Fedora has issued an advisory on September 22:
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167145.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated unzip packages fix security vulnerabilities:

The unzip program is susceptible to heap overflow and denial of service issues when fed invalid input. It has been patched to correct these issues.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167145.html
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-13.1.mga5

from unzip-6.0-13.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
Testing MGA5 x64.

Some references for followers. THE one that matters is:
http://seclists.org/oss-sec/2015/q3/512
which contains links to two test files & the unzip instructions for them:

1) http://seclists.org/oss-sec/2015/q3/att-512/sigsegv_zip.bin [download as sigsegv.zip]
$ unzip -p -P x sigsegv.zip

2) http://seclists.org/oss-sec/2015/q3/att-512/sigxcpu_zip.bin [download as sigxcpu.zip]
$ unzip sigxcpu.zip

BEFORE the update: unzip-6.0-13.mga5

1) Output ends with
"  continuing with "compressed" size value
error: zipfile probably corrupt (segmentation violation)
Segmentation fault"

2)
CC: (none) => lewyssmith
2) continued...

$ unzip sigxcpu.zip
Archive: sigxcpu.zip
caution: zipfile comment truncated
warning [sigxcpu.zip]: 26 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [sigxcpu.zip]: reported length of central directory is
  -26 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
  zipfile?). Compensating...
   skipping: 8öHá `bzip2' method not supported
Â: ucsize 2 <> csize 0 for STORED entry
         continuing with "compressed" size value
 extracting:  bad CRC 00000000 (should be 00000003)
file #2: bad zipfile offset (local header sig): 83
  inflating: oO~MD
error: invalid compressed data to inflate
JÃ¥Â: ucsize 3 <> csize 4 for STORED entry
         continuing with "compressed" size value
 extracting: Jå bad CRC 6193e2f2 (should be 00000004)

AFTER the update: unzip-6.0-13.1.mga5

1) $ unzip -p -P x sigsegv.zip
Output ends with
"  continuing with "compressed" size value
   skipping: ^»Â.Là hp unable to get password
file #5: bad zipfile offset (EOF): 203
file #6: bad zipfile offset (EOF): 251
note: didn't find end-of-central-dir signature at end of central dir.
  (please check that you have transferred or created the zipfile in the
  appropriate BINARY mode and that you have compiled UnZip properly)"
so the segmentation fault is cured. OK.

2) $ unzip sigxcpu.zip
Archive: sigxcpu.zip
caution: zipfile comment truncated
warning [sigxcpu.zip]: 26 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [sigxcpu.zip]: reported length of central directory is
  -26 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
  zipfile?). Compensating...
   skipping: 8öHá `bzip2' method not supported
Â: ucsize 2 <> csize 0 for STORED entry
         continuing with "compressed" size value
replace Â? [y]es, [n]o, [A]ll, [N]one, [r]ename:
file #2: bad zipfile offset (local header sig): 83
replace oO~MD? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
JÃ¥Â: ucsize 3 <> csize 4 for STORED entry
         continuing with "compressed" size value
replace JÃ¥Â? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
[ends]

Output identical to pre-update as far as:
"continuing with "compressed" size value"
then differs, so something has changed; believe as OK.
Whiteboard: (none) => MGA5-64-OK
Testing mga5 32

The 'replace ? [y]es, [n]o,' etc. seems to show if the file already exists; guessing you didn't delete the unzipped garbage data before the 2nd attempt. I didn't either. Tried again after deleting it though, and the output for that one appears identical before and after updating.

No noticeable DoS on 10-year-old laptop before or after.

Adding the OK but unable to reproduce the infinite loop with bzip2, possibly due to..
   skipping: 8öHá `bzip2' method not supported
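A small harness for the two checks used in the comments above, added here as an example (it is not code from this bug report or from the unzip project). It runs the two commands from the oss-sec post under a CPU-time cap and a wall-clock cap so a looping unzip is killed instead of tying up the tester's machine, extracts into a throwaway directory so stale output files never trigger the 'replace ...?' prompt noted above, and turns unzip's exit status into a verdict. The 5 s / 30 s limits, the verdict names and the command-line file paths are assumptions.

```python
"""Harness for the two unzip checks quoted in this bug (added example, not from the bug or unzip)."""
import resource
import signal
import subprocess
import sys
import tempfile

CPU_SECONDS = 5     # assumed RLIMIT_CPU: a looping unzip gets SIGXCPU after this much CPU time
WALL_SECONDS = 30   # assumed wall-clock cap, in case the process blocks without burning CPU


def _limit_cpu():
    # Runs in the child right before exec, so the hard CPU cap applies to unzip only.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))


def classify(returncode, output):
    """Turn unzip's exit status (negative = killed by that signal) plus its text into a verdict."""
    if returncode == -signal.SIGSEGV or "segmentation violation" in output:
        return "CRASH"      # what unzip-6.0-13.mga5 did on sigsegv.zip
    if returncode is None or returncode == -signal.SIGXCPU:
        return "HANG"       # a limit fired: the denial-of-service case
    if returncode == 0:
        return "OK"
    return "ERROR"          # corrupt-archive diagnostics but a clean exit: the patched behaviour


def run_case(args):
    """Run `unzip <args>` with no stdin and both limits; return the verdict string."""
    try:
        proc = subprocess.run(["unzip", *args], stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, errors="replace", timeout=WALL_SECONDS,
                              preexec_fn=_limit_cpu)
    except subprocess.TimeoutExpired:
        return classify(None, "")
    return classify(proc.returncode, proc.stdout + proc.stderr)


if __name__ == "__main__":
    # usage: python3 unzip_qa.py sigsegv.zip sigxcpu.zip   (the two files from the oss-sec post)
    sigsegv_zip, sigxcpu_zip = sys.argv[1:3]
    scratch = tempfile.mkdtemp(prefix="unzip-qa-")   # fresh dir: no 'replace ...?' prompts
    cases = {
        "1) unzip -p -P x sigsegv.zip": ["-p", "-P", "x", sigsegv_zip],
        "2) unzip sigxcpu.zip":         ["-o", "-d", scratch, sigxcpu_zip],
    }
    for label, args in cases.items():
        print(f"{label}: {run_case(args)}")
```

Case 2 adds `-o -d <dir>` to the command from the comments purely so the run is non-interactive; the archive is processed the same way.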
Whiteboard: MGA5-64-OK => has_procedure mga5-32-ok MGA5-64-OK
Validating. Advisory uploaded (no CVEs for this one yet).

Please push to 5 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok MGA5-64-OK => has_procedure advisory mga5-32-ok MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0384.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2015-7696 and CVE-2015-7697 have been assigned for this: http://openwall.com/lists/oss-security/2015/10/11/5
Summary: unzip new heap overflow and denial of service security issues => unzip new heap overflow and denial of service security issues (CVE-2015-7696, CVE-2015-7697)