Adélie Linux / Adélie Package Tree / Issues / #123 (Closed)
Created Jul 29, 2019 by Emily@emily🤖

system/unzip: multiple vulnerabilities

Bugzilla ID: 123
Alias(es): CVE-2014-8139, CVE-2014-8140, CVE-2014-8141, CVE-2014-9636, CVE-2014-9913, CVE-2015-7696, CVE-2015-7697, CVE-2016-9844, CVE-2018-18384, CVE-2019-13232
Reporter: Max Rees (sroracle)
Assignee: Max Rees (sroracle)
Reported: 2019-07-29 04:10:28 -0500
Modified: 2020-06-12 19:30:04 -0500
Status: RESOLVED FIXED
Version: 1.0-BETA3
Hardware: Adélie Linux / All
Importance: --- / normal

Description

CVE-2014-9636: https://nvd.nist.gov/vuln/detail/CVE-2014-9636

unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with an
uncompressed size smaller than the compressed field size in a zip
archive that advertises STORED method compression.

CVE-2014-9913: https://nvd.nist.gov/vuln/detail/CVE-2014-9913

Buffer overflow in the list_files function in list.c in Info-Zip UnZip
6.0 allows remote attackers to cause a denial of service (crash) via
vectors related to the compression method.

CVE-2015-7696: https://nvd.nist.gov/vuln/detail/CVE-2015-7696

Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of
service (heap-based buffer over-read and application crash) or
possibly execute arbitrary code via a crafted password-protected ZIP
archive, possibly related to an Extra-Field size value.

CVE-2015-7697: https://nvd.nist.gov/vuln/detail/CVE-2015-7697

Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of
service (infinite loop) via empty bzip2 data in a ZIP archive.

CVE-2016-9844: https://nvd.nist.gov/vuln/detail/CVE-2016-9844

Buffer overflow in the zi_short function in zipinfo.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service (crash)
via a large compression method value in the central directory file
header.

CVE-2018-18384: https://nvd.nist.gov/vuln/detail/CVE-2018-18384

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive
has a crafted relationship between the compressed-size value and the
uncompressed-size value, because a buffer size is 10 and is supposed
to be 12.

CVE-2019-13232: https://nvd.nist.gov/vuln/detail/CVE-2019-13232

Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP
container, leading to denial of service (resource consumption), aka a
"better zip bomb" issue.
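Most of the CVEs listed above are triggered by inconsistent central directory metadata that unzip 6.0 trusted before it had finished validating it. The following is an added example (not Adélie's or Info-ZIP's code) of a pre-extraction check that parses the end-of-central-directory record and each central directory file header by hand and flags the conditions the descriptions name: STORED members whose compressed and uncompressed sizes disagree (CVE-2014-9636), compression method numbers outside the set PKWARE's APPNOTE assigns (CVE-2014-9913, CVE-2016-9844), bzip2 members with no compressed data (CVE-2015-7697), headers whose extra field or comment runs past the central directory (CVE-2015-7696), and members whose local header and data ranges overlap (CVE-2019-13232). The finding codes, the `KNOWN_METHODS` set and the constructed sample archives are this example's own assumptions; the sample is built with Python's zipfile and then patched in place to reproduce each oddity.

```python
"""Pre-extraction sanity checks for ZIP central directories.

Added example for this issue (not Adélie's or Info-ZIP's code). The finding codes,
KNOWN_METHODS and the constructed sample archives are assumptions of this example."""
import io
import struct
import zipfile

EOCD_SIG, CDFH_SIG, LFH_SIG = 0x06054B50, 0x02014B50, 0x04034B50
# Assumption: the method numbers PKWARE's APPNOTE assigns; anything else is suspect.
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 16, 18, 19, 20, 93, 94, 95, 96, 97, 98, 99}


def find_eocd(data):
    """Return (total entries, central directory size, central directory offset)."""
    start = max(0, len(data) - 22 - 0xFFFF)  # 22-byte record plus up to 64 KiB of comment
    pos = data.rfind(struct.pack("<I", EOCD_SIG), start)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, cd_size, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, pos)
    return n_total, cd_size, cd_off


def parse_central_directory(data):
    """Yield one dict per central directory file header; a header whose name,
    extra field or comment runs past the directory (cf. CVE-2015-7696) is an error."""
    n_total, cd_size, cd_off = find_eocd(data)
    pos, end = cd_off, min(cd_off + cd_size, len(data))
    for _ in range(n_total):
        if pos + 46 > end:
            raise ValueError("central directory truncated")
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CDFH_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        nlen, elen, clen = f[10], f[11], f[12]
        if pos + 46 + nlen + elen + clen > end:
            raise ValueError("central directory entry runs past the directory")
        yield {"name": data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
               "method": f[4], "csize": f[8], "usize": f[9], "lfh_off": f[16]}
        pos += 46 + nlen + elen + clen


def local_extent(data, entry):
    """[start, end) of the member's local header plus compressed data, using the
    local header's own name/extra lengths and the central directory's csize."""
    off = entry["lfh_off"]
    if off + 30 > len(data):
        return None
    f = struct.unpack_from("<IHHHHHIIIHH", data, off)
    if f[0] != LFH_SIG:
        return None
    end = off + 30 + f[9] + f[10] + entry["csize"]
    return (off, end) if end <= len(data) else None


def check_archive(data):
    """Return a list of (member name, finding code); empty means nothing was flagged."""
    findings, extents = [], []
    try:
        for e in parse_central_directory(data):
            if e["method"] == 0 and e["csize"] != e["usize"]:   # CVE-2014-9636
                findings.append((e["name"], "stored-size-mismatch"))
            if e["method"] not in KNOWN_METHODS:                # CVE-2014-9913, CVE-2016-9844
                findings.append((e["name"], "unknown-method"))
            if e["method"] == 12 and e["csize"] == 0:           # CVE-2015-7697
                findings.append((e["name"], "empty-bzip2"))
            ext = local_extent(data, e)
            if ext is None:
                findings.append((e["name"], "bad-local-header"))
            else:
                extents.append((ext, e["name"]))
    except ValueError as exc:
        findings.append(("<archive>", "central-directory: %s" % exc))
    # Members whose local header/data ranges intersect overlap; the "better zip
    # bomb" (CVE-2019-13232) points many central entries at the same local data.
    extents.sort()
    for (prev, _), (cur, name) in zip(extents, extents[1:]):
        if cur[0] < prev[1]:
            findings.append((name, "overlap"))
    return findings


def build_sample(malicious=False):
    """Constructed sample: four 64-byte STORED members a..d. When malicious, the
    central directory is patched so that a's uncompressed size differs from its
    compressed size, b's local header offset points at a's data, c is marked bzip2
    with zero compressed bytes, and d carries a method number nothing assigns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for n in "abcd":
            z.writestr(n + ".txt", n.encode() * 64)
    data = bytearray(buf.getvalue())
    if malicious:
        _, _, cd_off = find_eocd(data)
        hdr = [cd_off]  # start offset of each central directory header
        for _ in range(3):
            nlen, elen, clen = struct.unpack_from("<HHH", data, hdr[-1] + 28)
            hdr.append(hdr[-1] + 46 + nlen + elen + clen)
        a_lfh = struct.unpack_from("<I", data, hdr[0] + 42)[0]
        struct.pack_into("<I", data, hdr[0] + 24, 4096)    # a: usize 4096 != csize 64
        struct.pack_into("<I", data, hdr[1] + 42, a_lfh)   # b: local header offset -> a's
        struct.pack_into("<H", data, hdr[2] + 10, 12)      # c: method bzip2
        struct.pack_into("<I", data, hdr[2] + 20, 0)       # c: zero compressed bytes
        struct.pack_into("<H", data, hdr[3] + 10, 0x7777)  # d: bogus method
    return bytes(data)
```

`check_archive(build_sample())` returns an empty list, while `check_archive(build_sample(malicious=True))` reports one finding per patched member. A finding only says the archive's metadata is inconsistent, not that a given unzip build is exploitable by it; the point is to reject such archives before any extractor touches the member data, since every CVE above is reached only after unzip has already started acting on the bad values.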
