FS#73542 - [unzip] [security] CVE-2021-4217
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 28 January 2022, 18:33 GMT
Last edited by Jonas Witschel (diabonas) - Wednesday, 16 February 2022, 17:15 GMT
Details
Description:
The unzip package is vulnerable to CVE-2021-4217. Since upstream is long gone, there is no official fix.
Additional info:
An unvetted patch is available at the launchpad link below if someone familiar with the codebase can review it and decide if it properly fixes the bug.
https://bugs.launchpad.net/bugs/1957077
https://bugzilla.redhat.com/show_bug.cgi?id=2044583
Closed by Jonas Witschel (diabonas)
Wednesday, 16 February 2022, 17:15 GMT
Reason for closing: Fixed
Additional comments about closing: unzip 6.0-17
Comment by Jonas Witschel (diabonas) - Wednesday, 16 February 2022, 17:14 GMT
Thank you for the report! The first part (to fileio.c) of the
proposed patch
https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
for this issue is already covered by
https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-valgrind.patch
so Arch is not affected by this. The second part to process.c
looks good to me, and after applying it the reproducer does not
manage to crash unzip any more. I have applied it as
https://github.com/archlinux/svntogit-packages/blob/packages/unzip/trunk/unzip-6.0_CVE-2021-4217.patch
and released unzip 6.0-17.