FS#47039 - [unzip] 6.0-11 regression with 0-byte sized files inside a password protected zip-file
Attached to Project:
Arch Linux
Opened by Levente Polyak (anthraxx) - Wednesday, 11 November 2015, 18:48 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 17 April 2016, 07:01 GMT
Opened by Levente Polyak (anthraxx) - Wednesday, 11 November 2015, 18:48 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 17 April 2016, 07:01 GMT
|
Details
Hey, the security patch 'csiz-underflow.patch' with version
6.0-11 introduced a small regression when extracting
zip-files that are password protected and have a 0-byte size
file.
The small regression introduced with the security patch has also been fixed by ubuntu [0][1] and debian [2][3]. A test file for the regression can be found in the ubuntu bug report comments [4] (but because of security of cause only test that inside a chroot or better an isolated VM) I have attached either a patch for the patch (*smile*) or the already fixed patch. cheers, Levente [0] https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1513293 [1] https://launchpadlibrarian.net/225619775/unzip_6.0-13ubuntu3.1_6.0-13ubuntu3.2.diff.gz [2] https://lists.debian.org/debian-security-announce/2015/msg00298.html [3] https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u2.debdiff [4] https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1513293/comments/13 |
csiz-underflow.patch-fixup.pa...
This task depends upon
Closed by Lukas Fleischer (lfleischer)
Sunday, 17 April 2016, 07:01 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 6.0-12.
Sunday, 17 April 2016, 07:01 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 6.0-12.