CVEs have been assigned for two security issues in unzip: http://www.openwall.com/lists/oss-security/2016/12/05/20 It was mentioned elsewhere in the thread that they should be fixed in the upcoming 6.1 beta release. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Debian-LTS has issued an advisory for this today (December 13): https://lwn.net/Alerts/708934/
URL: (none) => https://lwn.net/Vulnerabilities/708995/
Patched package uploaded for Cauldron.
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

It was discovered that "unzip -l" (CVE-2014-9913) and "zipinfo" (CVE-2016-9844) were vulnerable to buffer overflows when provided malformed or maliciously-crafted ZIP files.

References:
http://www.openwall.com/lists/oss-security/2016/12/05/20
https://security-tracker.debian.org/tracker/CVE-2014-9913
https://security-tracker.debian.org/tracker/CVE-2016-9844
https://lwn.net/Alerts/708934/
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-13.3.mga5
unzip-debuginfo-6.0-13.3.mga5

from unzip-6.0-13.3.mga5.src.rpm

I marked this as having test procedures but I'm not sure how well they apply. What I found is in some of the comments for:
https://bugs.mageia.org/show_bug.cgi?id=14872
https://bugs.mageia.org/show_bug.cgi?id=16813

There is mention of PoC.zip in comment #1 at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750
CC: (none) => mrambo
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Testing M5_64

From the unzip/zipinfo man pages:
unzip will list, test, or extract files from a ZIP archive
zipinfo lists technical information about files in a ZIP archive
Note that zipinfo is the same program as unzip (under Unix, a link to it)

BEFORE the update: unzip-6.0-13.1.mga5

Using the valuable POC link at the end of Comment 3 (thanks for same, Mike), I downloaded & ran the Python script which produces the test file PoZ.zip - which I will attach to this bug.

$ zipinfo PoZ.zip
Archive:  PoZ.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
then loads of output.

$ unzip -l PoZ.zip
Archive:  PoZ.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
*** buffer overflow detected ***: unzip terminated
======= Backtrace: =========
etc

AFTER update to: unzip-6.0-13.3.mga5

$ zipinfo PoZ.zip
Archive:  PoZ.zip
Zip file size: 154 bytes, number of entries: 1
-rw-rw-r--  3.0 unx        2 tx FFFF 16-Nov-22 02:07 a
1 file, 2 bytes uncompressed, 2 bytes compressed:  0.0%

$ unzip -l PoZ.zip
Archive:  PoZ.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        2  2016-11-22 02:07   a
---------                     -------
        2                     1 file

which is conclusively OK. Oh that things were always so neat.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Created attachment 8840
POC test file PoZ.zip for this bug

Run with:
$ zipinfo PoZ.zip
$ unzip -l PoZ.zip
Buffer overflows before update; OK after it.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
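The before/after check used in this thread, written as a script that decides pass or fail from the exit status as well as the "buffer overflow detected" text. This is an added example, not part of the bug report or of Mageia's QA tooling; the function names classify_run and check_archive are hypothetical, and it assumes zipinfo and unzip are on PATH.

```shell
#!/bin/sh
# Added example: regression check for the test procedure in this thread.

# classify_run STATUS OUTPUT -> prints CRASH, MISSING, ERROR or OK.
classify_run() {
    status=$1
    output=$2
    case $output in
        # Message printed by glibc's fortify/stack-protector abort path
        *"buffer overflow detected"*|*"stack smashing detected"*)
            echo CRASH; return ;;
    esac
    if [ "$status" -eq 127 ]; then
        echo MISSING    # the shell could not find the tool
    elif [ "$status" -gt 128 ]; then
        echo CRASH      # 128+N means killed by signal N (134 = SIGABRT)
    elif [ "$status" -ne 0 ]; then
        echo ERROR      # warning or error exit from the tool, not a crash
    else
        echo OK
    fi
}

# check_archive FILE -> runs both listing commands; returns 1 if either crashed.
check_archive() {
    archive=$1
    rc=0
    for cmd in "zipinfo" "unzip -l"; do
        # Older glibc writes the abort message to the controlling terminal;
        # LIBC_FATAL_STDERR_ redirects it to stderr so it can be captured.
        output=$(LIBC_FATAL_STDERR_=1 $cmd "$archive" 2>&1)
        status=$?
        verdict=$(classify_run "$status" "$output")
        echo "$cmd $archive: $verdict (exit $status)"
        if [ "$verdict" = CRASH ]; then rc=1; fi
    done
    return $rc
}

# Run the check only when an archive path is given on the command line.
if [ -n "${1:-}" ]; then check_archive "$1"; fi
```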
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following package is going to be installed:
- unzip-6.0-13.3.mga5.i586
4B of additional disk space will be used.
207KB of packages will be retrieved.

$ unzip -v
UnZip 6.00 of 20 April 2009, by ALT Linux Team. Original by Info-ZIP.
Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.
Compiled with gcc 4.9.2 for Unix (Linux ELF) on Jan 6 2017.
---and lots more stuff---

I used the gnome file browser to compress a few items to a zip file.

-rw-rw-r-- 1 brian brian 169405691 Jan 12 12:36 sf_vmshare.zip
-------------

[brian@localhost uncomp]$ unzip sf*.zip
Archive:  sf_vmshare.zip
  inflating: gzread.php
  inflating: gzread2.php
  inflating: hdark.tar
  inflating: hdark11.txt
  inflating: hello_world.php
  inflating: libgd_test.php
  inflating: php12.php
  inflating: php12_2.php
  inflating: php529_test
  inflating: php529_test.php
  inflating: php_zip.php
  inflating: read_book.php
  inflating: slacko-5.7.0-PAE.iso
  inflating: virt_man_error1

looks like it still works.

$ ls
gzread2.php*  hello_world.php*  php529_test*      sf_vmshare.zip
gzread.php*   libgd_test.php*   php529_test.php*  slacko-5.7.0-PAE.iso*
hdark11.txt*  php12_2.php*      php_zip.php*      virt_man_error1*
hdark.tar*    php12.php*        read_book.php*
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory mga5-32-ok
CC: (none) => brtians1, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0015.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED