Attached to Project:
Arch Linux
Opened by Conrad Hoffmann (conrausch) - Monday, 22 February 2021, 22:33 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 23 February 2021, 07:15 GMT
Description: According to AVG-611 [1], the Arch unzip package is vulnerable to CVE-2018-1000035 [2]. Debian ships a patch [3] for this, see also the respective Debian bug report [4]. Since Arch already ships some Debian patches to unzip, maybe this one could be added and the AVG closed? The patch applies cleanly. For what it's worth, I am attaching the git diff I used for testing.
[1] https://security.archlinux.org/AVG-611
Cheers,
unzip_cve-2018-1000035.patch