Bugzilla – Bug 909214
VUL-0: CVE-2014-8139: unzip: input sanitization errors
Last modified: 2019-05-01 16:34:49 UTC
bugbot adjusting priority
SUSE-SU-2015:0026-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 909214
CVE References: CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Sources used:
SUSE Linux Enterprise Server 12 (src): unzip-6.00-28.1
SUSE Linux Enterprise Desktop 12 (src): unzip-6.00-28.1
http://seclists.org/oss-sec/2014/q4/1127

[oCERT-2014-011] UnZip input sanitization errors

Description:
The UnZip tool is an open source extraction utility for archives compressed in the zip format. The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification, the test_compr_eb() and the getZip64Data() functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to unzip -t, can be used to trigger the vulnerability.

Affected version: UnZip <= 6.0
Fixed version: UnZip, N/A
Credit: vulnerability report received from the Google Security Team.
CVE: CVE-2014-8139 (CRC32 heap overflow), CVE-2014-8140 (test_compr_eb), CVE-2014-8141 (getZip64Data)

Timeline:
2014-12-03: vulnerability report received
2014-12-03: contacted maintainer
2014-12-03: first patch provided by maintainer
2014-12-04: report provides additional reproducers
2014-12-03: second patch provided by maintainer
2014-12-04: reporter confirms patch
2014-12-10: contacted affected vendors
2014-12-12: assigned CVEs
2014-12-22: advisory release

References: http://www.info-zip.org/UnZip.html
Permalink: http://www.ocert.org/advisories/ocert-2014-011.html

-- Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
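Two of the three issues above sit in UnZip's handling of the ZIP "extra field" (getZip64Data() and test_compr_eb() walk that field). The following is an added example, not UnZip's code: a bounds-checked walker over the extra field's 4-byte block headers (2-byte ID, 2-byte little-endian data size, then data) that refuses any block whose declared size runs past the buffer, which is the check an input-sanitization fix of this kind needs; the sample extra fields are constructed for the self-check.

```c
#include <stddef.h>
#include <stdint.h>

/* Each ZIP extra-field block: 2-byte header ID, 2-byte data size (little-endian), data. */
#define EF_HDR_LEN 4
#define EF_ZIP64   0x0001   /* header ID of the Zip64 extended information block */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk an extra field of ef_len bytes. Returns the offset of the Zip64 block's data
 * (just past its 4-byte header), or -1 if no Zip64 block is present or if any block's
 * declared size would run past the end of the buffer (the condition that must be
 * rejected rather than read through). Added example, not UnZip's getZip64Data(). */
int find_zip64_block(const uint8_t *ef, size_t ef_len, uint16_t *data_len)
{
    size_t off = 0;
    while (ef_len - off >= EF_HDR_LEN) {
        uint16_t id  = rd16(ef + off);
        uint16_t len = rd16(ef + off + 2);
        /* Declared length must fit in what remains after this header. */
        if (len > ef_len - off - EF_HDR_LEN)
            return -1;
        if (id == EF_ZIP64) {
            if (data_len) *data_len = len;
            return (int)(off + EF_HDR_LEN);
        }
        off += EF_HDR_LEN + len;
    }
    return -1;  /* fewer than 4 trailing bytes: not a block header, ignore them */
}

/* Constructed extra fields for a self-check (not taken from any real archive). */
static const uint8_t good_ef[] = {
    0x55, 0x54, 0x05, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, /* ID 0x5455, 5 data bytes */
    0x01, 0x00, 0x08, 0x00, 1, 2, 3, 4, 5, 6, 7, 8        /* Zip64, 8 data bytes    */
};
static const uint8_t bad_ef[] = {
    0x01, 0x00, 0xFF, 0x7F, 0x00, 0x00  /* Zip64 block claims 32767 bytes, only 2 present */
};

int selfcheck(void)
{
    uint16_t n = 0;
    int g = find_zip64_block(good_ef, sizeof good_ef, &n);
    int b = find_zip64_block(bad_ef, sizeof bad_ef, NULL);
    return g == 13 && n == 8 && b == -1;
}
```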
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-01-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60227
SUSE-SU-2015:0070-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 909214
CVE References: CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): unzip-6.00-11.9.1
SUSE Linux Enterprise Server 11 SP3 (src): unzip-6.00-11.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src): unzip-6.00-11.9.1
Can you also submit fixes for openSUSE 13.1, 13.2 and factory?
This is an autogenerated message for OBS integration:
This bug (909214) was mentioned in
https://build.opensuse.org/request/show/282877 13.2+13.1 / unzip-rcc+unzip
(In reply to Bernhard Wiedemann from comment #19)
> This is an autogenerated message for OBS integration:
> This bug (909214) was mentioned in
> https://build.opensuse.org/request/show/282877 13.2+13.1 / unzip-rcc+unzip
> 

And sr#282876 for factory.
openSUSE-SU-2015:0240-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 909214
CVE References: CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Sources used:
openSUSE 13.2 (src): unzip-6.00-26.4.1, unzip-rcc-6.00-26.4.1
openSUSE 13.1 (src): unzip-6.00-24.4.1, unzip-rcc-6.00-24.4.1
SUSE-SU-2015:0377-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 909214,914442
CVE References: CVE-2014-8139,CVE-2014-9636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): unzip-6.00-11.13.1
SUSE Linux Enterprise Server 11 SP3 (src): unzip-6.00-11.13.1
SUSE Linux Enterprise Desktop 11 SP3 (src): unzip-6.00-11.13.1
released