FS#69739 - [unzip] add patch for CVE-2018-1000035
Attached to Project:
Arch Linux
Opened by Conrad Hoffmann (conrausch) - Monday, 22 February 2021, 22:33 GMT
Last edited by Jonas Witschel (diabonas) - Wednesday, 03 November 2021, 13:34 GMT
Details
Description:
According to AVG-611 [1], the Arch unzip package is vulnerable to CVE-2018-1000035 [2]. Debian ships a patch [3] for this, see also the respective Debian bug report [4]. Since Arch already ships some Debian patches to unzip, maybe this one could be added and the AVG closed? The patch applies cleanly. For what it's worth I am attaching the git diff I used for testing.

[1] https://security.archlinux.org/AVG-611
[2] https://security.archlinux.org/CVE-2018-1000035
[3] https://sources.debian.org/data/main/u/unzip/6.0-21+deb9u2/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838

Cheers,
Conrad
Closed by Jonas Witschel (diabonas)
Wednesday, 03 November 2021, 13:34 GMT
Reason for closing: Fixed
Additional comments about closing: unzip 6.0-15 in [testing]