A heap-based buffer overflow vulnerability in the UzpPassword function was found, possibly allowing arbitrary code execution when uncompressing specially crafted password-protected ZIP archives.

Vulnerable code:

    if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
        sprintf(prompt, LoadFarString(PasswPrompt),
                FnFilter1(zfn), FnFilter2(efn));
        ...
    }

The buffer can be overrun since the attacker can arbitrarily choose the names of files residing inside the archive file.
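The pattern described above, as an added example that is not part of the original report or of the unzip source: it measures the formatted prompt length and compares it with the fixed 2*FILNAMSIZ + 15 allocation, then shows a length-driven allocation with a bounded write. The FILNAMSIZ value, the PROMPT_FMT string standing in for PasswPrompt, and all function names are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILNAMSIZ 16                     /* assumed demo value, not unzip's */
#define PROMPT_FMT "[%s] %s password: "  /* assumed stand-in for PasswPrompt */

/* Bytes (including the terminating NUL) the formatted prompt really needs. */
static size_t prompt_needed(const char *zfn, const char *efn)
{
    int n = snprintf(NULL, 0, PROMPT_FMT, zfn, efn);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Nonzero when an unbounded sprintf() into a 2*FILNAMSIZ + 15 byte
 * allocation, as in the reported code, would write past its end. */
static int fixed_buffer_too_small(const char *zfn, const char *efn)
{
    return prompt_needed(zfn, efn) > (size_t)(2 * FILNAMSIZ + 15);
}

/* Hardened variant: allocate what was measured and bound the write.
 * Returns NULL on failure; the caller frees the result. */
static char *build_prompt(const char *zfn, const char *efn)
{
    size_t need = prompt_needed(zfn, efn);
    char *prompt;

    if (need == 0 || (prompt = malloc(need)) == NULL)
        return NULL;
    snprintf(prompt, need, PROMPT_FMT, zfn, efn);
    return prompt;
}

int main(void)
{
    /* Constructed sample names; the entry name is longer than FILNAMSIZ. */
    const char *zfn = "archive.zip";
    const char *efn = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt";
    char *p = build_prompt(zfn, efn);

    printf("fixed=%d needed=%zu too_small=%d\n", 2 * FILNAMSIZ + 15,
           prompt_needed(zfn, efn), fixed_buffer_too_small(zfn, efn));
    if (p != NULL) {
        puts(p);
        free(p);
    }
    return 0;
}
```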
Acknowledgments: Name: R. Freingruber (SEC Consult Vulnerability Lab)
Statement: This issue affects the versions of unzip as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
External References: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Created unzip tracking bugs for this issue: Affects: fedora-all [bug 1543337]