Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 454
Alerts This Week
Warning Icon 1 454

openSUSE 42.3: 2018:3043-1 Moderate: Unzip Denial Of Service

opensuse
Calendar Grey October 5, 2018
Dist Opensuse Esm H88
This patch addresses various vulnerabilities in zip extraction tools, boosting overall system integrity and protection. Essential corrections have been implemented.
An update that solves 6 vulnerabilities and has one errata is now available.

Description

This update for unzip fixes the following security issues:

- CVE-2014-9913: Specially crafted zip files could trigger invalid memory

writes possibly resulting in DoS or corruption (bsc#1013993)

- CVE-2015-7696: Specially crafted zip files with password protection

could trigger a crash and lead to denial of service (bsc#950110)

- CVE-2015-7697: Specially crafted zip files could trigger an endless loop

and lead to denial of service (bsc#950111)

- CVE-2016-9844: Specially crafted zip files could trigger invalid memory

writes possibly resulting in DoS or corruption (bsc#1013992)

- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing

of password-protected archives that allowed an attacker to perform a

denial of service or to possibly achieve code execution (bsc#1080074).

- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write

and crash) via an extra field with an uncompressed size smaller than the

...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1124=1

Package List

- openSUSE Leap 42.3 (i586 x86_64):

unzip-6.00-31.3.1

unzip-debuginfo-6.00-31.3.1

unzip-debugsource-6.00-31.3.1

unzip-doc-6.00-31.3.1

unzip-rcc-6.00-31.3.1

unzip-rcc-debuginfo-6.00-31.3.1

unzip-rcc-debugsource-6.00-31.3.1

References

https://www.suse.com/security/cve/CVE-2014-9636.html

https://www.suse.com/security/cve/CVE-2014-9913.html

https://www.suse.com/security/cve/CVE-2015-7696.html

https://www.suse.com/security/cve/CVE-2015-7697.html

https://www.suse.com/security/cve/CVE-2016-9844.html

https://www.suse.com/security/cve/CVE-2018-1000035.html

https://bugzilla.suse.com/1013992

https://bugzilla.suse.com/1013993

https://bugzilla.suse.com/1080074

https://bugzilla.suse.com/910683

https://bugzilla.suse.com/914442

https://bugzilla.suse.com/950110

https://bugzilla.suse.com/950111

--

Announcement ID: openSUSE-SU-2018:3043-1
Rating: moderate
Affected Products: openSUSE Leap 42.3 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.