Your message dated Mon, 22 Dec 2014 18:36:42 +0000
with message-id <[email protected]>
and subject line Bug#773722: fixed in unzip 6.0-13
has caused the Debian Bug report #773722,
regarding unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unzip
Version: 6.0-4
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for unzip.

(disclaimer: I was not yet able to verify any of those, but the oCert
advisory claims that they affect all unzip <= 6.0).

CVE-2014-8139[0]:
CRC32 heap overflow

CVE-2014-8140[1]:
heap overflow in test_compr_eb

CVE-2014-8141[2]:
heap overflow in getZip64Data

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

More information is found in the corresponding Red Hat bugzilla
entries.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8139
[1] https://security-tracker.debian.org/tracker/CVE-2014-8140
[2] https://security-tracker.debian.org/tracker/CVE-2014-8141
[3] http://www.ocert.org/advisories/ocert-2014-011.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-13

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 22 Dec 2014 19:16:10 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Description:
 unzip      - De-archiver for .zip files
Closes: 773722
Changes:
 unzip (6.0-13) unstable; urgency=medium
 .
   * Apply upstream fix for three security bugs. Closes: #773722.
     CVE-2014-8139: CRC32 verification heap-based overflow
     CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
     CVE-2014-8141: out-of-bounds read issues in getZip64Data()
Checksums-Sha1:
 f7b1be73e9039266337b9f6d962c0d455b4350a7 1311 unzip_6.0-13.dsc
 5663fba14ac26549c487c573d6df6a4db673f13d 13512 unzip_6.0-13.debian.tar.xz
 c42b7221cde3acc12f6197620ea28a2752eab299 160690 unzip_6.0-13_amd64.deb
Checksums-Sha256:
 029ccdf813e6fd884139b7ba904e4ba5e5356fbb26a56a42ae5e618424989ac4 1311 unzip_6.0-13.dsc
 1278b3d077ea388f59b1890ea34a1791b524c7634d52bbdb9f733cd0906d975b 13512 unzip_6.0-13.debian.tar.xz
 7ca14e05e59c115f7b056b6ff8cec8851258f528012a3f2a735478f19dd99f39 160690 unzip_6.0-13_amd64.deb
Files:
 af8c8bc702b4343e6942d72e9fc7b41e 1311 utils optional unzip_6.0-13.dsc
 b66659905826c0725bdb98a336bb156d 13512 utils optional unzip_6.0-13.debian.tar.xz
 c93df3e23ec23a456f63d6a1aebd4962 160690 utils optional unzip_6.0-13_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJUmGBpAAoJEEHOfwufG4syNy4H/AntJeXy8XyizN0YYvfETMEG
q/CbIqj28GKty/PPVhQXjPVdaK0RGzbp0Oq/wUEVn1ww+tQgZnxKcR7/4z/nX2fd
6+uv+NzuLsx7d6bAoOFJIxOYhfqAQCWxZHtE8b+TDEd9YFC/Z82Ib9G8VrQdOdaU
4UFLjw0waPBZJ2eGG6+vB+E+vwkB/hPYMG87Unj7373IF5vhB52Eb6ikdTd7ZbH6
fBLstEcgnq/gskxhN3YxSKnTci50/2VCsjo8Y1im1Moc94nllvDvWfvWXWEOkCmQ
B5Ucf0LzWqGQC4vuEqRCrAYgh7vqtdGQOvM1mPPz3lIl4cJ8rxrDrONRdzF0otQ=
=D/bI
-----END PGP SIGNATURE-----

--- End Message ---
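The close message above carries the signed .changes summary, whose Checksums-Sha256 stanza is what lets a downstream consumer check that the .dsc, .debian.tar.xz and .deb they fetched are the ones the maintainer uploaded. The following is an added example, not Debian tooling and not part of the bug report: it parses a Checksums-Sha256 stanza in the layout shown above and verifies the listed files by size and SHA-256, reporting which are fine, tampered with, or missing. The stanza used to exercise the parser is the real one from this .changes; the files used to exercise the verifier (names starting with "example_") and their contents are constructed here. The PGP signature check that the real tooling (for instance dscverify from devscripts) performs before trusting the stanza is assumed to have happened separately and is outside this example.

```python
import hashlib
import os
import re
import tempfile

# The Checksums-Sha256 stanza from the unzip 6.0-13 .changes shown above,
# embedded here as parser input (hashes and sizes are the page's own values).
PAGE_STANZA = """\
Format: 1.8
Source: unzip
Checksums-Sha256:
 029ccdf813e6fd884139b7ba904e4ba5e5356fbb26a56a42ae5e618424989ac4 1311 unzip_6.0-13.dsc
 1278b3d077ea388f59b1890ea34a1791b524c7634d52bbdb9f733cd0906d975b 13512 unzip_6.0-13.debian.tar.xz
 7ca14e05e59c115f7b056b6ff8cec8851258f528012a3f2a735478f19dd99f39 160690 unzip_6.0-13_amd64.deb
Files:
 af8c8bc702b4343e6942d72e9fc7b41e 1311 utils optional unzip_6.0-13.dsc
"""

# Constructed sample upload (not a real package): file names and contents are
# made up so the verifier can run offline against files we control.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0-1.debian.tar.xz": b"constructed bytes standing in for a tarball\n",
}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from the given checksum field.

    A field starts with 'Name:' at column 0 and its entries are the indented
    continuation lines that follow, each '<digest> <size> <filename>'.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_field = line.rstrip() == field + ":"
            continue
        if not in_field:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"bad SHA-256 digest for {name}: {digest!r}")
        entries[name] = (digest, int(size))
    return entries


def verify_files(entries, directory):
    """Check each listed file in `directory`; return {filename: status}."""
    results = {}
    for name, (digest, size) in entries.items():
        # basename() so a crafted stanza cannot point outside `directory`
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def build_changes(files):
    """Constructed helper: emit a minimal .changes text for the sample files."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")
    return "\n".join(lines) + "\n"


def demo():
    """Write the sample files, verify them, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        entries = parse_checksums(build_changes(SAMPLE_FILES))
        clean = verify_files(entries, d)
        # Overwrite the first byte: same size, different content.
        with open(os.path.join(d, "example_1.0-1.dsc"), "r+b") as fh:
            fh.write(b"X")
        # Append a byte: size no longer matches the stanza.
        with open(os.path.join(d, "example_1.0-1.debian.tar.xz"), "ab") as fh:
            fh.write(b"!")
        tampered = verify_files(entries, d)
        entries["example_1.0-1_amd64.deb"] = ("0" * 64, 1)  # listed but never fetched
        missing = verify_files(entries, d)["example_1.0-1_amd64.deb"]
    return clean, tampered, missing


if __name__ == "__main__":
    print(parse_checksums(PAGE_STANZA))
    print(demo())
```

The size is compared before the digest so that a truncated or padded download is reported as such rather than as a generic hash failure, and the stanza parser rejects any line that is not exactly digest, size and name, so a wrapped or otherwise mangled stanza (as the mail-wrapped lines in this thread would be if fed in unjoined) fails loudly instead of silently skipping a file.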
