Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201511-1 ======================================== Severity: High Date : 2015-11-03 CVE-ID : CVE-2015-7696 CVE-2015-7697 Package : unzip Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package unzip before version 6.0-11 is vulnerable to arbitrary code execution and denial of service. Resolution ========= Upgrade to 6.0-11. # pacman -Syu "unzip>=6.0-11" The problems have been fixed by applying proper patches. Workaround ========= None. Description ========== - CVE-2015-7696 (arbitrary code execution) A heap buffer overflow triggered by unzipping a file with password that can lead to arbitrary code execution. - CVE-2015-7697 (denial of service) A denial of service with a file that never finishes unzipping. Impact ===== A remote attacker is able to create a specially crafted zip archive with a password that is leading to arbitrary code execution or denial of service via an infinite loop while unzipping. References ========= https://access.redhat.com/security/cve/CVE-2015-7696 https://access.redhat.com/security/cve/CVE-2015-7697 https://seclists.org/oss-sec/2015/q3/512 https://bugs.archlinux.org/task/46955