[SECURITY] [DSA 3113-1] unzip security update

2014-12-2808:05:44

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

80.5%

JSON

Debian Security Advisory DSA-3113-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
December 28, 2014 http://www.debian.org/security/faq

Package : unzip
CVE ID : CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
Debian Bug : 773722

Michele Spagnuolo of the Google Security Team discovered that unzip, an
extraction utility for archives compressed in .zip format, is affected
by heap-based buffer overflows within the CRC32 verification function
(CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the
getZip64Data() function (CVE-2014-8141), which may lead to the execution
of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 6.0-8+deb7u1.

For the upcoming stable distribution (jessie), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 6.0-13.

We recommend that you upgrade your unzip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7i386unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_i386.deb
Debian7mipselunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_mipsel.deb
Debian7armelunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_armel.deb
Debian7amd64unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_amd64.deb
Debian7kfreebsd-amd64unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_kfreebsd-amd64.deb
Debian7s390unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_s390.deb
Debian7kfreebsd-i386unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_kfreebsd-i386.deb
Debian7ia64unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_ia64.deb
Debian7s390xunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_s390x.deb
Debian7armhfunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	i386	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_i386.deb
Debian	7	mipsel	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_mipsel.deb
Debian	7	armel	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_armel.deb
Debian	7	amd64	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_amd64.deb
Debian	7	kfreebsd-amd64	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_kfreebsd-amd64.deb
Debian	7	s390	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_s390.deb
Debian	7	kfreebsd-i386	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_kfreebsd-i386.deb
Debian	7	ia64	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_ia64.deb
Debian	7	s390x	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_s390x.deb
Debian	7	armhf	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_armhf.deb