ArchLinux: 201511-1: unzip: multiple issues
Summary
- CVE-2015-7696 (arbitrary code execution)
A heap buffer overflow triggered by unzipping a password-protected file,
which can lead to arbitrary code execution.
- CVE-2015-7697 (denial of service)
A denial of service with a file that never finishes unzipping.
Resolution
Upgrade to 6.0-11.
# pacman -Syu "unzip>=6.0-11"
The problems have been fixed by applying proper patches.
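As an added example that is not part of the advisory, the POSIX shell functions below check an installed unzip version against the fixed release 6.0-11. The comparison is a simplified re-implementation of pacman's vercmp (numeric fields only, enough for unzip's 6.0-N versions), and `pacman -Q unzip` is assumed to print `unzip <version>`.

```shell
# Added example, not part of the Arch advisory: report whether an installed
# unzip package is older than the fixed release 6.0-11. Assumes pacman's
# [epoch:]pkgver-pkgrel format with numeric dotted pkgver fields and a numeric
# pkgrel, a simplification of vercmp that is sufficient for unzip 6.0-N.
FIXED_UNZIP_VERSION="6.0-11"

# parse_version VERSION -> prints "epoch pkgver pkgrel" (epoch/pkgrel default 0)
parse_version() {
    pv=$1; epoch=0; rel=0
    case $pv in *:*) epoch=${pv%%:*}; pv=${pv#*:};; esac
    case $pv in *-*) rel=${pv##*-}; pv=${pv%-*};; esac
    printf '%s %s %s\n' "$epoch" "$pv" "$rel"
}

# cmp_dotted A B -> prints -1, 0 or 1 comparing dot-separated numeric fields
cmp_dotted() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {           # missing trailing fields count as 0
            x = (i <= na) ? pa[i] + 0 : 0; y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# vercmp_simple A B -> -1, 0 or 1 like pacman's vercmp: epoch, pkgver, pkgrel
vercmp_simple() {
    set -- $(parse_version "$1") $(parse_version "$2")
    c=$(cmp_dotted "$1" "$4")
    [ "$c" -eq 0 ] && c=$(cmp_dotted "$2" "$5")
    [ "$c" -eq 0 ] && c=$(cmp_dotted "$3" "$6")
    echo "$c"
}

# unzip_needs_upgrade INSTALLED -> true when INSTALLED is below 6.0-11
unzip_needs_upgrade() {
    [ "$(vercmp_simple "$1" "$FIXED_UNZIP_VERSION")" -lt 0 ]
}

# check_installed_unzip: reads the live version from "pacman -Q unzip" (output
# "unzip <version>") and prints a verdict; returns 2 when pacman is absent
check_installed_unzip() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found" >&2; return 2; }
    installed=$(pacman -Q unzip 2>/dev/null | awk '{ print $2 }')
    [ -n "$installed" ] || { echo "unzip is not installed"; return 0; }
    unzip_needs_upgrade "$installed" || { echo "unzip $installed has the fix"; return 0; }
    echo "unzip $installed is affected; upgrade to $FIXED_UNZIP_VERSION"; return 1
}
```

On an Arch system, call `check_installed_unzip` after sourcing the file; its exit status (1 when affected) makes it usable from a fleet inventory script.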
References
https://access.redhat.com/security/cve/CVE-2015-7696
https://access.redhat.com/security/cve/CVE-2015-7697
https://seclists.org/oss-sec/2015/q3/512
https://bugs.archlinux.org/task/46955
Workaround
None.