[SECURITY] [DSA 3152-1] unzip security update

2015-02-0315:04:37

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA-3152-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
February 03, 2015 http://www.debian.org/security/faq

Package : unzip
CVE ID : CVE-2014-9636
Debian Bug : 776589

A flaw was found in the test_compr_eb() function allowing out-of-bounds
read and write access to memory locations. By carefully crafting a
corrupt ZIP archive an attacker can trigger a heap overflow, resulting
in application crash or possibly having other unspecified impact.

For the stable distribution (wheezy), this problem has been fixed in
version 6.0-8+deb7u2. Additionally this update corrects a defective
patch applied to address CVE-2014-8139, which caused a regression with
executable jar files.

For the unstable distribution (sid), this problem has been fixed in
version 6.0-15. The defective patch applied to address CVE-2014-8139 was
corrected in version 6.0-16.

We recommend that you upgrade your unzip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7mipsunzip< 6.0-8+deb7u2unzip_6.0-8+deb7u2_mips.deb
Debian7powerpcunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_powerpc.deb
Debian7s390xunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_s390x.deb
Debian7armhfunzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_armhf.deb
Debian7kfreebsd-i386unzip< 6.0-8+deb7u1unzip_6.0-8+deb7u1_kfreebsd-i386.deb
Debian7allunzip< 6.0-8+deb7u2unzip_6.0-8+deb7u2_all.deb
Debian7s390xunzip< 6.0-8+deb7u2unzip_6.0-8+deb7u2_s390x.deb
Debian7kfreebsd-amd64unzip< 6.0-8+deb7u2unzip_6.0-8+deb7u2_kfreebsd-amd64.deb
Debian7i386unzip< 6.0-8+deb7u2unzip_6.0-8+deb7u2_i386.deb
Debian6allunzip< 6.0-4+deb6u2unzip_6.0-4+deb6u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	mips	unzip	< 6.0-8+deb7u2	unzip_6.0-8+deb7u2_mips.deb
Debian	7	powerpc	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_powerpc.deb
Debian	7	s390x	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_s390x.deb
Debian	7	armhf	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_armhf.deb
Debian	7	kfreebsd-i386	unzip	< 6.0-8+deb7u1	unzip_6.0-8+deb7u1_kfreebsd-i386.deb
Debian	7	all	unzip	< 6.0-8+deb7u2	unzip_6.0-8+deb7u2_all.deb
Debian	7	s390x	unzip	< 6.0-8+deb7u2	unzip_6.0-8+deb7u2_s390x.deb
Debian	7	kfreebsd-amd64	unzip	< 6.0-8+deb7u2	unzip_6.0-8+deb7u2_kfreebsd-amd64.deb
Debian	7	i386	unzip	< 6.0-8+deb7u2	unzip_6.0-8+deb7u2_i386.deb
Debian	6	all	unzip	< 6.0-4+deb6u2	unzip_6.0-4+deb6u2_all.deb