Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 730166 (CVE-2018-18384) - app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384)
Summary: app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384)
Status: RESOLVED INVALID
Alias: CVE-2018-18384
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/p/infozip/bug...
Whiteboard: A3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-29 18:30 UTC by John Helmert III
Modified: 2020-11-16 19:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 18:30:57 UTC
Description:

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 16:59:48 UTC
ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:54:17 UTC
(In reply to Sam James from comment #2)
> ping

ping
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-16 19:08:50 UTC
We are not affected. Gentoo's unzip package is based on Debian's unzip package (currently at patchlevel 25).

Debian applies 07-increase-size-of-cfactorstr.patch which we also do and upstream confirmed that this will mitigate the problem, https://sourceforge.net/p/infozip/bugs/53/#ba07.

Closing as INVALID because CVE doesn't apply to Gentoo.