Your message dated Thu, 22 Oct 2015 09:39:21 +0000
with message-id <[email protected]>
and subject line Bug#802162: fixed in unzip 6.0-4+deb6u3
has caused the Debian Bug report #802162,
regarding CVE-2015-7696: unzip: Heap buffer overflow when extracting 
password-protected archive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
802162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802162
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: unzip
Version: 6.0-18
Severity: normal
Tags: security

A heap overflow triggered by unzipping a file with password issue has been found
in unzip. A proof-of-concept file can be downloaded from:
http://seclists.org/oss-sec/2015/q3/att-512/sigxcpu_zip.bin
(unzip -p -P x sigsegv.zip).

Announcement: http://www.openwall.com/lists/oss-security/2015/09/07/4

-- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-4+deb6u3

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <[email protected]> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Oct 2015 10:49:06 +0200
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-4+deb6u3
Distribution: squeeze-lts
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Raphaël Hertzog <[email protected]>
Description: 
 unzip      - De-archiver for .zip files
Closes: 802160 802162
Changes: 
 unzip (6.0-4+deb6u3) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * CVE-2015-7696: Fix heap overflow. Closes: #802162
   * CVE-2015-7697: Fix denial of service due to infinite loop with
     some invalid input data. Closes: #802160
   * Add a third patch fixing an integer underflow found by
     Stefan Cornelius.
Checksums-Sha1: 
 432b5f3bc197d2928ca10c41ff1f23e86588ecb6 1324 unzip_6.0-4+deb6u3.dsc
 c47de49294436e645bcd9999adbeb61de32e41e0 15442 unzip_6.0-4+deb6u3.debian.tar.gz
 a2d5e0061b70abb8ab412fa5af4dcef22a480cae 192038 unzip_6.0-4+deb6u3_amd64.deb
Checksums-Sha256: 
 f1e9c37bea565eafccd68237439c37e9b783997421f546d11ea05dcbb8a4093a 1324 unzip_6.0-4+deb6u3.dsc
 8630ce83f64a309da0cae342179461ebde93f0cf82dde357224db4fb4f59736b 15442 unzip_6.0-4+deb6u3.debian.tar.gz
 b387abd4a9c5940e98f96e60c81b6ff4dc7c3c352e86d29cba06137fdab7dd45 192038 unzip_6.0-4+deb6u3_amd64.deb
Files: 
 207e64938b5c6062ac01f57c0f566f1f 1324 utils optional unzip_6.0-4+deb6u3.dsc
 36e379ddd9d11dab908f8a88181c1083 15442 utils optional unzip_6.0-4+deb6u3.debian.tar.gz
 366ec34df6c20e56be23351f630eae55 192038 utils optional unzip_6.0-4+deb6u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

-----END PGP SIGNATURE-----

--- End Message ---
