
FS#69739 - [unzip] add patch for CVE-2018-1000035

Attached to Project: Arch Linux
Opened by Conrad Hoffmann (conrausch) - Monday, 22 February 2021, 22:33 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 23 February 2021, 07:15 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Lukas Fleischer (lfleischer)
Architecture: All
Severity: High
Priority: Urgent
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

According to AVG-611 [1], the Arch unzip package is vulnerable to CVE-2018-1000035 [2]. Debian ships a patch [3] for this, see also the respective Debian bug report [4]. Since Arch already ships some Debian patches to unzip, maybe this one could be added and the AVG closed?

The patch applies cleanly. For what it's worth I am attaching the git diff I used for testing.


[1] https://security.archlinux.org/AVG-611
[2] https://security.archlinux.org/CVE-2018-1000035
[3] https://sources.debian.org/data/main/u/unzip/6.0-21+deb9u2/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838

Cheers,
Conrad