Two vulnerabilities were found in unzip 6.0, namely a heap overflow and a denial of service. The public post, together with the error report and reproducers, is available at: http://seclists.org/oss-sec/2015/q3/512
Created unzip tracking bugs for this issue: Affects: fedora-all [bug 1260947]
Created attachment 1073339 [details] proposed fix
(In reply to Kamil Dudka from comment #2)
> Created attachment 1073339 [details]
> proposed fix

Second part of the patch proposed upstream: https://sourceforge.net/p/infozip/patches/23/
The bzip2 compression support is broken in RHEL6 due to an error in the unzip-6.0-bzip2-configure.patch - it passes the -DBZIP2_SUPPORT flag, but (additionally?) requires -DUSE_BZIP2, or it will not process the sigxcpu.zip reproducer:

    skipping: 8?H?  `bzip2' method not supported

If we compile the RHEL6 version with proper flags, it's affected by the same issue.
RHEL5 does not support bzip2, so the sigxcpu.zip reproducer has no impact. It is affected by the segfault issue, though.
unzip-6.0-23.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1075942 [details] [PATCH] extract: prevent unsigned overflow on invalid input
unzip-6.0-22.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment on attachment 1075942 [details]
[PATCH] extract: prevent unsigned overflow on invalid input

Very good! (Not 100% sure how the review system works. This patch looks good and can go ahead; I hope that's also reflected in the flags. If not, simply ignore the flags.)
Thanks for the review! The patch is now included in unzip-6.0-24.fc24: http://pkgs.fedoraproject.org/cgit/unzip.git/commit/?id=d18f821e
unzip-6.0-22.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.