Bug 647444 (CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033, CVE-2018-1000034) - app-arch/unzip: Multiple vulnerabilities
Summary: app-arch/unzip: Multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033, CVE-2018-1000034
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [ebuild cve]
Keywords:
Depends on:
Blocks:
Reported: 2018-02-12 19:11 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 14:19 UTC

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-12 19:11:28 UTC
CVE-2018-1000034 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000034):
  An out-of-bounds read exists in InfoZip UnZip version 6.10c22 that allows an
  attacker to perform a denial of service and read sensitive memory.

CVE-2018-1000033 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000033):
  An out-of-bounds read exists in InfoZip UnZip version 6.10c22 that allows an
  attacker to perform a denial of service and read sensitive memory.

CVE-2018-1000032 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000032):
  A heap-based buffer overflow exists in InfoZip UnZip version 6.10c22 that
  allows an attacker to perform a denial of service or to possibly achieve
  code execution.

CVE-2018-1000031 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000031):
  A heap-based buffer overflow exists in InfoZip UnZip version 6.10c22 that
  allows an attacker to perform a denial of service or to possibly achieve
  code execution.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 06:26:38 UTC
Follow up on this bug please.
From Blocked bug this is fixed in:

I believe that we got all those fixed in 6.10c23 based on complaints
directly from R. Freingruber (before the CVEs were defined?), except for
the LZMA-related problems (which may be handled by disabling the LZMA
feature until a better LZMA library is obtained).
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-10-26 14:19:37 UTC
Doesn't affect our Gentoo's app-arch/unzip.