Bug 180159
| Summary: | CVE-2005-4667 unzip long filename buffer overflow | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | Ivana Varekova <varekova> |
| Component: | unzip | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | fc3 | CC: | deisenst, michal, pekkas, tseaver |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | impact=low, LEGACY, rh73, rh90, 1, 2, 3 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-04-05 00:26:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ivana Varekova
2006-02-06 13:52:23 UTC
Thank you, Ivana, for the heads up on this issue! *** Bug 180411 has been marked as a duplicate of this bug. *** To have it handy, Michal Jaegerman wrote in the duplicate bug: "Description of problem: "Bug #178961 gives a description, with a simple test, of a bug which affects unzip. It is filed only for FC but it affects really all releases. "For FC3 binaries from FC4 updates work without any changes. Where unzip- 5.51 is used a patch from unzip-5.51-13.fc4.src.rpm can be applied 'as is'. With unzip-5.50, like it shows up in RHL7.3, a patched src.rpm can be found at: ftp://ftp.harddata.com/pub/Legacy_srpms/unzip-5.50-31.hd.src.rpm or one can update to unzip-5.51 by recompiling update FC4 sources." Thanks Michal! :-) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages to QA: 8194a9bdb7948585397896b6a0f36319ca4406c6 7.3/unzip-5.50-31.1.legacy.i386.rpm a0fe6afbc49e41b3041f3b5741e19d3082902d55 7.3/unzip-5.50-31.1.legacy.src.rpm 804c8f0bdba9b799456d16f5566c1d8a2804cefc 9/unzip-5.50-33.1.legacy.i386.rpm 12fd4826d8ae6f22bc59acc0d95e9e81e2543792 9/unzip-5.50-33.1.legacy.src.rpm 01f1bb8c630a71ffd305c66babf4d5263b50b8c7 1/unzip-5.50-35.1.legacy.i386.rpm 6e533d8f51e60ad7f7d17de76cdca01a6032fd46 1/unzip-5.50-35.1.legacy.src.rpm 89e0b45be6b2a6780b78fe05321e34d6787ac887 2/unzip-5.50-37.1.legacy.i386.rpm 4d719246a8a62219178647aff678e24d36827ff1 2/unzip-5.50-37.1.legacy.src.rpm 074f312c45e062ade60aec917af88fc7d70b2f5b 3/unzip-5.51-4.fc3.1.legacy.i386.rpm 363f21d643ca7d5d94738b420d47c2b496f9e42a 3/unzip-5.51-4.fc3.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/7.3/unzip-5.50-31.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/unzip-5.50-33.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/unzip-5.50-35.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/unzip-5.50-37.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/3/unzip-5.51-4.fc3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFEEMY3LMAs/0C4zNoRAt4IAJwJ5fs145r8zhXiGYRWs8uyuCoyOACgom+r pdPS1mtEOlB1SfsN/47OB3k= =42e3 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches verified to come or be rediffed from FC4 +PUBLISH RHL73, RHL9, FC1, FC2, FC3 a0fe6afbc49e41b3041f3b5741e19d3082902d55 unzip-5.50-31.1.legacy.src.rpm 12fd4826d8ae6f22bc59acc0d95e9e81e2543792 unzip-5.50-33.1.legacy.src.rpm 6e533d8f51e60ad7f7d17de76cdca01a6032fd46 unzip-5.50-35.1.legacy.src.rpm 4d719246a8a62219178647aff678e24d36827ff1 unzip-5.50-37.1.legacy.src.rpm 363f21d643ca7d5d94738b420d47c2b496f9e42a unzip-5.51-4.fc3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFEESx6GHbTkzxSL7QRAgacAKDNQnh/sbtRiuezCXyT5kc5NpGFXQCfVzOR kpr/CNIQ/PAS3e9QJCe4+ro= =ttDq -----END PGP SIGNATURE----- Packages were pushed to updates-testing. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packages tested: 473bf802cf9257684f534cb99e7813e4257bf189 unzip-5.50-35.1.legacy.i386.rpm - SHA1 checksums and GPG signatures verified. - Package installed cleanly. - Tested unzip of sample zipfile before and after, with identical results. +VERIFY FC1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEGPCR+gerLs4ltQ4RAv/nAKCeWIy11shoZxy67fMBts1JZkpH0ACfZcmW IJDs9gbWc3+ALONzerSGd8c= =s6Q+ -----END PGP SIGNATURE----- Thanks! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for RHL9. Signature OK, upgrades OK. Rpm-build-compare.sh on the binaries also looks OK. Basic testing OK. Unzip vulnerability fixed. +VERIFY RHL9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFEGQCtGHbTkzxSL7QRAhdWAJ9mMXWwlyYfjDvCTRnebPVIfhLvcQCfdaTI e9VT9IVSGkoKmWLcLKPd26E= =KEpk -----END PGP SIGNATURE----- Timeout shortened to one week. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 00b6b6b34e4229e9a2547418c83470752c9c9ff9 unzip-5.50-33.1.legacy.i386.rpm installs fine. created a test zipfile, unzip -t works, unzip -x works. unzip `perl -e 'print "A" x 50000'` returns word too long (good) not seg fault (bad). +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIn3bePtvKV31zw4RAjJtAJ9Qgd6nuv9V+0Bj41qzo4awudn9KwCgvLTB ffArXfOiB0CnXku5K5k7GA4= =34oY -----END PGP SIGNATURE----- Timeout over. Packages were released to updates. |