Arch Linux Security Advisory ASA-201511-1
=========================================

Severity: High
Date    : 2015-11-03
CVE-ID  : CVE-2015-7696 CVE-2015-7697
Package : unzip
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package unzip before version 6.0-11 is vulnerable to arbitrary code
execution and denial of service.

Resolution
==========

Upgrade to 6.0-11.

# pacman -Syu "unzip>=6.0-11"

The problems have been fixed by applying the proper upstream patches.

Workaround
==========

None.

Description
===========

- CVE-2015-7696 (arbitrary code execution)

A heap buffer overflow triggered while unzipping a password-protected file
can lead to arbitrary code execution.

- CVE-2015-7697 (denial of service)

A denial of service caused by an archive that never finishes unzipping.

Impact
======

A remote attacker is able to create a specially crafted, password-protected
zip archive that leads to arbitrary code execution, or to a denial of
service via an infinite loop, when it is unzipped.

References
==========

https://access.redhat.com/security/cve/CVE-2015-7696
https://access.redhat.com/security/cve/CVE-2015-7697
http://seclists.org/oss-sec/2015/q3/512
https://bugs.archlinux.org/task/46955