What Are You Looking For?

Sign Up
   SUSE Security Update: Security update for unzip
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2978-1
Rating:             moderate
References:         #1013992 #1013993 #1080074 #910683 #914442 
                    #950110 #950111 
Cross-References:   CVE-2014-9636 CVE-2014-9913 CVE-2015-7696
                    CVE-2015-7697 CVE-2016-9844 CVE-2018-1000035
                   
Affected Products:
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has one errata
   is now available.

Description:

   This update for unzip fixes the following security issues:

   - CVE-2014-9913: Specially crafted zip files could trigger invalid memory
     writes possibly resulting in DoS or corruption (bsc#1013993)
   - CVE-2015-7696: Specially crafted zip files with password protection
     could trigger a crash and lead to denial of service (bsc#950110)
   - CVE-2015-7697: Specially crafted zip files could trigger an endless loop
     and lead to denial of service (bsc#950111)
   - CVE-2016-9844: Specially crafted zip files could trigger invalid memory
     writes possibly resulting in DoS or corruption (bsc#1013992)
   - CVE-2018-1000035: Prevent heap-based buffer overflow in the processing
     of password-protected archives that allowed an attacker to perform a
     denial of service or to possibly achieve code execution (bsc#1080074).
   - CVE-2014-9636: Prevent denial of service (out-of-bounds read or write
     and crash) via an extra field with an uncompressed size smaller than the
     compressed field size in a zip archive that advertises STORED method
     compression (bsc#914442).

   This non-security issue was fixed:

   +- Allow processing of Windows zip64 archives (Windows archivers set
    total_disks field to 0 but per standard, valid values are 1 and higher)
    (bnc#910683)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2117=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2117=1



Package List:

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      unzip-6.00-33.8.1
      unzip-debuginfo-6.00-33.8.1
      unzip-debugsource-6.00-33.8.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      unzip-6.00-33.8.1
      unzip-debuginfo-6.00-33.8.1
      unzip-debugsource-6.00-33.8.1


References:

   https://www.suse.com/security/cve/CVE-2014-9636.html
   https://www.suse.com/security/cve/CVE-2014-9913.html
   https://www.suse.com/security/cve/CVE-2015-7696.html
   https://www.suse.com/security/cve/CVE-2015-7697.html
   https://www.suse.com/security/cve/CVE-2016-9844.html
   https://www.suse.com/security/cve/CVE-2018-1000035.html
   https://bugzilla.suse.com/1013992
   https://bugzilla.suse.com/1013993
   https://bugzilla.suse.com/1080074
   https://bugzilla.suse.com/910683
   https://bugzilla.suse.com/914442
   https://bugzilla.suse.com/950110
   https://bugzilla.suse.com/950111

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2018:2978-1 moderate: unzip

October 2, 2018
An update that solves 6 vulnerabilities and has one errata is now available

Summary

This update for unzip fixes the following security issues: - CVE-2014-9913: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013993) - CVE-2015-7696: Specially crafted zip files with password protection could trigger a crash and lead to denial of service (bsc#950110) - CVE-2015-7697: Specially crafted zip files could trigger an endless loop and lead to denial of service (bsc#950111) - CVE-2016-9844: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013992) - CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074). - CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442). This non-security issue was fixed: +- Allow processing of Windows zip64 archives (Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher) (bnc#910683) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2117=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2117=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): unzip-6.00-33.8.1 unzip-debuginfo-6.00-33.8.1 unzip-debugsource-6.00-33.8.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): unzip-6.00-33.8.1 unzip-debuginfo-6.00-33.8.1 unzip-debugsource-6.00-33.8.1

References

#1013992 #1013993 #1080074 #910683 #914442

#950110 #950111

Cross- CVE-2014-9636 CVE-2014-9913 CVE-2015-7696

CVE-2015-7697 CVE-2016-9844 CVE-2018-1000035

Affected Products:

SUSE Linux Enterprise Server 12-SP3

SUSE Linux Enterprise Desktop 12-SP3

https://www.suse.com/security/cve/CVE-2014-9636.html

https://www.suse.com/security/cve/CVE-2014-9913.html

https://www.suse.com/security/cve/CVE-2015-7696.html

https://www.suse.com/security/cve/CVE-2015-7697.html

https://www.suse.com/security/cve/CVE-2016-9844.html

https://www.suse.com/security/cve/CVE-2018-1000035.html

https://bugzilla.suse.com/1013992

https://bugzilla.suse.com/1013993

https://bugzilla.suse.com/1080074

https://bugzilla.suse.com/910683

https://bugzilla.suse.com/914442

https://bugzilla.suse.com/950110

https://bugzilla.suse.com/950111

Severity
Announcement ID: SUSE-SU-2018:2978-1
Rating: moderate

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Kali vs. ParrotOS: 2 Versatile Linux Distros for Security Pros

Dec 9, 2023

Kali Linux 2023.4 Released With New Hacking Tools

Dec 6, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo