Debian Bug report logs -
#889838
unzip: CVE-2018-1000035: Heap-based buffer overflow in password protected ZIP archives
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>: Bug#889838; Package src:unzip. (Wed, 07 Feb 2018 17:54:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Wed, 07 Feb 2018 17:54:05 GMT)

Message #5 received at submit@bugs.debian.org:
Source: unzip
Version: 6.0-16
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for unzip.
CVE-2018-1000035[0]:
Heap-based buffer overflow in password protected ZIP archives
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035
[1] https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#889838; Package src:unzip. (Thu, 08 Feb 2018 00:39:03 GMT)
Acknowledgement sent to Santiago Vila <sanvila@unex.es>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Thu, 08 Feb 2018 00:39:03 GMT)

Message #12 received at 889838@bugs.debian.org:
forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
thanks
Hello Salvatore. Thanks for the report. I've just forwarded it
upstream as a first step.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:45:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:45:03 GMT)

Message #17 received at 889838@bugs.debian.org:
On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> thanks
>
> Hello Salvatore. Thanks for the report. I've just forwarded it
> upstream as a first step.
Was there any outcome/result?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:45:05 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:45:05 GMT)

Message #22 received at 889838@bugs.debian.org:
On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> thanks
>
> Hello Salvatore. Thanks for the report. I've just forwarded it
> upstream as a first step.
SuSE fixed this with the patch linked from https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-1000035
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#889838; Package src:unzip. (Fri, 08 Feb 2019 21:51:06 GMT)
Acknowledgement sent to Santiago Vila <sanvila@unex.es>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 08 Feb 2019 21:51:06 GMT)

Message #27 received at 889838@bugs.debian.org:
On Fri, Feb 08, 2019 at 10:40:12PM +0100, Moritz Mühlenhoff wrote:
> On Thu, Feb 08, 2018 at 01:29:07AM +0100, Santiago Vila wrote:
> > forwarded 889838 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
> > thanks
> >
> > Hello Salvatore. Thanks for the report. I've just forwarded it
> > upstream as a first step.
>
> Was there any outcome/result?
The phpBB forum in the forwarded line above disappeared from earth,
so I have to contact them privately using an email address which they
dislike very much to be shown in public. Maybe I offer to host a phpbb
forum on my own if they can't, as there is currently no sane way to
mark an issue as "forwarded".
I'll take a look at the suse patch in your other email and will
probably go ahead without upstream if the patch is clean enough.
Thanks.
Reply sent to Santiago Vila <sanvila@debian.org>: You have taken responsibility. (Sat, 09 Feb 2019 17:39:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 09 Feb 2019 17:39:06 GMT)

Message #32 received at 889838-close@bugs.debian.org:
Source: unzip
Source-Version: 6.0-22
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 Feb 2019 18:12:00 +0100
Source: unzip
Architecture: source
Version: 6.0-22
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Closes: 889838
Changes:
 unzip (6.0-22) unstable; urgency=medium
 .
   * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
     Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
   * Rules-Requires-Root: no.
Checksums-Sha1:
4af9e076ed0b3abd5ddee18fa8e3f8639bb7418b 1344 unzip_6.0-22.dsc
a59b77b7e3b6e5dbcb32a19df6656d506797c68b 18212 unzip_6.0-22.debian.tar.xz
9b0c7e461ad5e1cd86d79f2e77027b93ac817393 4596 unzip_6.0-22_source.buildinfo
Checksums-Sha256:
22cf3115ada5ad5e9c232d8bc39e4452a1891f75e64e95053f696e80938e94c7 1344 unzip_6.0-22.dsc
f3c80c1e3917d59cb2fe72f0431159c919f2df7fc96f5b539c91cc96fc02ecfa 18212 unzip_6.0-22.debian.tar.xz
f496b07f19f427e49ec022bc41ff19676c41b887282f78d8b2ea775b1a137b95 4596 unzip_6.0-22_source.buildinfo
Files:
281e654f5bc5080f32d30db38b18bfcb 1344 utils optional unzip_6.0-22.dsc
a0c128f25ad6e13e86f625a782af54f2 18212 utils optional unzip_6.0-22.debian.tar.xz
e8f0a6c647d374e378e632e4a7258674 4596 utils optional unzip_6.0-22_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAlxfCv0ACgkQQc5/C58b
izKPXAf9FtLg1hC8niRdE9y6PYPmKXX5RJXUALb7Hh8EpBAd+uCOKVogGqeGetsZ
T3ky1rmG/ONE/6IyuOU3ADV1a08W+vw2Hn8am5uu2/l503wcZriJ3pQOSYzusfQ7
6cpq3l6N2ITQW85UDUy76zPGXOW1jzPISgYs3T+OAulHTqSx5+lIZn3g/o5tXBmf
x2qjy59UjCFlpAxqdmwFMfupru3Bjs2mpx57gxf30kY4zDm95LxRXwVGxxqkc6rZ
ZffkNmXeHlQNP+WbCDJEegTYO8tltUDvBF/IrO1QfSXz6I5lZJ6y65pUmZ2iLTE6
kYVJ+9PINe0ZVerOjxLPkjcEl6N6fA==
=QpIB
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Mar 2019 07:29:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:50:14 2019; Machine Name: buxtehude

Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.