Debian Bug report logs - #903196
zip: CVE-2018-13410

Package: src:zip; Maintainer for src:zip is Santiago Vila <sanvila@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jul 2018 12:21:01 UTC

Severity: normal

Tags: security, upstream

Found in version zip/3.0-11



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#903196; Package src:zip. (Sat, 07 Jul 2018 12:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Sat, 07 Jul 2018 12:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zip: CVE-2018-13410
Date: Sat, 07 Jul 2018 14:19:08 +0200
Source: zip
Version: 3.0-11
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for zip. Note it is really
disputed as security issue, filing this bug only for tracking the
underlying bug in case it gets fixed. A possible attack scenario
would involve an untrusted party which controls the -TT value. Still
filing a bug for tracking the bug/issue.

CVE-2018-13410[0]:
| ** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line
| options are used, allows attackers to cause a denial of service
| (invalid free and application crash) or possibly have unspecified other
| impact because of an off-by-one error. NOTE: it is unclear whether
| there are realistic scenarios in which an untrusted party controls the
| -TT value, given that the entire purpose of -TT is execution of
| arbitrary commands.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13410
[1] http://seclists.org/fulldisclosure/2018/Jul/24

Regards,
Salvatore
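The report above states only the defect class (an off-by-one while handling the user-supplied -TT command string, surfacing as an invalid free) and does not include the affected zip source. The following C program is an added illustration, not Info-ZIP's code and not the exact location of the upstream bug: it models the pattern -TT describes, a command template in which `{}` is replaced by the archive name, shows a size computation that is one byte short of what the built string needs, and contrasts it with a builder that sizes the buffer exactly and bounds the write with `snprintf`. A one-byte heap overrun of this kind typically goes unnoticed until the allocator inspects the corrupted chunk metadata at `free()`, which is the failure mode the CVE text names. The function names and template strings are constructed for the example.

```c
/*
 * Constructed illustration of an off-by-one in sizing a command buffer.
 * Not Info-ZIP's source; the template/name inputs are made up.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes required, including the terminating NUL, for tmpl with "{}"
 * replaced by name, or "tmpl name" when tmpl has no "{}". */
static size_t needed_size(const char *tmpl, const char *name) {
    const char *here = strstr(tmpl, "{}");
    if (here)
        /* template minus the two "{}" characters, plus name, plus NUL */
        return strlen(tmpl) - 2 + strlen(name) + 1;
    /* template, a separating space, name, NUL */
    return strlen(tmpl) + 1 + strlen(name) + 1;
}

/* The flawed computation: in the "{}" branch the terminating NUL is
 * forgotten, so strcpy/strcat into a buffer of this size writes one
 * byte past the allocation. Only the size is returned here; nothing
 * is written with it. */
static size_t buggy_size(const char *tmpl, const char *name) {
    const char *here = strstr(tmpl, "{}");
    if (here)
        return strlen(tmpl) - 2 + strlen(name);   /* off by one */
    return strlen(tmpl) + 1 + strlen(name) + 1;
}

/* Returns 1 when the flawed computation under-allocates for these inputs. */
int buggy_is_short(const char *tmpl, const char *name) {
    return buggy_size(tmpl, name) < needed_size(tmpl, name);
}

/* Hardened builder: allocates exactly needed_size() bytes, bounds the
 * write with snprintf, and refuses to return a truncated result, so a
 * miscomputed size can never become an out-of-bounds write. Caller
 * frees the result. */
char *build_test_command(const char *tmpl, const char *name) {
    size_t need = needed_size(tmpl, name);
    char *cmd = malloc(need);
    if (cmd == NULL)
        return NULL;

    const char *here = strstr(tmpl, "{}");
    int n;
    if (here)
        n = snprintf(cmd, need, "%.*s%s%s",
                     (int)(here - tmpl), tmpl, name, here + 2);
    else
        n = snprintf(cmd, need, "%s %s", tmpl, name);

    if (n < 0 || (size_t)n >= need) {  /* would not have fit: fail closed */
        free(cmd);
        return NULL;
    }
    return cmd;
}

int main(void) {
    /* constructed inputs */
    const char *tmpl = "unzip -t {} -q";
    const char *name = "archive.zip";

    printf("needed=%zu buggy=%zu short=%d\n",
           needed_size(tmpl, name), buggy_size(tmpl, name),
           buggy_is_short(tmpl, name));

    char *cmd = build_test_command(tmpl, name);
    if (cmd != NULL) {
        printf("built: \"%s\"\n", cmd);
        free(cmd);
    }
    return 0;
}
```

Running the program shows the flawed computation coming up one byte short whenever the template contains `{}`, while the `snprintf`-bounded builder produces the expected string with exactly the bytes it allocated. Compiling with `-fsanitize=address` and writing through the buggy size is the usual way to make such a defect visible before it reaches `free()`.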



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#903196; Package src:zip. (Sat, 07 Jul 2018 12:39:05 GMT)


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Sat, 07 Jul 2018 12:39:05 GMT)


Message #10 received at 903196@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Salvatore Bonaccorso <carnil@debian.org>, 903196@bugs.debian.org
Subject: Re: Bug#903196: zip: CVE-2018-13410
Date: Sat, 7 Jul 2018 14:35:41 +0200
On Sat, Jul 07, 2018 at 02:19:08PM +0200, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-13410
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13410
> [1] http://seclists.org/fulldisclosure/2018/Jul/24

Thank you. I'll start by contacting whoever is in charge of
the phpbb discussion forum, because it's currently down :-(



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:42:29 2019; Machine Name: beach