Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 603
Alerts This Week
Warning Icon 1 603

Ubuntu 22.04 LTS USN-5674-1: Addressing Compression Flaws and Risks

ubuntu
Calendar Grey October 13, 2022
Dist Ubuntu Esm H88
Various unzip flaws addressed in Ubuntu LTS help guard against possible DoS and arbitrary code execution threats in compressed files.
Several security issues were fixed in unzip.

Summary

Several security issues were fixed in unzip.

Software Description:

- unzip: De-archiver for .zip files

Details:

It was discovered that unzip did not properly handle unicode strings under

certain circumstances. If a user were tricked into opening a specially crafted

zip file, an attacker could possibly use this issue to cause unzip to crash,

resulting in a denial of service, or possibly execute arbitrary code.

(CVE-2021-4217)

It was discovered that unzip did not properly perform bounds checking while

converting wide strings to local strings. If a user were tricked into opening a

specially crafted zip file, an attacker could possibly use this issue to cause

unzip to crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2022-0529, CVE-2022-0530)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  unzip                           6.0-26ubuntu3.1

Ubuntu 20.04 LTS:
  unzip                           6.0-25ubuntu1.1

Ubuntu 18.04 LTS:
  unzip                           6.0-21ubuntu1.2

Ubuntu 16.04 ESM:
  unzip                           6.0-20ubuntu1.1+esm1

Ubuntu 14.04 ESM:
  unzip                           6.0-9ubuntu1.6+esm1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5673-1

CVE-2021-4217, CVE-2022-0529, CVE-2022-0530,

Severity
important
Lowest
Low
Medium
High
Critical

October 13, 2022

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.