Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 730166 (CVE-2018-18384) - app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384)
Summary: app-arch/unzip: Buffer overflow vulnerability (CVE-2018-18384)
Status: RESOLVED INVALID
Alias: CVE-2018-18384
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/infozip/bug...
Whiteboard: A3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-29 18:30 UTC by John Helmert III
Modified: 2020-11-16 19:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 18:30:57 UTC 
Description:

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 16:59:48 UTC 
ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:54:17 UTC 
(In reply to Sam James from comment #2)
> ping

ping
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-16 19:08:50 UTC 
We are not affected. Gentoo's unzip package is based on Debian's unzip package (currently at patchlevel 25).

Debian applies 07-increase-size-of-cfactorstr.patch which we also do and upstream confirmed that this will mitigate the problem, https://sourceforge.net/p/infozip/bugs/53/#ba07.

Closing as INVALID because CVE doesn't apply to Gentoo.