Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#44171 - [unzip][CVE-2014-9636] Denial of Service

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Friday, 13 March 2015, 15:09 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 15 March 2015, 05:50 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No



unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.

This task depends upon

Closed by  Gaetan Bisson (vesath)
Sunday, 15 March 2015, 05:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  unzip-6.0-10 in [extra]
Comment by Levente Polyak (anthraxx) - Friday, 13 March 2015, 16:21 GMT
I have attached a patch which fixes CVE-2014-9636 (note that this is the fixed version used by fedora and debian, the first version submited at redhat was flawed and did not fix the issue totally).
Also note that this patch also includes overflow-long-fsize.patch, which is a missing hardening patch fixing a single byte overflow (also applied by fedora etc).

I have 3 test cases that cause a segfault via overflow and 1 regression test, all fine with applying the attached patch onto the current state.
Comment by Gaetan Bisson (vesath) - Sunday, 15 March 2015, 04:47 GMT
Thanks a lot!
Comment by Levente Polyak (anthraxx) - Sunday, 15 March 2015, 05:42 GMT
@vesath: You're welcome! I rerun all tests on 6.0-10 and can confirm that the pkgrel 10 fixes all issues. Thanks for the update.
Comment by Gaetan Bisson (vesath) - Sunday, 15 March 2015, 05:49 GMT