Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#73542 - [unzip] [security] CVE-2021-4217
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 28 January 2022, 18:33 GMT
Last edited by Jonas Witschel (diabonas) - Wednesday, 16 February 2022, 17:15 GMT
Details

Description:
The unzip package is vulnerable to CVE-2021-4217. Since upstream is long gone, there is no official fix.

Additional info:
An unvetted patch is available at the launchpad link below if someone familiar with the codebase can review it and decide if it properly fixes the bug.

https://bugs.launchpad.net/bugs/1957077
https://bugzilla.redhat.com/show_bug.cgi?id=2044583
Closed by Jonas Witschel (diabonas)
Wednesday, 16 February 2022, 17:15 GMT
Reason for closing: Fixed
Additional comments about closing: unzip 6.0-17
Comment by Jonas Witschel (diabonas) -
Wednesday, 16 February 2022, 17:14 GMT
Thank you for the report! The first part (to fileio.c) of the proposed patch https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch for this issue is already covered by https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-valgrind.patch so Arch is not affected by this. The second part to process.c looks good to me, and after applying it the reproducer does not manage to crash unzip any more. I have applied it as https://github.com/archlinux/svntogit-packages/blob/packages/unzip/trunk/unzip-6.0_CVE-2021-4217.patch and released unzip 6.0-17.