Posted to dev@corinthia.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2014/12/29 14:06:26 UTC

FW: [SECURITY] [DSA 3113-1] unzip security update

FYI and consideration,

I have no clue to the extent to which any of this applies in the external sources that Corinthia relies on.

 - Dennis

-----Original Message-----
From: Salvatore Bonaccorso [mailto:carnil@debian.org] 
Sent: Sunday, December 28, 2014 00:06
To: bugtraq@securityfocus.com
Subject: [SECURITY] [DSA 3113-1] unzip security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3113-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
December 28, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : unzip
CVE ID         : CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
Debian Bug     : 773722

Michele Spagnuolo of the Google Security Team discovered that unzip, an
extraction utility for archives compressed in .zip format, is affected
by heap-based buffer overflows within the CRC32 verification function
(CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the
getZip64Data() function (CVE-2014-8141), which may lead to the execution
of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 6.0-8+deb7u1.

For the upcoming stable distribution (jessie), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 6.0-13.

We recommend that you upgrade your unzip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUn7mQAAoJEAVMuPMTQ89EeowQAKE25ywJuv85W18UDxCVJ4M5
jECsUBPPrv5gf2leoJDr4UYhIdBQ5StZA6Cro8qsehcCayZuUayE2tfZjhtR9I9X
pif1tPalH5Cdtzph4XZxmah99MFW8J5z2zuhAa6UcVYDXuup8+o0yz9kJuVJ0e5H
pfT4+FwVdNXiGq+5NgXru4egXCSXs62FRTIp5ezx1uz0PBl2FFnu2ZBND5IgNWf/
cQubdcx02uYkl0fYBQAkClbRK4JZZE/TipdjYkNBpnaHj4EkFKesuSfLcSTmtIK4
R2r34Kzavn9QStJny+Uvzdqqw8e/q5WSmjR2MtDd4l4f3VxMFaoYaRQgon+K4T4L
rs6C7+VeI5gsYrnTyQRPix+v+esGNMke3l1WzHV5fbSXeUic+vooJZoMBmR2ep4j
Vp8kGkoVG8FQ4GgVGDCyV4XiYl9VaGxk1H8/rCSfn1Ag9ImqiiBNuGnBzx+6kGDk
cdb8ZFZpcF5/ueAC7IZ7Cotzncy2c5d7nDTActjSnmK53gnPgRiQwtyu8doM1heF
pWlXLXKxnspIyNugEI2xRYY2I7GN04AhElN+c9DDNBoBiKUVjjBgR8lT9OnDCgBN
UPx9mxeehoibtE67bONhQoxgbyBT3ukRCNFybkNT3K6bGLclFBUNKMpOjJzIvEJs
XU5IchBNf8BhT7Ekd2Lo
=D8OH
-----END PGP SIGNATURE-----
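The practical follow-up to an advisory like this is confirming, host by host, whether the installed unzip is at or past the fixed version the advisory names. The block below is an added example, not part of this thread, of Debian's tooling or of dpkg: it re-implements the dpkg version-ordering rules (epoch, upstream_version, debian_revision, with `~` sorting before everything and digit runs compared numerically) in Python, so the comparison can be run from an inventory system without shelling out to `dpkg --compare-versions`. The fixed versions are the two the advisory states (wheezy and sid); jessie is deliberately absent because the advisory gives no fixed version for it. The `dpkg-query` output lines are a constructed sample.

```python
# Added example: dpkg-style version ordering used to check unzip against DSA-3113-1.
# Fixed versions exactly as stated in the advisory; jessie is omitted because the
# advisory only says it "will be fixed soon" and names no version.
FIXED_VERSIONS = {
    "wheezy": "6.0-8+deb7u1",
    "sid": "6.0-13",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
unzip 6.0-8
zip 3.0-6
"""

def _is_digit(c):
    return "0" <= c <= "9"

def _order(c):
    """Sort weight of one character, following dpkg's order() rules."""
    if _is_digit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters

def _verrevcmp(a, b):
    """Compare two version fragments with dpkg's alternating alpha/digit scan."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, _, version = version.partition(":")
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no hyphen: whole string is the upstream part
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def unzip_needs_upgrade(installed, suite):
    """True when the installed unzip predates the DSA-3113-1 fix for the suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0

def audit_unzip(dpkg_lines, suite):
    """Return (package, installed, fixed) for every unzip entry still below the fix."""
    findings = []
    for line in dpkg_lines:
        parts = line.split()
        if len(parts) != 2:
            continue                 # blank or malformed inventory line
        pkg, ver = parts
        if pkg == "unzip" and unzip_needs_upgrade(ver, suite):
            findings.append((pkg, ver, FIXED_VERSIONS[suite]))
    return findings

if __name__ == "__main__":
    for finding in audit_unzip(SAMPLE_DPKG_OUTPUT.splitlines(), "wheezy"):
        print("%s %s is below the fixed version %s" % finding)
```

The ordering rules matter for exactly the kind of version string this advisory uses: a naive string comparison would rank `6.0-8+deb7u1` below `6.0-9` correctly but could also rank a backport such as `6.0-8~bpo70+1` above `6.0-8`, which dpkg does not, so a check built on plain string or float comparison would misreport patched and unpatched hosts.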


Re: FW: [SECURITY] [DSA 3113-1] unzip security update

Posted by jan i <ja...@apache.org>.
On Monday, December 29, 2014, Dennis E. Hamilton <de...@acm.org>
wrote:

> FYI and consideration,
>
> I have no clue to the extent to which any of this applies in the external
> sources that Corinthia relies on.

Thanks for the info; since I am on that part now, I will have a look.

Please send such alerts to private@ so we can discuss them before telling
the world how we solve it.

rgds
jan i


-- 
Sent from My iPad, sorry for any misspellings.