Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#43862 - [unzip][CVE-2015-1315] heap-based buffer overflow vulnerability

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Tuesday, 17 February 2015, 19:20 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 20 February 2015, 07:34 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No



unzip is vulnerable to a heap-based buffer overflow.
This vulnerability could possibly lead to arbitrary code execution.
The vulnerable code lies in the patch: 06-unzip60-alt-iconv-utf8

Does the unzip-archlinux version contain this patch too?
Furthermore the code present in the unzip-beta:

Info-ZIP beta/development release version 6.10b

Please checkout the references for more information

file debian/patches/06-unzip60-alt-iconv-utf8
This task depends upon

Closed by  Gaetan Bisson (vesath)
Friday, 20 February 2015, 07:34 GMT
Reason for closing:  Works for me
Additional comments about closing:  Our version is not affected.
Comment by Remi Gacogne (rgacogne) - Wednesday, 18 February 2015, 08:57 GMT
As far as I can tell, our version is not impacted because we use the 6.0 info-zip (not the 6.10 beta) _and_ we do not apply the vulnerable "06-unzip60-alt-iconv-utf8" patch.