FS#69739 - [unzip] add patch for CVE-2018-1000035

Attached to Project: Arch Linux
Opened by Conrad Hoffmann (conrausch) - Monday, 22 February 2021, 22:33 GMT
Last edited by Jonas Witschel (diabonas) - Wednesday, 03 November 2021, 13:34 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Architecture All
Severity High
Priority Urgent
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

According to AVG-611 [1], the Arch unzip package is vulnerable to CVE-2018-1000035 [2]. Debian ships a patch [3] for this, see also the respective Debian bug report [4]. Since Arch already ships some Debian patches to unzip, maybe this one could be added and the AVG closed?

The patch applies cleanly. For what it's worth I am attaching the git diff I used for testing.


[1] https://security.archlinux.org/AVG-611
[2] https://security.archlinux.org/CVE-2018-1000035
[3] https://sources.debian.org/data/main/u/unzip/6.0-21+deb9u2/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838

Cheers,
Conrad

Closed by  Jonas Witschel (diabonas)
Wednesday, 03 November 2021, 13:34 GMT
Reason for closing:  Fixed
Additional comments about closing:  unzip 6.0-15 in [testing]
