FS#43862 - [unzip][CVE-2015-1315] heap-based buffer overflow vulnerability
Attached to Project:
Arch Linux
Opened by Christian Rebischke (Shibumi) - Tuesday, 17 February 2015, 19:20 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 20 February 2015, 07:34 GMT
Details

Summary
=======
unzip is vulnerable to a heap-based buffer overflow. This vulnerability could possibly lead to arbitrary code execution. The vulnerable code lies in the patch: 06-unzip60-alt-iconv-utf8

Does the unzip-archlinux version contain this patch too? Furthermore, the code is present in the unzip beta: Info-ZIP beta/development release version 6.10b.

Please check out the references for more information.

References
==========
http://www.openwall.com/lists/oss-security/2015/02/17/4
http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz (file debian/patches/06-unzip60-alt-iconv-utf8)
Closed by Gaetan Bisson (vesath)
Friday, 20 February 2015, 07:34 GMT
Reason for closing: Works for me
Additional comments about closing: Our version is not affected.
Comment by Remi Gacogne (rgacogne) -
Wednesday, 18 February 2015, 08:57 GMT
As far as I can tell, our version is not impacted because we use
the 6.0 info-zip (not the 6.10 beta) _and_ we do not apply the
vulnerable "06-unzip60-alt-iconv-utf8" patch.