Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647008 (CVE-2018-1000035) - <app-arch/unzip-6.0_p25: Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)
Summary: <app-arch/unzip-6.0_p25: Heap-based buffer overflow in password protected ZIP...
Status: IN_PROGRESS
Alias: CVE-2018-1000035
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable blocked cve]
Keywords:
Depends on: CVE-2019-13232
Blocks:
  Show dependency tree
 
Reported: 2018-02-08 16:23 UTC by Ian Zimmerman
Modified: 2019-10-26 14:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2018-02-08 16:23:24 UTC
According to the announcement on oss-security [1]:

InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing
password protected ZIP archives. An attacker can exploit this vulnerability
to overwrite heap chunks to get arbitrary code execution on the target system.

(The other vulnerabilities announced therein seem to not affect versions present in the gentoo tree.)

[1]
http://openwall.com/lists/oss-security/2018/02/08/1
Comment 1 D'juan McDonald (domhnall) 2018-06-22 02:38:39 UTC
@maintainter(s), I've emailed upstream with the following:

-------------------------------------------------------------
 "Hi, from http://openwall.com/lists/oss-security/2018/02/08/1 , it is suggested that a vulnerability exist in UnZip 6.0 described in link as:

Heap-based buffer overflow in password protected ZIP archives

with a reserved CVE --  (CVE-2018-1000035).

Without causing too much noise to your mail server I have to unfortunate duty to verify if:
1) This vulnerability/bug is known to you.

2) Verify if the CVE is also known to you.

3) It is possible for you to publish a response on your site.

Please review the link and details with consideration that this vulnerability  is publicly disclosed with no affirmative upstream acknowledgment."
-------------------------------------------------------------
because it is unclear if the CVE and Vulnerability are in fact known to them.  Nothing much else to do here until a response. @Ian Zimmerman, thanks.
Comment 2 D'juan McDonald (domhnall) 2018-06-24 00:02:19 UTC
Update:

Upstream reply:
--begin-reply--
> 
> 1) This vulnerability/bug is known to you.

   Yes.

> 2) Verify if the CVE is also known to you.

   It is now.

> 3) It is possible for you to publish a response on your site.

   I'm not sure how we would do that.

> Please review the link and details with consideration that this is
> made publicly disclosed with no affirmative upstream acknowledgment.

I believe that we got all those fixed in 6.10c23 based on complaints
directly from R. Freingruber (before the CVEs were defined?), except for
the LZMA-related problems (which may be handled by disabling the LZMA
feature until a better LZMA library is obtained).

      http://antinode.info/ftp/info-zip/unzip610c23.zip

   There should also be a modified fileio.c for UnZip 6.0:

      http://antinode.info/ftp/info-zip/unzip60/fileio.c

   If more needs to be done, then please let us know.
--end-reply--

So, now we have bug 647444, with fixed (CVE-2018-1000035) in 6.10c23. or (6.0_p23, not yet in tree).
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-30 01:51:43 UTC
patch is in _p22 from Debian upstream.

20-cve-2018-1000035-unzip-buffer-overflow.patch
Comment 4 Larry the Git Cow gentoo-dev 2019-08-10 17:12:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf679e99554488d9d20c3cecaf4063733f70e6f

commit fbf679e99554488d9d20c3cecaf4063733f70e6f
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-10 15:46:38 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-10 17:07:29 +0000

    app-arch/unzip: bump to Debian patchset 25
    
    Bug: https://bugs.gentoo.org/647008
    Bug: https://bugs.gentoo.org/691566
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12670
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p25.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)