Overview

File _patchinfo of Package patchinfo.3339

<patchinfo incident="3339">
  <issue id="950110" tracker="bnc">VUL-1: CVE-2015-7696: unzip: heap overflow triggered by unzipping a file with password</issue>
  <issue id="950111" tracker="bnc">VUL-1: CVE-2015-7697: unzip: DoS with a file that never finishes unzipping</issue>
  <issue id="1013992" tracker="bnc">VUL-0: CVE-2016-9844: unzip: Buffer overflow in ZipInfo</issue>
  <issue id="1013993" tracker="bnc">VUL-0: CVE-2014-9913: unzip: Buffer overflow in "unzip -l" via list_files() in list.c</issue>
  <issue id="1080074" tracker="bnc">VUL-1: CVE-2018-1000035: unzip: [Heap-based buffer overflow in password protected ZIP archives]</issue>
  <issue id="910683" tracker="bnc">unzip fails to extract file generated by WS2012R2</issue>
  <issue id="914442" tracker="bnc">VUL-1: CVE-2014-9636: unzip: out-of-bounds read/write in test_compr_eb() in extract.c</issue>
  <issue id="2014-9636" tracker="cve" />
  <issue id="2018-1000035" tracker="cve" />
  <issue id="2015-7696" tracker="cve" />
  <issue id="2015-7697" tracker="cve" />
  <issue id="2016-9844" tracker="cve" />
  <issue id="2014-9913" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>jmoellers</packager>
  <description>This update for unzip fixes the following security issues:

- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
  trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
  lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
  password-protected archives that allowed an attacker to perform a denial of
  service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
  crash) via an extra field with an uncompressed size smaller than the compressed
  field size in a zip archive that advertises STORED method compression
  (bsc#914442).

This non-security issue was fixed:

+- Allow processing of Windows zip64 archives (Windows archivers set
  total_disks field to 0 but per standard, valid values are 1 and higher)
  (bnc#910683)
</description>
  <summary>Security update for unzip</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places