FS#43862 : [unzip][CVE-2015-1315] heap-based buffer overflow vulnerability

FS#43862 - [unzip][CVE-2015-1315] heap-based buffer overflow vulnerability

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Tuesday, 17 February 2015, 19:20 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 20 February 2015, 07:34 GMT

Task Type	Bug Report
Category	Packages: Extra
Status	Closed
Assigned To	Gaetan Bisson (vesath)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 Remi Gacogne (rgacogne) (2015-02-18) Christian Rebischke (Shibumi) (2015-02-17)
Private	No

Details

Summary
=======

unzip is vulnerable to a heap-based buffer overflow.
This vulnerability could possibly lead to arbitrary code execution.
The vulnerable code lies in the patch: 06-unzip60-alt-iconv-utf8

Does the unzip-archlinux version contain this patch too?
Furthermore the code present in the unzip-beta:

Info-ZIP beta/development release version 6.10b

Please checkout the references for more information

References
===========
http://www.openwall.com/lists/oss-security/2015/02/17/4
http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz
file debian/patches/06-unzip60-alt-iconv-utf8

This task depends upon

Closed by Gaetan Bisson (vesath)
Friday, 20 February 2015, 07:34 GMT
Reason for closing: Works for me
Additional comments about closing: Our version is not affected.

Comment by Remi Gacogne (rgacogne) - Wednesday, 18 February 2015, 08:57 GMT

As far as I can tell, our version is not impacted because we use the 6.0 info-zip (not the 6.10 beta) _and_ we do not apply the vulnerable "06-unzip60-alt-iconv-utf8" patch.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#43862 - [unzip][CVE-2015-1315] heap-based buffer overflow vulnerability

Details

Loading...