Your message dated Mon, 29 Dec 2014 19:17:05 +0000
with message-id <[email protected]>
and subject line Bug#773722: fixed in unzip 6.0-8+deb7u1
has caused the Debian Bug report #773722,
regarding unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unzip
Version: 6.0-4
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for unzip.

(disclaimer: I was not yet able to verify any of those, but the oCert
advisory claims to affect all unzip <= 6.0).

CVE-2014-8139[0]:
CRC32 heap overflow

CVE-2014-8140[1]:
heap overflow in test_compr_eb

CVE-2014-8141[2]:
heap overflow in getZip64Data

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

More information is found in the corresponding Red Hat bugzilla
entries.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8139
[1] https://security-tracker.debian.org/tracker/CVE-2014-8140
[2] https://security-tracker.debian.org/tracker/CVE-2014-8141
[3] http://www.ocert.org/advisories/ocert-2014-011.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-8+deb7u1

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Dec 2014 20:04:35 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-8+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description: 
 unzip      - De-archiver for .zip files
Closes: 773722
Changes: 
 unzip (6.0-8+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream fix for three security bugs.
     CVE-2014-8139: CRC32 verification heap-based overflow
     CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
     CVE-2014-8141: out-of-bounds read issues in getZip64Data()
     (Closes: #773722)
Checksums-Sha1: 
 750342d29f6e203b8766d8d4acaa1e85f868c950 1676 unzip_6.0-8+deb7u1.dsc
 abf7de8a4018a983590ed6f5cbd990d4740f8a22 1376845 unzip_6.0.orig.tar.gz
 efa3c8368010fb14355ed6121f1d2018a1122fec 13694 unzip_6.0-8+deb7u1.debian.tar.gz
 1d0874f135b2fbeebb0d03124a3072adb8dd6d0a 194914 unzip_6.0-8+deb7u1_amd64.deb
Checksums-Sha256: 
 f38e804ae4c8e04d02f4c9d74e91c47b30a9aee048a6c41548bea2a9db4f149d 1676 unzip_6.0-8+deb7u1.dsc
 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 1376845 unzip_6.0.orig.tar.gz
 02aeb43c88ba38849597e03920422f9612ce8c658f558cd4b34c45b9837a6a5b 13694 unzip_6.0-8+deb7u1.debian.tar.gz
 86bcc62e3f26eecdf3d102d8155471adcdf2d0c73f0387421d2c8a8effb4ba12 194914 unzip_6.0-8+deb7u1_amd64.deb
Files: 
 6d96da722abfc94bb4bfdf96e2a71723 1676 utils optional unzip_6.0-8+deb7u1.dsc
 62b490407489521db863b523a7f86375 1376845 utils optional unzip_6.0.orig.tar.gz
 6d0673b9a6cc740dfb0b4fa20af5a824 13694 utils optional unzip_6.0-8+deb7u1.debian.tar.gz
 9a9c10dd675f9e080a80e883cdc52f30 194914 utils optional unzip_6.0-8+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---