Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

References:
https://bugzilla.suse.com/show_bug.cgi?id=1110194
https://sourceforge.net/p/infozip/bugs/53/
https://src.fedoraproject.org/rpms/unzip/blob/master/f/unzip-6.0-overflow-long-fsize.patch
This is not a new bug, and it shouldn't have got a CVE from 2018. The problem was reported back in 2014 via:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741384
http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=432 (no longer available)
https://seclists.org/oss-sec/2014/q4/503

For Red Hat and Fedora, this was handled via bug 1191136. The issue was not handled as a security flaw, as the overflow was caught by FORTIFY_SOURCE, reducing impact to crash, which is not too relevant for an unzip tool. The patch linked in comment 0 was added to Fedora packages at the time.

Note that the patch proposed in the SuSE bug (also linked in comment 0) also adds a sprintf -> snprintf change, which is a hardening, but does not fix any issue when a properly sized cfactorstr[] buffer is used.
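The following is an added illustration of the sizing problem described in comment 0 and the comment above; it is not code from UnZip, from list.c, or from any of the linked patches. It assumes only that the compression factor is kept in tenths of a percent and rendered as sign, integer part, '.', one digit and '%' (an assumed format shape, as in " 42.7%"); the helper names (cfactor_len, cfactor_bufsize, format_cfactor, cfactor_fits), the sample values and the 10-byte buffer case are constructed. It shows why a buffer sized for the expected range overflows once a crafted compressed/uncompressed size pair pushes the value to the int limits, how to derive the worst-case size instead of guessing it, and why the snprintf change is a hardening that only bounds the write and must be paired with a correctly sized buffer and a checked return value.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not UnZip code. A compression factor is held in
 * tenths of a percent and rendered as sign, integer part, '.', one
 * digit, '%' (assumed format shape, e.g. " 42.7%"). A buffer sized for
 * the "normal" range, such as "-999.9%", is too small once a crafted
 * compressed/uncompressed size pair drives the value to the int limits. */

/* Magnitude of a signed value without the INT_MIN negation overflow. */
static unsigned cfactor_mag(int tenths)
{
    return (tenths < 0) ? 0u - (unsigned)tenths : (unsigned)tenths;
}

/* Characters the format produces for a value, excluding the NUL.
 * snprintf with a NULL buffer and size 0 only measures; it writes nothing. */
static int cfactor_len(int tenths)
{
    unsigned mag = cfactor_mag(tenths);
    return snprintf(NULL, 0, "%c%u.%u%%", (tenths < 0) ? '-' : ' ',
                    mag / 10, mag % 10);
}

/* Smallest buffer (including NUL) that holds every possible int value:
 * the extremes INT_MIN and INT_MAX have the most digits. */
static size_t cfactor_bufsize(void)
{
    int a = cfactor_len(INT_MIN);
    int b = cfactor_len(INT_MAX);
    return (size_t)((a > b ? a : b) + 1);
}

/* Bounded formatter. Returns 0 on success; returns -1 and leaves a
 * NUL-terminated (truncated) string when the buffer is too small.
 * An unbounded sprintf has no bufsize and would write past the end. */
static int format_cfactor(char *buf, size_t bufsize, int tenths)
{
    unsigned mag = cfactor_mag(tenths);
    int n = snprintf(buf, bufsize, "%c%u.%u%%", (tenths < 0) ? '-' : ' ',
                     mag / 10, mag % 10);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return 0;
}

/* Does a buffer of bufsize bytes hold the rendering of tenths? (1 = yes) */
static int cfactor_fits(size_t bufsize, int tenths)
{
    char tmp[64];
    if (bufsize > sizeof tmp)
        bufsize = sizeof tmp;
    return format_cfactor(tmp, bufsize, tenths) == 0;
}

int main(void)
{
    /* Constructed sample values: the expected range plus the int extremes. */
    const int samples[] = { 0, 999, -999, INT_MAX, INT_MIN };
    size_t need = cfactor_bufsize();
    size_t i;

    printf("worst-case buffer: %zu bytes\n", need);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[64];
        int tenths = samples[i];
        int rc = format_cfactor(buf, 10, tenths);  /* the undersized 10-byte case */
        printf("%12d -> len %2d, fits in 10? %s", tenths, cfactor_len(tenths),
               rc == 0 ? "yes" : "no ");
        format_cfactor(buf, need, tenths);         /* correctly sized */
        printf("  [%s]\n", buf);
    }
    return 0;
}
```

The point of cfactor_bufsize() is that the safe size follows from the widest value the type can carry, not from the values a well-formed archive produces; with snprintf alone and a buffer that is still too short, the overflow becomes silent truncation, which is why the return value is checked rather than ignored.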
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2159 https://access.redhat.com/errata/RHSA-2019:2159
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18384