Your message dated Sun, 28 Dec 2014 18:49:34 +0000
with message-id <[email protected]>
and subject line Bug#773722: fixed in unzip 6.0-4+deb6u1
has caused the Debian Bug report #773722,
regarding unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
773722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unzip
Version: 6.0-4
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for unzip.
(Disclaimer: I was not yet able to verify any of those, but the oCert
advisory claims to affect all unzip <= 6.0.)
CVE-2014-8139[0]:
CRC32 heap overflow
CVE-2014-8140[1]:
heap overflow in test_compr_eb
CVE-2014-8141[2]:
heap overflow in getZip64Data
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
More information is found in the corresponding Red Hat bugzilla
entries.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8139
[1] https://security-tracker.debian.org/tracker/CVE-2014-8140
[2] https://security-tracker.debian.org/tracker/CVE-2014-8141
[3] http://www.ocert.org/advisories/ocert-2014-011.html
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-4+deb6u1
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Dec 2014 19:01:00 +0100
Source: unzip
Binary: unzip
Architecture: source i386
Version: 6.0-4+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Santiago Vila <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
unzip - De-archiver for .zip files
Closes: 773722
Changes:
unzip (6.0-4+deb6u1) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Squeeze LTS Team.
* Apply upstream fix for three security bugs.
CVE-2014-8139: CRC32 verification heap-based overflow
CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
CVE-2014-8141: out-of-bounds read issues in getZip64Data()
(Closes: #773722)
Checksums-Sha1:
6d23af8072a5b697fc5ac318017df62702cb916d 1765 unzip_6.0-4+deb6u1.dsc
abf7de8a4018a983590ed6f5cbd990d4740f8a22 1376845 unzip_6.0.orig.tar.gz
e7b399a051526c2bdcef7b7de846c78f03590ad3 12943 unzip_6.0-4+deb6u1.debian.tar.gz
66fe0b0a68ebda0208c38769d3d2f3e678136fc0 178936 unzip_6.0-4+deb6u1_i386.deb
Checksums-Sha256:
a1280dfbb24c109c936aa79d1c325a868a875abb5a70b9aa0cd6c2b8a533c137 1765 unzip_6.0-4+deb6u1.dsc
036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 1376845 unzip_6.0.orig.tar.gz
8be138960971c6f493ea0daca0088830dff2659150490b248200eb9014f66dfd 12943 unzip_6.0-4+deb6u1.debian.tar.gz
d74fda6de46321f58859007481e37651c39b044282acc7e778b79f89822e27ab 178936 unzip_6.0-4+deb6u1_i386.deb
Files:
3ebd2ee7ded89a93ddcd095c6d26bba2 1765 utils optional unzip_6.0-4+deb6u1.dsc
62b490407489521db863b523a7f86375 1376845 utils optional unzip_6.0.orig.tar.gz
30e64e4b220d1e41c75f212ce0e0d2ce 12943 utils optional unzip_6.0-4+deb6u1.debian.tar.gz
9994a87d5fdb01e4cdb2f75cd637534a 178936 utils optional unzip_6.0-4+deb6u1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=UD4Y
-----END PGP SIGNATURE-----
--- End Message ---