Debian Bug report logs -
#889089
zziplib: CVE-2018-6484: Bus error in __zzip_fetch_disk_trailer
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Scott Howard <showard@debian.org>:
Bug#889089; Package src:zziplib.
(Thu, 01 Feb 2018 21:00:16 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Scott Howard <showard@debian.org>.
(Thu, 01 Feb 2018 21:00:16 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: zziplib
Version: 0.13.62-3
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for zziplib.
CVE-2018-6484[0]:
| In ZZIPlib 0.13.67, there is a memory alignment error and bus error in
| the __zzip_fetch_disk_trailer function of zzip/zip.c. Remote attackers
| could leverage this vulnerability to cause a denial of service via a
| crafted zip file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-6484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6484
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 12 Feb 2018 17:35:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#889089; Package src:zziplib.
(Sun, 03 Mar 2019 12:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>.
(Sun, 03 Mar 2019 12:09:05 GMT) (full text, mbox, link).
Message #14 received at 889089@bugs.debian.org (full text, mbox, reply):
Furthermore CVE-2018-6869 is fixed with the same upstream commit
https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#889089; Package src:zziplib.
(Mon, 04 Mar 2019 14:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>.
(Mon, 04 Mar 2019 14:21:06 GMT) (full text, mbox, link).
Message #19 received at 889089@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 889089 + patch
Control: tags 889096 + patch
Control: tags 913165 + patch
Control: tags 923659 + patch
Dear maintainer,
Attached is a (preliminarly) debdiff for a zziplib update fixing some
onf the open CVEs (though not all). I have not yet uploaded it to any
delayed queue.
Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 889089-submit@bugs.debian.org.
(Mon, 04 Mar 2019 14:21:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#889089; Package src:zziplib.
(Mon, 04 Mar 2019 22:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>.
(Mon, 04 Mar 2019 22:00:03 GMT) (full text, mbox, link).
Message #26 received at 889089@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 910335 + patch
Dear maintainer,
Updated debdiff to include as well fixes for #910335.
Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#889089; Package src:zziplib.
(Wed, 06 Mar 2019 22:42:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>.
(Wed, 06 Mar 2019 22:42:02 GMT) (full text, mbox, link).
Message #31 received at 889089@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 889089 + pending
Control: tags 889096 + pending
Control: tags 910335 + pending
Control: tags 913165 + pending
Control: tags 923659 + pending
Dear maintainer,
I've prepared an NMU for zziplib (versioned as 0.13.62-3.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[zziplib-0.13.62-3.2-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 889089-submit@bugs.debian.org.
(Wed, 06 Mar 2019 22:42:02 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Mon, 11 Mar 2019 23:09:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Mar 2019 23:09:03 GMT) (full text, mbox, link).
Message #38 received at 889089-close@bugs.debian.org (full text, mbox, reply):
Source: zziplib
Source-Version: 0.13.62-3.2
We believe that the bug you reported is fixed in the latest version of
zziplib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated zziplib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 Mar 2019 22:43:14 +0100
Source: zziplib
Architecture: source
Version: 0.13.62-3.2
Distribution: unstable
Urgency: medium
Maintainer: Scott Howard <showard@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889089 889096 910335 913165 923659
Changes:
zziplib (0.13.62-3.2) unstable; urgency=medium
.
* Non-maintainer upload.
* Invalid memory access in zzip_disk_fread (CVE-2018-6381) (Closes: #889096)
* Reject the ZIP file and report it as corrupt if the size of the central
directory and/or the offset of start of central directory point beyond the
end of the ZIP file (CVE-2018-6484, CVE-2018-6541, CVE-2018-6869)
(Closes: #889089)
* bus error in zzip_disk_findfirst function in zzip/mmapped.c
(CVE-2018-6540) (Closes: #923659)
* out of bound read in mmapped.c:zzip_disk_fread() causes crash
(CVE-2018-7725) (Closes: #913165)
* Bus error in zip.c:__zzip_parse_root_directory() cause crash via crafted
zip file (CVE-2018-7726) (Closes: #913165)
* Memory leak triggered in the function __zzip_parse_root_directory in zip.c
(CVE-2018-16548) (Closes: #910335)
Checksums-Sha1:
e2ca280645d97a2ebfb615214f059f08ff3b9902 2191 zziplib_0.13.62-3.2.dsc
1d7b30a6a71bc1fa91e331df4920c64a31bf98f4 16416 zziplib_0.13.62-3.2.debian.tar.xz
Checksums-Sha256:
c02427dd520086d8709cbb1b691f469686a74a05aac646d51cee47b4353c15bf 2191 zziplib_0.13.62-3.2.dsc
cbe442563e0e9c1fdb83847442ddd0be5ec72e64689e08ab3b19cabb72650d81 16416 zziplib_0.13.62-3.2.debian.tar.xz
Files:
7cc4e8d59bc763d95e1eb9f42a7628cf 2191 libs optional zziplib_0.13.62-3.2.dsc
08bad4fd3cad2e7b7f38ca5b621377f1 16416 libs optional zziplib_0.13.62-3.2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlyAS7FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ECbwQAIebRYZII6zTG+4qxbEBSb8JMZ9C27ZB
+kcie5p6ny1JpIbXKO1ubX6DGNTpcAU/DC6CgWa4xvHrWAJTqtWuh+g5Sp4Obyw7
qbUuHKX+eyrXCBuoz+wh4vGy7pKyDUVZY2aKJPPAC69go2lNnmMkwL24yN2LZLB9
3+BS+xOUPN5plXbOcgWtabS9I8WOvYoNh4vcxEjyHPtvAK7lB98berr/xaEF2PGx
iy6Dm2yKoj9O1xykaQbsHFBX3CcRR3cyb46J4HyYCmD9fdH82j6Rju3pn90/tY6u
t+d0+3e0fjyW1nO7KqAiZxBrqv9OC0XvrTMouhmw6J+w07z2YxhsRTJ07EAi9wPv
8mQC5LMnP0n6q25OhaGsNIRt4H5S1bySw29hH7Z9gpMNBXiqfuFrRvz1ILaXSZ6N
6ttDk5DXAZ+I+vrg0AQ4DHMXBicrrOg/4YE++6Hp0l/ynl1BtGQe2MU5GNxi3tMv
a1gu3rSmOLxXA98CSTJ1PAcx0BZa4YlpfDDg3+ODyjT5z8PqJgQxK+MvCAq0us4U
VgovKtAsP1+frBhdhc+SrMBHxoMr1aJIiPrU1g0S1CfXlXOQ1tmNmdoFyq1bZ8Sb
P0W3x8YIwO86wNn1AG8w/c1HM6Ifyj+kCu6ZOTuIsc9qPyVuQnffryWOeLDNshaT
PxKbNUOp/ahW
=QfJe
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 15 Apr 2019 07:33:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:05:50 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon