Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#10067 - unzip 5.52-3 potential arbitrary code execution
Attached to Project:
Arch Linux
Opened by Paul Bredbury (brebs) - Thursday, 03 April 2008, 00:17 GMT
Last edited by Dan McGee (toofishes) - Saturday, 05 April 2008, 14:08 GMT
Details
Hi, unzip 5.52-3 has a potential security flaw:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888
http://bugs.gentoo.org/show_bug.cgi?id=213761
Download the patch:
wget -O unzip-5.5.2-CVE-2008-0888.patch http://bugs.gentoo.org/attachment.cgi?id=146443
For reassurance, this exact patch is in Ubuntu:
http://packages.ubuntu.com/hardy/unzip (unzip_5.52-10ubuntu2.diff.gz)
Enclosed is the required PKGBUILD diff.
Closed by Dan McGee (toofishes)
Saturday, 05 April 2008, 14:08 GMT
Reason for closing: Fixed
Additional comments about closing: fixed in unzip-5.52-4
Comment by Dan McGee (toofishes) -
Thursday, 03 April 2008, 18:33 GMT
I'll try and address this tonight or tomorrow. Thanks for pointing it out.
PKGBUILD.diff