An advisory has been issued on February 8: http://openwall.com/lists/oss-security/2018/02/08/1 The issues are fixed upstream in 6.10c23. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 6.10c23
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.
Does anyone know where the hell I can find the new release's archive? Why can't they mint a new stable release already? It is really hard for me to work this way and the Info-ZIP people are being irresponsible.
See the link in Comment 0. There's a direct link to 6.10c23 at the bottom. I just noticed that it says the LZMA vulnerabilities aren't fixed yet, so perhaps that's why they haven't made a new stable release yet.
A note on how to get it to respect our CFLAGS, which is important: http://openwall.com/lists/oss-security/2018/02/13/1
Fedora has issued an advisory for one of these issues on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WN3ZDO5UYFEX36VLDSUJ5HKZQMD2UPI3/
openSUSE has issued an advisory for one of these issues on July 7: https://lists.opensuse.org/opensuse-updates/2018-07/msg00019.html
shlomif pushed 6.10c23 to fix this in cauldron 2018-02-11
CC: (none) => bruno
I pushed 6.10c23 for 6 in core/updates_testing
Status: NEW => ASSIGNED
Target Milestone: --- => Mageia 6
Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => (none)
It doesn't look like Comment 4 has been addressed, and I'm not sure all of the CVEs have been either.
Assignee: qa-bugs => shlomif
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Target Milestone: Mageia 6 => ---
Updated again with LOCAL_UNZIP used. As the initial comment was suggesting all CVEs were addressed by that new version, I thought it was the case, but didn't check closely.
Assignee: shlomif => qa-bugs
Cauldron also updated with LOCAL_UNZIP
It sounds like everything except CVE-2018-1000034 should be fixed by this update, and if the LZMA code could be disabled that would be fixed too.
unzip-6.0-3.1.mga6
from unzip-6.0-3.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Four days and still no sign of unzip in updates_testing.
CC: (none) => tarazed25
Before update:
$ sudo urpmi unzip
Package unzip-6.0-17.mga6.x86_64 is already installed
Just tried to urpme unzip and it asked if it could remove half the operating system. How can the installed unzip at 6.0-17 be updated to 6.0-3.1?
That's because the update is done wrongly…
Here: http://svnweb.mageia.org/packages/updates/6/unzip/current/SPECS/unzip.spec?r1=1120275&r2=1319460
rel was reset to 1, even if version stayed on 6.0.
But according to unzip filename and source, this would be version 6.1.
CC: (none) => tmb
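The ordering problem described in the two comments above, as an added example that is not part of the original thread or of rpm/urpmi: a simplified version-release comparison showing why a security update built as 6.0-3.1 is never offered over an installed 6.0-17, and why renaming the version to 6.1c resolves it. The function names are hypothetical, and epoch and the `~`/`^` operators are not handled.

```python
import re

# Simplified form of rpm's segment comparison: runs of digits or letters only.
_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a sorts newer than b, -1 if older, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the side with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a: str, b: str) -> int:
    """Compare two 'version-release' strings; release only breaks version ties."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_upgrade(installed: str, candidate: str) -> bool:
    """True if the package manager would treat candidate as newer than installed."""
    return compare_vr(candidate, installed) > 0

if __name__ == "__main__":
    installed = "6.0-17.mga6"                      # version-release from this thread
    for candidate in ("6.0-3.1.mga6", "6.1c-1.1.mga6"):
        verdict = "offered as update" if is_upgrade(installed, candidate) else "ignored"
        print(f"{candidate} over {installed}: {verdict}")
```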
Thanks for the enlightenment - so we should leave this for the packagers to sort out.
Keywords: (none) => feedback
In the upstream README, they name that version 6.1c, so I changed the spec files from both cauldron and mga6 to use that. Packages now uploaded as unzip-6.1c-1.mga6 and unzip-6.1c-1.mga7
Sorry, correct versions to test are unzip-6.1c-1.1.mga6 and unzip-6.1c-2.mga7
Mageia 6, x86_64
Clean update.

$ unzip vlc-skins.zip
Archive:  vlc-skins.zip
  inflating: Airflow.vlt
  inflating: argenta.vlt
[...]

$ unzip -l gliese3.zip
Archive:  gliese3.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   753557  02-25-1995 16:29   GLIESE3.DAT
     8840  02-25-1995 16:28   GLIESE3.DOC
---------                     -------
   762397                     2 files

$ unzip -v pcfont.zip
Archive:  pcfont.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
   40484  Defl:N    21460  47% 12-09-2003 13:22 fc6aac4f  Tiresias PCfont Bold.ttf
   42332  Defl:N    22579  47% 12-06-2003 09:35 9d7a208d  Tiresias PCfont Italic.ttf
   40540  Defl:N    21639  47% 12-05-2003 00:21 e77d7cf0  Tiresias PCfont.ttf
   39340  Defl:N    20898  47% 01-07-2004 18:43 888012d9  TIRESIAS PCFONTZ Bold.TTF
   42412  Defl:N    22602  47% 01-07-2004 20:23 353e4ea8  TIRESIAS PCFONTZ Italic.TTF
   73464  Defl:N    43299  41% 09-19-2000 22:03 2feafe4f  TIRESIAS PCFONTZ.TTF
   23552  Defl:N     3629  85% 12-11-2007 09:09 84133c07  COPYING/copying.doc
   35821  Defl:N    12288  66% 09-18-2007 15:59 ba8cd1a6  COPYING/gpl.txt
--------          -------  ---                            -------
  337945           168394  50%                            8 files

$ unzip pcfont.zip
Archive:  pcfont.zip
  inflating: Tiresias PCfont Bold.ttf
  inflating: Tiresias PCfont Italic.ttf
  inflating: Tiresias PCfont.ttf
  inflating: TIRESIAS PCFONTZ Bold.TTF
  inflating: TIRESIAS PCFONTZ Italic.TTF
  inflating: TIRESIAS PCFONTZ.TTF
  inflating: COPYING/copying.doc
  inflating: COPYING/gpl.txt

$ ll
drwxr-xr-x 2 lcl lcl   4096 Oct 21 16:16  COPYING/
-rw-r--r-- 2 lcl lcl 169374 Jan 16  2010  pcfont.zip
-r--r--r-- 1 lcl lcl  40484 Dec  9  2003 'Tiresias PCfont Bold.ttf'
-r--r--r-- 1 lcl lcl  42332 Dec  6  2003 'Tiresias PCfont Italic.ttf'
-r--r--r-- 1 lcl lcl  40540 Dec  5  2003 'Tiresias PCfont.ttf'
-r--r--r-- 1 lcl lcl  39340 Jan  7  2004 'TIRESIAS PCFONTZ Bold.TTF'
-r--r--r-- 1 lcl lcl  42412 Jan  7  2004 'TIRESIAS PCFONTZ Italic.TTF'
-r--r--r-- 1 lcl lcl  73464 Sep 19  2000 'TIRESIAS PCFONTZ.TTF'

That all looks OK.
Keywords: feedback => (none)
Whiteboard: (none) => MGA6-64-OK
$ unzip -v
Info-ZIP UnZip 6.1c23-BETA (2017-12-08)
Maintainer: Steven M. Schweda
Copyright (c) 1990-2017 Info-ZIP.
License: unzip --license
More info: http://info-zip.org http://info-zip.org/UnZip.html
Bugs: http://www.info-zip.org/zip-bug.html
See README for details.
THIS IS A BETA VERSION OF UNZIP -- NOT FOR GENERAL DISTRIBUTION.
Compiled with GCC 5.5.0 for Unix (Linux ELF) on Oct 20 2018.
UnZip special compilation options/features:
    ARCHIVE_STDIN (Allow streaming archive from stdin)
    SET_DIR_ATTRIB (Setting directory attributes supported)
[...]
WRT comment 12, I have deactivated LZMA.
Installs OK for me, unzipped a simple file containing a pdf. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0422.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED