unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives

Debian Bug report logs - #889838

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Feb 2018 17:54:02 UTC

Severity: important

Tags: security, upstream

Found in version unzip/6.0-16

Fixed in version unzip/6.0-22

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#889838; Package src:unzip. (Wed, 07 Feb 2018 17:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Wed, 07 Feb 2018 17:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Date: Wed, 07 Feb 2018 18:50:29 +0100
Source: unzip
Version: 6.0-16
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for unzip.

CVE-2018-1000035[0]:
Heap-based buffer overflow in password protected ZIP archives

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035
[1] https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

Regards,
Salvatore

Set Bug forwarded-to-address to 'http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Thu, 08 Feb 2018 00:33:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#889838; Package src:unzip. (Thu, 08 Feb 2018 00:39:03 GMT)


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Thu, 08 Feb 2018 00:39:03 GMT)


Message #12 received at 889838@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Salvatore Bonaccorso <carnil@debian.org>, 889838@bugs.debian.org
Subject: Re: Bug#889838: unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Date: Thu, 8 Feb 2018 01:29:07 +0100
forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
thanks

Hello Salvatore. Thanks for the report. I've just forwarded it
upstream as a first step.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:45:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:45:03 GMT)


Message #17 received at 889838@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 889838@bugs.debian.org
Subject: Re: Bug#889838: unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Date: Fri, 8 Feb 2019 22:40:12 +0100
On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> thanks
> 
> Hello Salvatore. Thanks for the report. I've just forwarded it
> upstream as a first step.

Was there any outcome/result?

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:45:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:45:05 GMT)


Message #22 received at 889838@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 889838@bugs.debian.org
Subject: Re: Bug#889838: unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Date: Fri, 8 Feb 2019 22:41:05 +0100
On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> thanks
> 
> Hello Salvatore. Thanks for the report. I've just forwarded it
> upstream as a first step.

SuSE fixed this with the patch linked from https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-1000035

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:51:06 GMT)


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:51:06 GMT)


Message #27 received at 889838@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 889838@bugs.debian.org
Subject: Re: Bug#889838: unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Date: Fri, 8 Feb 2019 22:47:30 +0100
On Fri, Feb 08, 2019 at 10:40:12PM +0100, Moritz Mühlenhoff wrote:
> On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> > forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> > thanks
> > 
> > Hello Salvatore. Thanks for the report. I've just forwarded it
> > upstream as a first step.
> 
> Was there any outcome/result?

The phpBB forum in the forwarded line above disappeared from earth,
so I have to contact them privately using an email address which they
dislike very much to be shown in public. Maybe I offer to host a phpbb
forum on my own if they can't, as there is currently no sane way to
mark an issue as "forwarded".

I'll take a look at the suse patch in your other email and will
probably go ahead without upstream if the patch is clean enough.

Thanks.

Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Sat, 09 Feb 2019 17:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 Feb 2019 17:39:06 GMT)


Message #32 received at 889838-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 889838-close@bugs.debian.org
Subject: Bug#889838: fixed in unzip 6.0-22
Date: Sat, 09 Feb 2019 17:38:03 +0000
Source: unzip
Source-Version: 6.0-22

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 09 Feb 2019 18:12:00 +0100
Source: unzip
Architecture: source
Version: 6.0-22
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Closes: 889838
Changes:
 unzip (6.0-22) unstable; urgency=medium
 .
   * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
     Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
   * Rules-Requires-Root: no.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Mar 2019 07:29:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:50:14 2019; Machine Name: buxtehude