Bug 180159 - CVE-2005-4667 unzip long filename buffer overflow
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: unzip
Version: fc3
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Fedora Legacy Bugs
Ben Levenson
impact=low, LEGACY, rh73, rh90, 1, 2, 3
Keywords: Security
Duplicates: 180411
Reported: 2006-02-06 08:52 EST by Ivana Varekova
Modified: 2006-04-24 13:19 EDT
Doc Type: Bug Fix
Last Closed: 2006-04-04 20:26:48 EDT
Description Ivana Varekova 2006-02-06 08:52:23 EST
+++ This bug was initially created as a clone of Bug #178961 +++

unzip long filename buffer overflow

unzip is vulnerable to a filename buffer overflow vulnerability.  It
may be possible to execute arbitrary code as the user running unzip.

http://www.securityfocus.com/bid/15968/info

This issue can be verified with the following command:
unzip `perl -e 'print "A" x 50000'`

-- Additional comment from bressers@redhat.com on 2006-01-25 14:44 EST --
This issue also affects FC5

-- Additional comment from varekova@redhat.com on 2006-02-06 08:44 EST --
fc5 and fc4 versions are fixed (unzip-5.52-2 and unzip-5.51-13.fc4).
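The defect class behind this report is a caller-supplied filename copied into a fixed-size buffer without a length check; the patched builds reject the 50000-byte test name with "word too long" instead of crashing. The following is an added example modelling that hardened copy; it is not unzip's own code, and NAME_BUF_SIZE is an assumed buffer size, not unzip's real limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size; unzip's actual limit is not given on the page. */
#define NAME_BUF_SIZE 1024

enum name_status { NAME_OK = 0, NAME_TOO_LONG = 1, NAME_EMPTY = 2, NAME_ALLOC_FAILED = 3 };

/* The unsafe pattern copies src into dst (e.g. strcpy) without comparing
 * lengths, so a 50000-byte argument writes far past a 1024-byte buffer.
 * This hardened copy measures src within the destination bound first,
 * so neither the check nor the copy can touch memory outside dst. */
enum name_status copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    while (n < dstsize && src[n] != '\0')   /* bounded scan, never past dstsize */
        n++;
    if (n == 0)
        return NAME_EMPTY;
    if (n >= dstsize)                        /* no room left for the terminating NUL */
        return NAME_TOO_LONG;
    memcpy(dst, src, n + 1);                 /* exactly n bytes plus the NUL */
    return NAME_OK;
}

/* Constructed input: `len` repetitions of 'A', like the perl one-liner in the
 * report. The caller frees the result. */
char *make_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Status the checked copy yields for a name of `len` bytes. */
enum name_status check_name_len(size_t len)
{
    char buf[NAME_BUF_SIZE];
    char *name = make_name(len);
    if (name == NULL)
        return NAME_ALLOC_FAILED;
    enum name_status st = copy_name_checked(buf, sizeof buf, name);
    free(name);
    return st;
}

int main(void)
{
    printf("50000-byte name: %s\n", check_name_len(50000) == NAME_TOO_LONG ? "word too long" : "accepted");
    printf("8-byte name: %s\n", check_name_len(8) == NAME_OK ? "accepted" : "rejected");
    return 0;
}
```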
Comment 1 David Eisenstein 2006-02-07 07:19:55 EST
Thank you, Ivana, for the heads up on this issue!
Comment 2 Marc Deslauriers 2006-02-07 18:14:03 EST
*** Bug 180411 has been marked as a duplicate of this bug. ***
Comment 3 David Eisenstein 2006-02-07 23:10:55 EST
To have it handy, Michal Jaegerman wrote in the duplicate bug:

"Description of problem:

"Bug #178961 gives a description, with a simple test, of a bug which 
affects unzip.  It is filed only for FC but it affects really all releases.

"For FC3 binaries from FC4 updates work without any changes. Where unzip-
5.51 is used a patch from unzip-5.51-13.fc4.src.rpm can be applied 'as 
is'.  With unzip-5.50, like it shows up in RHL7.3, a patched src.rpm can
be found at:

  ftp://ftp.harddata.com/pub/Legacy_srpms/unzip-5.50-31.hd.src.rpm

or one can update to unzip-5.51 by recompiling update FC4 sources."

Thanks Michal!  :-)
Comment 4 Marc Deslauriers 2006-03-09 19:11:58 EST
Here are updated packages to QA:

http://www.infostrategique.com/linuxrpms/legacy/7.3/unzip-5.50-31.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/unzip-5.50-33.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/unzip-5.50-35.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/unzip-5.50-37.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/unzip-5.51-4.fc3.1.legacy.src.rpm

Comment 5 Pekka Savola 2006-03-10 02:31:20 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come or be rediffed from FC4
 
+PUBLISH RHL73, RHL9, FC1, FC2, FC3
Comment 6 Marc Deslauriers 2006-03-15 20:29:03 EST
Packages were pushed to updates-testing.
Comment 7 Tres Seaver 2006-03-15 23:53:53 EST
Packages tested:

  473bf802cf9257684f534cb99e7813e4257bf189  unzip-5.50-35.1.legacy.i386.rpm

  - SHA1 checksums and GPG signatures verified.

  - Package installed cleanly.

  - Tested unzip of sample zipfile before and after, with identical results.

+VERIFY FC1
Comment 8 Pekka Savola 2006-03-16 00:47:13 EST
Thanks!
Comment 9 Pekka Savola 2006-03-16 01:02:40 EST
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.  Unzip vulnerability fixed.
 
+VERIFY RHL9
Timeout shortened to one week.
Comment 10 Tom Yates 2006-03-23 05:46:58 EST
00b6b6b34e4229e9a2547418c83470752c9c9ff9  unzip-5.50-33.1.legacy.i386.rpm

installs fine.  created a test zipfile, unzip -t works, unzip -x works.

unzip `perl -e 'print "A" x 50000'` returns word too long (good) not segfault (bad).

+VERIFY RH9
Comment 11 Pekka Savola 2006-03-23 08:24:19 EST
Timeout over.
Comment 12 Marc Deslauriers 2006-04-04 20:26:48 EDT
Packages were released to updates.