Your message dated Sat, 31 Oct 2015 21:18:42 +0000
with message-id <[email protected]>
and subject line Bug#802162: fixed in unzip 6.0-16+deb8u1
has caused the Debian Bug report #802162,
regarding CVE-2015-7696: unzip: Heap buffer overflow when extracting
password-protected archive
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
802162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802162
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unzip
Version: 6.0-18
Severity: normal
Tags: security
A heap overflow issue triggered by unzipping a password-protected file has been found
in unzip. A proof-of-concept file can be downloaded from:
http://seclists.org/oss-sec/2015/q3/att-512/sigxcpu_zip.bin (unzip -p
-P x sigsegv.zip).
Announcement: http://www.openwall.com/lists/oss-security/2015/09/07/4
--
Henri Salo
--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-16+deb8u1
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 22 Oct 2015 12:51:52 +0000
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-16+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Santiago Vila <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
unzip - De-archiver for .zip files
Closes: 802160 802162
Changes:
unzip (6.0-16+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix infinite loop when extracting password-protected archive.
This is CVE-2015-7697. Closes: #802160.
* Fix heap overflow when extracting password-protected archive.
This is CVE-2015-7696. Closes: #802162.
* Fix additional unsigned overflow on invalid input.
--- End Message ---