unzip: CVE-2014-9636 heap overflow via mismatched block sizes


Debian Bug report logs - #776589


Package: unzip; Maintainer for unzip is Santiago Vila <sanvila@debian.org>; Source for unzip is src:unzip (PTS, buildd, popcon).

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Thu, 29 Jan 2015 16:54:02 UTC

Severity: normal

Tags: patch, security, upstream

Found in versions unzip/6.0-4, unzip/6.0-13

Fixed in versions unzip/6.0-15, unzip/6.0-8+deb7u2, unzip/6.0-4+deb6u2

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#776589; Package unzip. (Thu, 29 Jan 2015 16:54:07 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. (Thu, 29 Jan 2015 16:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unzip: CVE-2014-9636 heap overflow via mismatched block sizes
Date: Thu, 29 Jan 2015 11:51:11 -0500
Package: unzip
Version: 6.0-13
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: heap overflow via mismatched block sizes
    - debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
      uncompressed block sizes match when using STORED method in extract.c.
    - CVE-2014-9636


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[unzip_6.0-13ubuntu2.debdiff (text/x-diff, attachment)]
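The size consistency check the patch description above refers to, as an added C example modelled on the fix rather than taken from unzip's own extract.c: the extra-block layout, the constant names and the sample blocks are simplified assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified compressed extra-block layout, modelled on what unzip's extract.c
 * parses (an assumption: the real field offsets and constants are not on this page):
 *   bytes 0..3 uncompressed size (little-endian), bytes 4..5 method (0 = STORED),
 *   bytes 6.. the payload, (eb_len - EB_CMPRHEADLEN) bytes long. */
#define EB_CMPRHEADLEN 6
#define EB_STORED      0

static uint32_t le32(const unsigned char *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* The check the CVE-2014-9636 fix adds: a STORED block is copied verbatim, so its
 * payload length must equal the declared uncompressed size; a mismatch means the
 * copy runs past one of the two buffers. Returns 0 if consistent, -1 if not. */
int check_stored_eb(const unsigned char *eb, size_t eb_len, uint32_t *ucsize_out) {
    if (eb_len < EB_CMPRHEADLEN) return -1;               /* truncated header */
    uint32_t ucsize = le32(eb);
    unsigned method = (unsigned)eb[4] | (unsigned)eb[5] << 8;
    size_t csize = eb_len - EB_CMPRHEADLEN;
    if (method == EB_STORED && csize != (size_t)ucsize) return -1;
    if (ucsize_out) *ucsize_out = ucsize;
    return 0;
}

/* Expand a STORED block into a freshly allocated ucsize-byte buffer, copying only
 * after the sizes have been checked. Returns NULL for malformed input. */
unsigned char *expand_stored_eb(const unsigned char *eb, size_t eb_len, uint32_t *ucsize_out) {
    uint32_t ucsize;
    if (check_stored_eb(eb, eb_len, &ucsize) != 0) return NULL;
    unsigned char *buf = malloc(ucsize ? ucsize : 1);
    if (!buf) return NULL;
    memcpy(buf, eb + EB_CMPRHEADLEN, ucsize);   /* safe: csize == ucsize */
    if (ucsize_out) *ucsize_out = ucsize;
    return buf;
}

/* Expand and compare against expected bytes; returns 1 on match, 0 otherwise. */
int expands_to(const unsigned char *eb, size_t eb_len, const char *want, size_t want_len) {
    uint32_t n = 0;
    unsigned char *buf = expand_stored_eb(eb, eb_len, &n);
    int ok = buf != NULL && n == want_len && memcmp(buf, want, want_len) == 0;
    free(buf);
    return ok;
}
/* Constructed sample blocks (not from any real archive). */
const unsigned char good_eb[] = { 4,0,0,0, 0,0, 'a','b','c','d' };     /* ucsize 4, 4-byte payload */
const unsigned char bad_eb[]  = { 16,0,0,0, 0,0, 'a','b','c','d' };    /* claims 16 bytes, has 4 */
const unsigned char deflate_eb[] = { 4,0,0,0, 8,0, 'x','y' };          /* method 8: size check n/a */
```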

Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Jan 2015 17:00:24 GMT)


Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2015 18:06:13 GMT)


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Thu, 29 Jan 2015 18:06:13 GMT)


Message #12 received at 776589-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 776589-close@bugs.debian.org
Subject: Bug#776589: fixed in unzip 6.0-15
Date: Thu, 29 Jan 2015 18:03:40 +0000
Source: unzip
Source-Version: 6.0-15

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Jan 2015 18:39:52 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-15
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 unzip      - De-archiver for .zip files
Closes: 776589
Changes:
 unzip (6.0-15) unstable; urgency=medium
 .
   * Fix heap overflow. Ensure that compressed and uncompressed
     block sizes match when using STORED method in extract.c.
     Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
     For reference, this is CVE-2014-9636.


Marked as found in versions unzip/6.0-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Jan 2015 18:42:05 GMT)


Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Thu, 05 Feb 2015 19:36:14 GMT)


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Thu, 05 Feb 2015 19:36:14 GMT)


Message #19 received at 776589-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 776589-close@bugs.debian.org
Subject: Bug#776589: fixed in unzip 6.0-8+deb7u2
Date: Thu, 05 Feb 2015 19:32:56 +0000
Source: unzip
Source-Version: 6.0-8+deb7u2

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Feb 2015 23:48:28 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-8+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 unzip      - De-archiver for .zip files
Closes: 775640 776589
Changes: 
 unzip (6.0-8+deb7u2) wheezy-security; urgency=high
 .
   * Security upload.
   * CVE-2014-9636: Fix heap overflow. Ensure that compressed
     and uncompressed block sizes match when using STORED method
     in extract.c. Closes: #776589.
   * CVE-2014-8139: Update patch. The old one was not right
     and had regressions with executable jar files. Closes: #775640


Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Sat, 07 Feb 2015 13:36:09 GMT)


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Sat, 07 Feb 2015 13:36:09 GMT)


Message #24 received at 776589-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 776589-close@bugs.debian.org
Subject: Bug#776589: fixed in unzip 6.0-4+deb6u2
Date: Sat, 07 Feb 2015 13:33:30 +0000
Source: unzip
Source-Version: 6.0-4+deb6u2

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Feb 2015 14:01:00 +0100
Source: unzip
Binary: unzip
Architecture: source i386
Version: 6.0-4+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 unzip      - De-archiver for .zip files
Closes: 775640 776589
Changes: 
 unzip (6.0-4+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * CVE-2014-9636: Fix heap overflow. Ensure that compressed
     and uncompressed block sizes match when using STORED method
     in extract.c. Closes: #776589.
   * CVE-2014-8139: Update patch. The old one was not right
     and had regressions with executable jar files. Closes: #775640


Message #25 received at 776589-close@bugs.debian.org:

From: mancha <mancha1@zoho.com>
To: 776589-close@bugs.debian.org
Cc: marc.deslauriers@ubuntu.com
Subject: CVE-2014-9636
Date: Wed, 11 Feb 2015 19:36:08 +0000
Hi.

Please take note of http://seclists.org/oss-sec/2015/q1/513

--mancha

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Mar 2015 07:27:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:35 2019; Machine Name: buxtehude
