014-9913, CVE-2015-1315, CVE-2016-9844
Comment 1 Andrey Ovcharov 2017-06-03 05:27:42 UTC
Created attachment 475064 [details, diff]
18-cve-2014-9913-unzip-buffer-overflow.patch
Comment 2 Andrey Ovcharov 2017-06-03 05:28:07 UTC
Created attachment 475066 [details, diff]
19-cve-2016-9844-zipinfo-buffer-overflow.patch
Comment 3 Andrey Ovcharov 2017-06-03 05:28:29 UTC
Created attachment 475068 [details, diff]
cve-2014-9636.patch
Comment 4 Jonas Stein gentoo-dev 2017-06-03 08:14:54 UTC
Thank you again.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-11-21 13:14:48 UTC
Debian patchset 21 is out there.

https://packages.qa.debian.org/u/unzip/news/20161211T210812Z.html
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-25 22:28:21 UTC
The 2 CVE's removed are tracked in other bugs.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-30 01:40:48 UTC
18-cve-2014-9913-unzip-buffer-overflow.patch

No fix in the patchset for CVE-2015-1315.  Would need to apply the patch from this bug.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-10 15:08:11 UTC
CVE-2014-9913 is fixed in Debian patchset 21

CVE-2015-1315:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1315

The vulnerable function was introduced via a patch (06-unzip60-alt-iconv-utf8) which Gentoo does not ship.