Debian Bug report logs - #913165

zziplib: CVE-2018-7726 CVE-2018-7725


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 7 Nov 2018 18:54:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version zziplib/0.13.62-3.1

Fixed in version zziplib/0.13.62-3.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Scott Howard <showard@debian.org>:
Bug#913165; Package src:zziplib. (Wed, 07 Nov 2018 18:54:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Scott Howard <showard@debian.org>. (Wed, 07 Nov 2018 18:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-7727 CVE-2018-7726 CVE-2018-7725
Date: Wed, 07 Nov 2018 19:51:10 +0100
Source: zziplib
Severity: important
Tags: security

Please see
https://security-tracker.debian.org/tracker/CVE-2018-7727
https://security-tracker.debian.org/tracker/CVE-2018-7726
https://security-tracker.debian.org/tracker/CVE-2018-7725

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Nov 2018 19:48:03 GMT)


Marked as found in versions zziplib/0.13.62-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Nov 2018 19:48:05 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 25 Feb 2019 19:24:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#913165; Package src:zziplib. (Sun, 03 Mar 2019 13:36:16 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Sun, 03 Mar 2019 13:36:16 GMT)


Message #16 received at 913165@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 913165@bugs.debian.org
Subject: Re: Bug#913165: CVE-2018-7727 CVE-2018-7726 CVE-2018-7725
Date: Sun, 3 Mar 2019 14:35:53 +0100
Control: retitle -1 zziplib: CVE-2018-7726 CVE-2018-7725

Hi,

On Wed, Nov 07, 2018 at 07:51:10PM +0100, Moritz Muehlenhoff wrote:
> Source: zziplib
> Severity: important
> Tags: security
> 
> Please see
> https://security-tracker.debian.org/tracker/CVE-2018-7727
> https://security-tracker.debian.org/tracker/CVE-2018-7726
> https://security-tracker.debian.org/tracker/CVE-2018-7725

From the above I think CVE-2018-7727 is unimportant as the
unzzipcat-mem and unzzipdir-mem tools are not installed into the
binary packages (unless I miss something).

Regards,
Salvatore



Changed Bug title to 'zziplib: CVE-2018-7726 CVE-2018-7725' from 'CVE-2018-7727 CVE-2018-7726 CVE-2018-7725'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 913165-submit@bugs.debian.org. (Sun, 03 Mar 2019 13:36:16 GMT)


Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 889089-submit@bugs.debian.org. (Mon, 04 Mar 2019 14:21:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#913165; Package src:zziplib. (Mon, 04 Mar 2019 14:21:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Mon, 04 Mar 2019 14:21:11 GMT)


Message #25 received at 913165@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889089@bugs.debian.org, 889096@bugs.debian.org, 913165@bugs.debian.org, 923659@bugs.debian.org
Subject: zziplib: diff for NMU version 0.13.62-3.2
Date: Mon, 4 Mar 2019 15:16:59 +0100
Control: tags 889089 + patch
Control: tags 889096 + patch
Control: tags 913165 + patch
Control: tags 923659 + patch

Dear maintainer,

Attached is a (preliminary) debdiff for a zziplib update fixing some
of the open CVEs (though not all). I have not yet uploaded it to any
delayed queue.

Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#913165; Package src:zziplib. (Mon, 04 Mar 2019 22:00:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Mon, 04 Mar 2019 22:00:09 GMT)


Message #30 received at 913165@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889089@bugs.debian.org, 889096@bugs.debian.org, 910335@bugs.debian.org, 913165@bugs.debian.org, 923659@bugs.debian.org
Subject: zziplib: diff for NMU version 0.13.62-3.2
Date: Mon, 4 Mar 2019 22:56:51 +0100
Control: tags 910335 + patch

Dear maintainer,

Updated debdiff to include as well fixes for #910335.

Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 889089-submit@bugs.debian.org. (Wed, 06 Mar 2019 22:42:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#913165; Package src:zziplib. (Wed, 06 Mar 2019 22:42:13 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Wed, 06 Mar 2019 22:42:13 GMT)


Message #37 received at 913165@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889089@bugs.debian.org, 889096@bugs.debian.org, 910335@bugs.debian.org, 913165@bugs.debian.org, 923659@bugs.debian.org
Subject: zziplib: diff for NMU version 0.13.62-3.2
Date: Wed, 6 Mar 2019 23:38:56 +0100
Control: tags 889089 + pending
Control: tags 889096 + pending
Control: tags 910335 + pending
Control: tags 913165 + pending
Control: tags 923659 + pending


Dear maintainer,

I've prepared an NMU for zziplib (versioned as 0.13.62-3.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 11 Mar 2019 23:09:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 11 Mar 2019 23:09:09 GMT)


Message #42 received at 913165-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 913165-close@bugs.debian.org
Subject: Bug#913165: fixed in zziplib 0.13.62-3.2
Date: Mon, 11 Mar 2019 23:05:24 +0000
Source: zziplib
Source-Version: 0.13.62-3.2

We believe that the bug you reported is fixed in the latest version of
zziplib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated zziplib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 04 Mar 2019 22:43:14 +0100
Source: zziplib
Architecture: source
Version: 0.13.62-3.2
Distribution: unstable
Urgency: medium
Maintainer: Scott Howard <showard@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889089 889096 910335 913165 923659
Changes:
 zziplib (0.13.62-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Invalid memory access in zzip_disk_fread (CVE-2018-6381) (Closes: #889096)
   * Reject the ZIP file and report it as corrupt if the size of the central
     directory and/or the offset of start of central directory point beyond the
     end of the ZIP file (CVE-2018-6484, CVE-2018-6541, CVE-2018-6869)
     (Closes: #889089)
   * bus error in zzip_disk_findfirst function in zzip/mmapped.c
     (CVE-2018-6540) (Closes: #923659)
   * out of bound read in mmapped.c:zzip_disk_fread() causes crash
     (CVE-2018-7725) (Closes: #913165)
   * Bus error in zip.c:__zzip_parse_root_directory() cause crash via crafted
     zip file (CVE-2018-7726) (Closes: #913165)
   * Memory leak triggered in the function __zzip_parse_root_directory in zip.c
     (CVE-2018-16548) (Closes: #910335)
Checksums-Sha1:
 e2ca280645d97a2ebfb615214f059f08ff3b9902 2191 zziplib_0.13.62-3.2.dsc
 1d7b30a6a71bc1fa91e331df4920c64a31bf98f4 16416 zziplib_0.13.62-3.2.debian.tar.xz
Checksums-Sha256:
 c02427dd520086d8709cbb1b691f469686a74a05aac646d51cee47b4353c15bf 2191 zziplib_0.13.62-3.2.dsc
 cbe442563e0e9c1fdb83847442ddd0be5ec72e64689e08ab3b19cabb72650d81 16416 zziplib_0.13.62-3.2.debian.tar.xz
Files:
 7cc4e8d59bc763d95e1eb9f42a7628cf 2191 libs optional zziplib_0.13.62-3.2.dsc
 08bad4fd3cad2e7b7f38ca5b621377f1 16416 libs optional zziplib_0.13.62-3.2.debian.tar.xz
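The changelog entry for CVE-2018-6484, CVE-2018-6541 and CVE-2018-6869 above states the check in one sentence: reject the archive as corrupt if the central directory's size or its start offset points beyond the end of the file. The crafted archives behind the other entries (the out-of-bound read in zzip_disk_fread, the bus error in __zzip_parse_root_directory) are the kind of input such a check is meant to stop before any header inside the central directory is dereferenced. The following is an added example of that bounds check, written for this page; it is not zziplib's code and not taken from the attached debdiff. It assumes only the standard ZIP end-of-central-directory (EOCD) layout; the function names (find_eocd, zip_check_central_directory, build_zip, check_built), the result codes and the constructed one-entry sample archive are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EOCD_SIG 0x06054b50u   /* "PK\5\6": end-of-central-directory record */
#define EOCD_MIN_SIZE 22       /* EOCD record size without the trailing comment */

/* Result codes of the validator (names chosen for this example). */
enum zip_check {
    ZIP_OK = 0,
    ZIP_NO_EOCD = 1,          /* no end-of-central-directory record found */
    ZIP_CDIR_OFFSET_OOB = 2,  /* central directory starts beyond the end of the file */
    ZIP_CDIR_SIZE_OOB = 3     /* central directory runs past the end of the file */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Scan backwards for the EOCD record; it may be followed by a comment of up to 65535 bytes,
 * so a candidate is accepted only if its comment length lands exactly on the buffer end. */
static const uint8_t *find_eocd(const uint8_t *buf, size_t len) {
    if (len < EOCD_MIN_SIZE) return NULL;
    size_t lowest = len > EOCD_MIN_SIZE + 0xFFFFu ? len - (EOCD_MIN_SIZE + 0xFFFFu) : 0;
    size_t pos = len - EOCD_MIN_SIZE;
    for (;;) {
        if (rd32(buf + pos) == EOCD_SIG && pos + EOCD_MIN_SIZE + rd16(buf + pos + 20) == len)
            return buf + pos;
        if (pos == lowest) break;
        pos--;
    }
    return NULL;
}

/* The check the changelog describes: both the start offset and the size of the central
 * directory must stay inside the file. The central directory can end at the EOCD record
 * at the latest. Written with subtractions so that offset + size cannot wrap around. */
enum zip_check zip_check_central_directory(const uint8_t *buf, size_t len) {
    const uint8_t *eocd = find_eocd(buf, len);
    if (!eocd) return ZIP_NO_EOCD;
    uint32_t cdir_size = rd32(eocd + 12);
    uint32_t cdir_off = rd32(eocd + 16);
    size_t eocd_pos = (size_t)(eocd - buf);
    if (cdir_off > eocd_pos) return ZIP_CDIR_OFFSET_OOB;
    if (cdir_size > eocd_pos - cdir_off) return ZIP_CDIR_SIZE_OOB;
    return ZIP_OK;
}

/* Standard CRC-32 (reflected, polynomial 0xEDB88320) for the sample entry. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Constructed sample input: a one-entry stored archive ("a.txt" containing "hi"), 110 bytes.
 * The EOCD size/offset fields come from the arguments so a corrupt archive can be built
 * from the same helper. An honest archive has cdir_size 51 and cdir_off 37. */
#define SAMPLE_ZIP_LEN 110
static size_t build_zip(uint8_t out[SAMPLE_ZIP_LEN], uint32_t cdir_size, uint32_t cdir_off) {
    static const uint8_t data[2] = { 'h', 'i' };
    uint32_t crc = crc32_bytes(data, sizeof data);
    uint8_t *p = out;
    memset(out, 0, SAMPLE_ZIP_LEN);
    /* local file header (30 bytes) + name (5) + data (2) at offset 0 */
    wr32(p, 0x04034b50u); wr16(p + 4, 20); wr16(p + 8, 0);   /* version 2.0, method: stored */
    wr32(p + 14, crc); wr32(p + 18, 2); wr32(p + 22, 2); wr16(p + 26, 5);
    memcpy(p + 30, "a.txt", 5); memcpy(p + 35, data, 2);
    p += 37;
    /* central directory header (46 bytes) + name (5) at offset 37 */
    wr32(p, 0x02014b50u); wr16(p + 4, 20); wr16(p + 6, 20);
    wr32(p + 16, crc); wr32(p + 20, 2); wr32(p + 24, 2); wr16(p + 28, 5);
    wr32(p + 42, 0);                                          /* local header offset */
    memcpy(p + 46, "a.txt", 5);
    p += 51;
    /* end of central directory at offset 88: one entry, size/offset as requested */
    wr32(p, EOCD_SIG); wr16(p + 8, 1); wr16(p + 10, 1);
    wr32(p + 12, cdir_size); wr32(p + 16, cdir_off);
    p += EOCD_MIN_SIZE;
    return (size_t)(p - out);
}

/* Build the sample archive with the given EOCD fields and validate it. */
enum zip_check check_built(uint32_t cdir_size, uint32_t cdir_off) {
    uint8_t zip[SAMPLE_ZIP_LEN];
    size_t len = build_zip(zip, cdir_size, cdir_off);
    return zip_check_central_directory(zip, len);
}

int main(void) {
    printf("honest EOCD (size 51, offset 37): %d\n", check_built(51, 37));
    printf("offset past end of file:          %d\n", check_built(51, 0xFFFFFF00u));
    printf("size past end of file:            %d\n", check_built(0xFFFFFFF0u, 37));
    printf("size one byte too large:          %d\n", check_built(52, 37));
    return 0;
}
```

The validator deliberately compares against the position of the EOCD record rather than the raw file length, because a central directory that overlaps the EOCD is just as inconsistent as one that lies past it, and it keeps the 32-bit fields apart so that a huge size combined with a small offset cannot wrap to a value that passes a naive `offset + size <= len` test on a 32-bit size_t. A consumer that memory-maps the archive, as zziplib's mmapped.c reader does, should run a check of this shape before it follows the offset into the central directory.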




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Apr 2019 07:36:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:20 2019; Machine Name: buxtehude
