[arch-security] [ASA-201501-3] unzip: arbitrary code execution

[Levente Polyak]

Arch Linux Security Advisory ASA-201501-3
=========================================

Severity: High
Date    : 2015-01-10
CVE-ID  : CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
Package : unzip
Type    : arbitrary code execution
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package unzip before version 6.0-9 is vulnerable to arbitrary code
execution and denial of service through multiple heap buffer overflows.

Resolution
==========

Upgrade to 6.0-9.

# pacman -Syu "unzip>=6.0-9"

The problems have not been fixed upstream but patches were added.

Workaround
==========

None.

Description
===========

- CVE-2014-8139 (heap buffer overflow)
A heap-based buffer overflow exists in the CRC32 verification that
allows attackers to potentially execute arbitrary code or cause a denial
of service (memory corruption).

- CVE-2014-8140 (out-of-bounds read/write)
Out-of-bounds access (both read and write) issues exist in
test_compr_eb() that can result in application crash or arbitrary code
execution.

- CVE-2014-8141 (out-of-bounds read)
Two out-of-bounds read issues exist in getZip64Data() that allows
attackers to cause a denial of service.

Impact
======

An attacker is able to execute arbitrary code or cause a denial of
service through a specially crafted zip file passed to the command unzip -t.

References
==========

https://www.ocert.org/advisories/ocert-2014-011.html
https://access.redhat.com/security/cve/CVE-2014-8139
https://access.redhat.com/security/cve/CVE-2014-8140
https://access.redhat.com/security/cve/CVE-2014-8141
https://bugs.archlinux.org/task/43300
https://bugs.archlinux.org/task/43391

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150111/8a204ab8/attachment.asc>