Your message dated Sat, 31 Oct 2015 21:19:08 +0000
with message-id <[email protected]>
and subject line Bug#802162: fixed in unzip 6.0-8+deb7u4
has caused the Debian Bug report #802162,
regarding CVE-2015-7696: unzip: Heap buffer overflow when extracting
password-protected archive
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
802162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802162
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unzip
Version: 6.0-18
Severity: normal
Tags: security
A heap overflow triggered by unzipping a file with a password issue has been found
in unzip. A proof-of-concept file can be downloaded from:
http://seclists.org/oss-sec/2015/q3/att-512/sigxcpu_zip.bin (unzip -p -P x sigsegv.zip).
Announcement: http://www.openwall.com/lists/oss-security/2015/09/07/4
--
Henri Salo
--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-8+deb7u4
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 22 Oct 2015 12:59:24 +0000
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-8+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
unzip - De-archiver for .zip files
Closes: 802160 802162
Changes:
unzip (6.0-8+deb7u4) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix infinite loop when extracting password-protected archive.
This is CVE-2015-7697. Closes: #802160.
* Fix heap overflow when extracting password-protected archive.
This is CVE-2015-7696. Closes: #802162.
* Fix additional unsigned overflow on invalid input.
--- End Message ---