A null-pointer dereference issue was reported for unzip: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 No fix is available yet. It will likely receive a CVE. Mageia 8 is also affected.
Assigning to neoclust as you have done the most recent updates to this pkg. Not sure how we handle "No fix is available yet". I have flagged this UPSTREAM pending that; imagine DavidW will bring the bug to life (& NicolasL's attention) when the CVE surfaces.
Keywords: (none) => UPSTREAMAssignee: bugsquad => mageia
Also: https://bugzilla.redhat.com/show_bug.cgi?id=2051395 https://bugzilla.redhat.com/show_bug.cgi?id=2051402
Summary: unzip new security issue lp#1957077 => unzip new security issues lp#1957077, rhbz#2051395, rhbz#2051402Status comment: (none) => No fixes available as of February 2022
(In reply to David Walser from comment #0) > A null-pointer dereference issue was reported for unzip: > https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 > > No fix is available yet. It will likely receive a CVE. > > Mageia 8 is also affected. This is CVE-2021-4217: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/comments/9 https://bugzilla.redhat.com/show_bug.cgi?id=2044583 and a suggested patch is attached here: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/comments/7 (In reply to David Walser from comment #2) > Also: > https://bugzilla.redhat.com/show_bug.cgi?id=2051395 > https://bugzilla.redhat.com/show_bug.cgi?id=2051402 These are CVE-2022-0529, CVE-2022-0530: https://www.debian.org/security/2022/dsa-5202 So there are patches for those now too.
Whiteboard: (none) => MGA8TOOSummary: unzip new security issues lp#1957077, rhbz#2051395, rhbz#2051402 => unzip new security issues CVE-2021-4217, CVE-2022-0529, CVE-2022-0530Status comment: No fixes available as of February 2022 => Patches available from Debian and Ubuntu
Debian-LTS has issued an advisory for CVE-2022-0529, CVE-2022-0530 on September 22: https://www.debian.org/lts/security/2022/dla-3118
(In reply to David Walser from comment #4) > Debian-LTS has issued an advisory for CVE-2022-0529, CVE-2022-0530 on > September 22: > https://www.debian.org/lts/security/2022/dla-3118 openSUSE has issued an advisory for this today (September 26): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VFUXYMOCMRAV3GMQQKYX6T4L2I23XSQU/
Ubuntu has issued an advisory for this today (October 13): https://ubuntu.com/security/notices/USN-5673-1
Suggested advisory: ======================== The updated package fixes security vulnerabilities: Improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. (CVE-2021-4217) Conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. (CVE-2022-0529, CVE-2022-0530) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4217 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0529 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0530 https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 https://bugzilla.redhat.com/show_bug.cgi?id=2044583 https://bugzilla.redhat.com/show_bug.cgi?id=2051395 https://bugzilla.redhat.com/show_bug.cgi?id=2051402 https://www.debian.org/security/2022/dsa-5202 https://www.debian.org/lts/security/2022/dla-3118 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VFUXYMOCMRAV3GMQQKYX6T4L2I23XSQU/ https://ubuntu.com/security/notices/USN-5673-1 ======================== Updated package in core/updates_testing: ======================== unzip-6.0-2.1.mga8 from SRPM: unzip-6.0-2.1.mga8.src.rpm
CC: (none) => nicolas.salgueroStatus comment: Patches available from Debian and Ubuntu => (none)Whiteboard: MGA8TOO => (none)Version: Cauldron => 8Keywords: UPSTREAM => (none)CVE: (none) => CVE-2021-4217, CVE-2022-0529, CVE-2022-0530Status: NEW => ASSIGNEDAssignee: mageia => qa-bugs
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Tested on an zip file I made some 5 years ago. $ unzip anglo.zip Archive: anglo.zip creating: anglo/ inflating: anglo/09-Sanctusamp.mp3 inflating: anglo/06-Alleluia.mp3 inflating: anglo/10-Agnus Deiamp.mp3 inflating: anglo/03-Kyrie.mp3 inflating: anglo/05- Graduale Haec Dies.mp3 inflating: anglo/08-Offertorium Terra tremuitamp.mp3 inflating: anglo/01-Quem queritisamp.mp3 inflating: anglo/04-Gloria.mp3 inflating: anglo/02-Introitus Resurrexiamp.mp3 inflating: anglo/11-Communio Pascha nostrumamp.mp3 inflating: anglo/07-Sequentia Fulgens.mp3 Files play OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 7.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0371.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
(In reply to Mageia Robot from comment #10) > Một bản cập nhật cho sự cố này đã được đẩy lên kho lưu trữ Bản cập nhật > Mageia. > > https://advisories.mageia.org/MGASA-2022-0371.html https://incrediboxgame.co/ I tried your way and it worked. Thank you very much!
CC: (none) => misalumix9x