From unknown Sat Sep 13 09:36:03 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sat, 10 Feb 2018 18:58:01 +0000
Resent-Message-ID: <handler.30415.B.151828906328851@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 30415
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 30415@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.151828906328851
          (code B ref -1); Sat, 10 Feb 2018 18:58:01 +0000
Received: (at submit) by debbugs.gnu.org; 10 Feb 2018 18:57:43 +0000
Received: from localhost ([127.0.0.1]:37232 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ekaLH-0007VH-9K
	for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:43 -0500
Received: from eggs.gnu.org ([208.118.235.92]:38347)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ekaLF-0007Ur-19
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:41 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL9-0006lB-2c
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,TVD_SPACE_RATIO,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:56261)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL8-0006kx-VS
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57530)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL7-00007n-PS
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:34 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL4-0006fc-L8
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:33 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:58633)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL4-0006fE-GB
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:30 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 5B50020988;
 Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sat, 10 Feb 2018 13:57:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=6fjeu07qCfW8MP
 cFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=k3MHpP5xEZHTG5SZsmxQkmHFYW0Ceo
 /LmwctV2docQ/OsGEvpcbjls+rm8aW9AZz/Pa9iUNlBW+MkZp3U1Ry/HgMuA/qmY
 tfIVvkTHKdt5RgjuRCim6stREJp0WJVDyOn6xXZgU089sLm8L6LGGUZzEERA9rbl
 Vinvl9Oyjv0mw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=6fjeu07qCfW8MPcFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=lx+gbJx6
 orwgHCiX0hNc/vo6YuB1/BsA9u5t6msLYGc3mq4dvo1XCK/9MUbooHjl/i+NXY4I
 5ids2Mnh6fHHEsJYU+hXmEx9Z4BTvE3VWtZ1HkWqEARkxozGvRHzWvu6ruqsAzqM
 CzNpqbxmO/EnRhfsbidlb0JAsaH6yQ9qKECgkMUXnyGq75VL2f/SadY4hna9+5sg
 MXuhPvzQiP2NyYeH3I934D+kT6R1rVqN+pIzR/towh4+HfFhD4G9eBcXPqT1w41r
 yf3nFusNrGGEsL1epprOIPkruqaXJ+pBveDgdMdRAYoRPLz21AHVYsUIXu++Oc6h
 wyP+ib1oQM8csA==
X-ME-Sender: <xms:mUB_WqvMPTiV4S8Bz8uF-MwXMWJdWWi3HQ7D3nZbSyEC3O4tFzpyEQ>
Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id 0755524406
 for <bug-guix@gnu.org>; Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Date: Sat, 10 Feb 2018 13:57:28 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20180210185728.GA18894@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.9.3 (2018-01-21)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 and etc

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlp/QJgACgkQJkb6MLrK
fwj2HhAA3h7kwVqLcW41YuuDUhRXutWinK1nmPfgA7OZZic9CZXAK49sRcSHpao4
1lISdvIUqHeIG3dkSwN+WrEHd4O7dwK3c0B2AXXV/9UD2Z/vQMppTiUG2lyd4flb
mCf0mpaWfBz9ImmU6isVe7T87NNMw6Qppoak1RJ7c1EHri8jbu7DUyEs4g0ncoNr
Ed566eso5drfSqukNUj5INBIwkUKO6Q6X5KnkGFjORoCQSBurPsX043hVPCv+YiX
dZu83cTC/B+uuE/wxm7vwpiCx860mb6nY56UWQN/duAETnkyKf7YnTjnB50Ksk/2
yPeNviOn5KibqlmTfCeAjl8L4TOo2+SWO19yffC2fGmRWRAahqnyhFO4A3kTIo7k
sR5/+BcKtfRpAN+XV85gdqKvLXYGi3sfhH+/8IiKwSVPKdhfApVA55zqrVrxZhTE
nki7U6XDf9Ie9NV0Iszs5Rc7QUTbntniJNjQrSNrMUzbCQS7olo/TPz5/ACLurHE
ZeWxcb66jUJxq3/ADqiXJ+gIAk0yjHkuLa46s/ycVPTb4UpBtSiE8IbRKFEbtLmh
yn0zRm1MDxpsh9v4WshWgAUrE0DPZtigyB9aSd8zQnrINIi6DRdJDF99uk/mfkc1
3y3+v30NP9eQotPKM4uzH3rsAoG7jQu+y+xGfRirFvzywTKeoss=
=OhBJ
-----END PGP SIGNATURE-----

--tThc/1wpZn/ma/RB--




From unknown Sat Sep 13 09:36:03 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#30415: Unzip CVE-2018-1000031 and others
References: <20180210185728.GA18894@jasmine.lan>
In-Reply-To: <20180210185728.GA18894@jasmine.lan>
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sun, 11 Feb 2018 15:10:03 +0000
Resent-Message-ID: <handler.30415.B30415.15183617944718@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 30415
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 30415@debbugs.gnu.org
Received: via spool by 30415-submit@debbugs.gnu.org id=B30415.15183617944718
          (code B ref 30415); Sun, 11 Feb 2018 15:10:03 +0000
Received: (at 30415) by debbugs.gnu.org; 11 Feb 2018 15:09:54 +0000
Received: from localhost ([127.0.0.1]:38447 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ektGL-0001E1-T6
	for submit@debbugs.gnu.org; Sun, 11 Feb 2018 10:09:54 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:43551)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ektGJ-0001Ds-At
 for 30415@debbugs.gnu.org; Sun, 11 Feb 2018 10:09:52 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 442D620A08;
 Sun, 11 Feb 2018 10:09:51 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Sun, 11 Feb 2018 10:09:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=7O4gBD0W206WGn
 nUgE4yQnPw6LzoE08wBf7mBkTlamw=; b=DUznGRYZUlcnzlNrm9Fkuwl+NqjQ76
 njMYvR1Uzfmlze38fPehfw8NxtR7YFYHIPmUSWDaVXljruM87JlU9l2LpNWFlTJb
 REWgvZKT+jP6o7FVcXEg1YGAaIfyGUkv0Pc7vUjPjL37wMICGWxRt50QguFXJyot
 Q5FzVmB0sRiRA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=7O4gBD0W206WGnnUgE4yQnPw6LzoE08wBf7mBkTlamw=; b=GvapeyBS
 8RCYuuT89kpDLMq7HThIo4KRLOCkheugBRaSBHLcC3QJwNRlr5IuazLVW/OKe2LH
 pKdz6wpB8h7rbqbJuA7FusucNGU4gpoBNqx3tQSY9lAZwVTnNXsW3qyBDqkNeRl9
 fZCsGc/Za9H/YvFIm+A3lUfKvJQoOY/RlkQ+yUDdTNOvTvhJC7NsDOzzjTirmfPl
 yuwGu/GJykla1SE4ZnIkQFhzrEfLZZ5xz7fMGDV/n6F57zAWNGs/kiIvG2VQ4BNb
 WlI8sMuM2HQf8SowqLNdHILfL8g4L2hewzSUPGB3Bl4HKIE1sFTwesOBM15b0mO5
 dxdYidtKnatWDg==
X-ME-Sender: <xms:v1yAWpJoly9AlYwvVOjiQl6hoWeQfHX2V7zwQoUiaUJOThKhbFa4CQ>
Received: from localhost (unknown [172.58.200.6])
 by mail.messagingengine.com (Postfix) with ESMTPA id DFA887E3E0
 for <30415@debbugs.gnu.org>; Sun, 11 Feb 2018 10:09:50 -0500 (EST)
Date: Sun, 11 Feb 2018 10:09:49 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20180211150949.GA26281@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU"
Content-Disposition: inline
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--EeQfGwPcQSOJBaQU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The 3rd-party security advisory suggests that the bugs are fixed in
UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9 year old tarball on the
UnZip SourceForge page.

Any advice? I suppose we could keep the old UnZip package just to unpack
the new one.

--EeQfGwPcQSOJBaQU
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqAXL0ACgkQJkb6MLrK
fwi3vhAAuquQSjHgS8oAvRR9hBwBFYZ26IlxP8a2x4ctvvdehuQE+gWR8UQ9qYtM
azqikAT9w1w6ZxmsGJHpwR5VdyxbGIIuGLyDXFOZuZXaMpNUiZ7MpDB0RecLNjmn
vYI0fCAr9ppyqxI4o9DlN2MNLbiwivnRJfiypv+g+pvX+3JHkWKMNvtBKyX3D9tQ
lo6T7SBK7T2EWm0ayrVnAcCIY09+BtckTNdU+HnJBeOKX9b9ps96JI4x8OWHyn5c
l7j1hR9ZZyIlpzuufRPy4j3vkwCAyhNwceSdnVp3iEAxbw3Df+zSDM8ZAyHW/3ih
tWKdBPMZ4L9kNb/e4pynJY5KrXJgfzg/h4N5HWGDcdnvdQjX1FdndpoG/lMVPMCF
b1P75p3mImdBpmOBfeNRa5qiT2040CEhcoU7ucW3O/0b/O+fyp5HVDBjP2xt/7uM
z194i/KRwWiGgRVAFV3AZrlv7zIv6MWeDkFJyX77i3yCz8F5Eku9ixSEVnT2hWjo
5DZznX9X+mSPGVvMOMokRuYQSWd+YUwVBhEtcYyBEot21/J5mRU2yzEb1G4eewMH
fRwZMoRypM/EGihCkoi0jm9D5+BVjQRzU3hEb2seKHGoBqrp9LXFFb2vSSqpMb4x
0hJAtreMDakNb6typZB8iqGfAze8sdBveUQ8+Mr9q9z91utU0lU=
=N/VD
-----END PGP SIGNATURE-----

--EeQfGwPcQSOJBaQU--




From unknown Sat Sep 13 09:36:03 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sun, 11 Feb 2018 15:36:02 +0000
Resent-Message-ID: <handler.30415.B30415.15183633517031@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 30415
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 30415@debbugs.gnu.org
Received: via spool by 30415-submit@debbugs.gnu.org id=B30415.15183633517031
          (code B ref 30415); Sun, 11 Feb 2018 15:36:02 +0000
Received: (at 30415) by debbugs.gnu.org; 11 Feb 2018 15:35:51 +0000
Received: from localhost ([127.0.0.1]:38472 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ektfT-0001pL-Fw
	for submit@debbugs.gnu.org; Sun, 11 Feb 2018 10:35:51 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:54391)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ektfS-0001pC-7d
 for 30415@debbugs.gnu.org; Sun, 11 Feb 2018 10:35:50 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 06322208D8;
 Sun, 11 Feb 2018 10:35:50 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Sun, 11 Feb 2018 10:35:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=eP4gyecmvED+8jhbEMFmnmM/YtlN1vWyL+mXxKM2Fww=; b=pRBGh
 4rV9+Xgp+CFps4ta3piHWbWI+fPd4uPZYaqXpbEpRlo7+/pBq3n1kCfRv2Rx8lFf
 1ISdukWhPWyzITvygQrAyxuA62xNT8wahd43VPfiNbXodFbv0cosFiBj7sIfg730
 0AokDCWIoJOytoDCsJytvGd59NUQcXu/U2IwWw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=eP4gyecmvED+8jhbEMFmnmM/YtlN1
 vWyL+mXxKM2Fww=; b=CoBePYhd4Wl8/STMwtJEjJSaJ14dz4mDUpdi20LG9c5nM
 0YHkfYUQSnApYLtxar9c4TTKV0YLMqXG3SeHzVcy9XxH0Lju5XVaipKxheZjRRGp
 u+pUwy9H38G9sx/FZS/reEv824FftfsmJ3AbgD3sxnK7CPCfMHUUGvkRQlb/O5/V
 DJI/BAxMW+1B50jHSzBXBskS4GPXWPITlF0ivIG8mxG3QImj1WIz9o1gNktKuP5p
 0FOfQEu8LFX6QDK11qzppTHj9QndBfRQ1dHSAHrSdPTTvL7Q0CW84XunpBXiZSX3
 y46+TaX6nP8ZlhoGilxA60n/0s9cmACZcbOcnaqcQ==
X-ME-Sender: <xms:1WKAWvuRh5Qyk8HrSE4Q5sVTFZBS9DV4ZduWpLrReEd-G-pk1-5SIg>
Received: from localhost (unknown [172.58.200.6])
 by mail.messagingengine.com (Postfix) with ESMTPA id AA1DA7E070
 for <30415@debbugs.gnu.org>; Sun, 11 Feb 2018 10:35:49 -0500 (EST)
Date: Sun, 11 Feb 2018 10:35:48 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20180211153548.GA1853@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA"
Content-Disposition: inline
In-Reply-To: <20180210185728.GA18894@jasmine.lan>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
> CVE-2018-1000034, CVE-2018-1000035 in UnZip:
>=20
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-1000031 and etc

Okay, the advisory says that only CVE-2018-1000035 affects our UnZip 6.0
package; the other bugs were apparently introduced after that.

And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
more.

--W/nzBZO5zC0uMSeA
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqAYtQACgkQJkb6MLrK
fwijxg//YwThwn0uFnt+t4HW07l9R3HZ1Cx+vmM9Kb5a+n+dOt4TwlnRjeY/yll2
eaDIywFxDWtku55fhUReGS1RDQYOGFfUsDTCu5MFP24mcsiO3mle+sXdsbbSGZoT
tzCwXY3EuIYkI/2VMA+PSFngNngR+N9vd02YnRhjFZ7+JtioBaxXq7il7o0QwFZ8
Nufu8YmlQkc6vSKoQExb84eORDC2YDHP3iuOHfkiTIfVRaXI65l9picFjnjjQpPl
QDZeq4rJ/+3wRF4FlzC9a6D+kFF038suE5htCgpB7af99+AfiJujUqCOsV9kRc2s
sDYI3GfBlZHD5wFVdOuvezeps1rv+EvcXtuk50ryi8ZPtXoMbUKef+Zy7DVThvXj
cmQ3x2oH7zs4BYFDtCCbPYjvazKd6267Q8ZtqZkOw5pmVIkdzhusvXfDg7CHHwLm
XVZIOaX09mT5G+MDnV7t1moKlh773VFhsXDKPbu7i44j5/lyUa1Amxi9nkYaKacj
cEOAZeqxHLQeDlUMznjtm4ywMldd/YSliZFwx4miNr5aVcxJiho2X+D5Omm6BJr+
fQ0BAKtct8q7PKNFDVJK3vMZluSzvZT5O1hN7I8yF08u8rtZ0WiH9ceLZdb4QKr3
b7QNpc0mu5VEVDaeJgbwwa1q35e46jz4bgCBHXl5S55YrHojR7w=
=BorG
-----END PGP SIGNATURE-----

--W/nzBZO5zC0uMSeA--




From unknown Sat Sep 13 09:36:03 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Mon, 12 Feb 2018 18:59:02 +0000
Resent-Message-ID: <handler.30415.B30415.151846188623852@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 30415
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 30415@debbugs.gnu.org
Received: via spool by 30415-submit@debbugs.gnu.org id=B30415.151846188623852
          (code B ref 30415); Mon, 12 Feb 2018 18:59:02 +0000
Received: (at 30415) by debbugs.gnu.org; 12 Feb 2018 18:58:06 +0000
Received: from localhost ([127.0.0.1]:40015 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elJIk-0006Cd-9g
	for submit@debbugs.gnu.org; Mon, 12 Feb 2018 13:58:06 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43931)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1elJIi-0006CU-3T
 for 30415@debbugs.gnu.org; Mon, 12 Feb 2018 13:58:05 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8E38520BCD;
 Mon, 12 Feb 2018 13:58:03 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 12 Feb 2018 13:58:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=EhZOUIsKQqQrd2mN9TdbIXQrMUzZQWplhCIVJLiD3zM=; b=Nre5+
 fH1xARf4k952pqI4uo42tVssKpBpkNtoVQ7ZPLJkoBx03WpoC4qcpB5jSR+lbf1M
 mPcSYMnU4YG7PM3fSkUm5V2dQe67wnM6MWH4zfDdtLM7ak0nDyrTecaJijDmImbi
 UD3UrxFFuBQFiLkKxBlRxDpVzTT6Vo0W91og4k=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=EhZOUIsKQqQrd2mN9TdbIXQrMUzZQ
 WplhCIVJLiD3zM=; b=KdhahLmfiB6XideF3XB8cCKJNus9ddPM4oxZfuERKPyrc
 uZRNRoRJY6tmBtC3w9uBrVTIDDC2L74OSmpRkRTehA5gedoBRXHg7tEUTCViwU0X
 IlyeoI2yw2hps55GjJyDujudhcLt/4a/baNwUphuq8D7UhNFAkwZY4iS/hljEo8+
 IV+hgjdKkqsJ/7O3NirnPLbBiiSJ11ECffeG+tqXzA2B5QOjNybhgSN8TbW5GcQe
 Z8g5gGBVNP5Cpo5fVVaP6SR6Mh6ElHoRPhJbxQadaxIpe5ff/q+K2ZqSo5s8hLjP
 hSP9imhZCxKEgM/d+8DT5u1qazS+4AO2DK+xvbbpQ==
X-ME-Sender: <xms:u-OBWqmBECeYqghmjxJ3Xz-qnw1cyAKkC0oRhXbrLLAUZ83g1lBlDA>
Received: from localhost (unknown [172.56.34.105])
 by mail.messagingengine.com (Postfix) with ESMTPA id 15CB97E664
 for <30415@debbugs.gnu.org>; Mon, 12 Feb 2018 13:58:03 -0500 (EST)
Date: Mon, 12 Feb 2018 13:58:02 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20180212185802.GA30991@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="JP+T4n/bALQSJXh8"
Content-Disposition: inline
In-Reply-To: <20180211153548.GA1853@jasmine.lan>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--JP+T4n/bALQSJXh8
Content-Type: multipart/mixed; boundary="0OAP2g/MAC+5xKAE"
Content-Disposition: inline


--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote:
> And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
> more.

The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
to reduce the impact of the bug. The attached patch does that.

AFAICT, the proof-of-concept zip file is not published, and there is no
upstream patch.

--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="0001-gnu-unzip-Mitigate-CVE-2018-1000035.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 4e9eaa43e19ff8fe02c02589d0ea42b88ce67c87 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Mon, 12 Feb 2018 13:49:49 -0500
Subject: [PATCH] gnu: unzip: Mitigate CVE-2018-1000035.

* gnu/packages/compression.scm (unzip)[replacement]: New field.
(unzip/fixed): New variable.
---
 gnu/packages/compression.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 3a0e27945..9983ee129 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -5,7 +5,7 @@
 ;;; Copyright =C2=A9 2015 Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer <taylanba=
yirli@gmail.com>
 ;;; Copyright =C2=A9 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright =C2=A9 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright =C2=A9 2015, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright =C2=A9 2015, 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;; Copyright =C2=A9 2015 Jeff Mickey <j@codemac.net>
 ;;; Copyright =C2=A9 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.=
il>
 ;;; Copyright =C2=A9 2016 Ben Woodcroft <donttrustben@gmail.com>
@@ -1719,6 +1719,7 @@ Compression ratios of 2:1 to 3:1 are common for text =
files.")
 (define-public unzip
   (package (inherit zip)
     (name "unzip")
+    (replacement unzip/fixed)
     (version "6.0")
     (source
      (origin
@@ -1769,6 +1770,20 @@ recreates the stored directory structure by default.=
")
     (license (license:non-copyleft "file://LICENSE"
                                    "See LICENSE in the distribution."))))
=20
+(define unzip/fixed
+  (package/inherit unzip
+    (arguments
+      (substitute-keyword-arguments (package-arguments unzip)
+        ((#:phases phases)
+          `(modify-phases ,phases
+             (add-after 'unpack 'fortify
+               (lambda _
+                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overf=
low.
+                 ;; This environment variable is recommended in 'unix/Make=
file'
+                 ;; for passing flags to the C compiler.
+                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
+                 #t))))))))
+
 (define-public zziplib
   (package
     (name "zziplib")
--=20
2.16.1


--0OAP2g/MAC+5xKAE--

--JP+T4n/bALQSJXh8
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqB47kACgkQJkb6MLrK
fwgiWw/8DJ02xI3sqGYPx3qg6TiR2Vh23dK//cUGGWqnEnerhBTs4ZluZKjXxTxP
53U2TjMZHFTUS6Wyx8DcovGM7IH3VmgCYXuTCqvd16gDv4TfWqjlaPJBwlph6SIQ
0+e9BblHu5RTc7nsjS8a3LabJdN6RQMd3uUbdsMi5Q5YlLwzrZVyhJJblIk/8L1g
Yg9x7Az+oALLHVDEygqWQ8VuM3g6yYiJr7LTkm8DZC0RJcebI9SK2Zd3ZdajN0D5
utQIW8EqM1IOch+Rwx6WY07kYc/jKQQtU9IpU5ihbl6wFjHqNKsHdLy7YihXQbub
YGC9+CIZ76j6QpdeMbMcU+OQxF+3bWwCty0tdEyURvh8NmpcaC3x06SkPy4AdO5O
BgQfaduozL4BaRHfL2Om+fNBO+IeMDRCkiody8D3clPwrzsBlt4u2rTYUbVg9Wab
bEqDizRj0EJ+53UrmikHqt9fwcLNqEOt+kQpMl5UB9oZlR4oEQpirPvSFoQ4ZYUF
SRd6+LULfeRyAl7ygVx023hGppzA4BS+q2KpRacegB0B1E4pe1ASKU1sz+PVyGBY
rc5C55Ou4eu+4jvPYipfn+5aUtNgaQ9e1jTpLrmtmzPDXeWxkLg9gmKeJBemxwno
eTqKKuFTqeDxk++V8mSaB6CVtbf9MRHYgP28Yi62An1y/o634Yg=
=NlSW
-----END PGP SIGNATURE-----

--JP+T4n/bALQSJXh8--




From unknown Sat Sep 13 09:36:03 2025
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
X-Loop: help-debbugs@gnu.org
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo@famulari.name>
Subject: bug#30415: closed (Re: bug#30415: Unzip CVE-2018-1000031 and others)
Message-ID: <handler.30415.D30415.15185334985947.notifdone@debbugs.gnu.org>
References: <20180213145135.GB18012@jasmine.lan>
 <20180210185728.GA18894@jasmine.lan>
X-Gnu-PR-Message: they-closed 30415
X-Gnu-PR-Package: guix
Reply-To: 30415@debbugs.gnu.org
Date: Tue, 13 Feb 2018 14:52:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1518533521-5977-1"

This is a multi-part message in MIME format...

------------=_1518533521-5977-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your bug report

#30415: Unzip CVE-2018-1000031 and others

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30415@debbugs.gnu.org.

--=20
30415: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D30415
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1518533521-5977-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 30415-done) by debbugs.gnu.org; 13 Feb 2018 14:51:38 +0000
Received: from localhost ([127.0.0.1]:40710 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elbvm-0001Xr-FH
	for submit@debbugs.gnu.org; Tue, 13 Feb 2018 09:51:38 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:46689)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1elbvl-0001Xk-6d
 for 30415-done@debbugs.gnu.org; Tue, 13 Feb 2018 09:51:37 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id B00C222094;
 Tue, 13 Feb 2018 09:51:36 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Tue, 13 Feb 2018 09:51:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=MOvqXwq5oO+YLw3lxRDLoBlyBUhgryF+ZB1VRWFSwcs=; b=J4o7H
 673W7m0AULhJYGblCa5ByIli2zkzrxDc9dwgLVVOCx7ZuyHw213YtEILTHmTcHfU
 CuBsVg+MaQyB76EToz8SF8reakBp7GV29+IwPuQ8bNB5syFFVoQVvBC1YjjgDcuO
 G9EOtNpjg0aMAH9aqGPkpqGHAplsxK1scAGiLs=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=MOvqXwq5oO+YLw3lxRDLoBlyBUhgr
 yF+ZB1VRWFSwcs=; b=CBo5SKoK+m9FU98bgPapTxm/2ykVISH9Txt/qXI+OW24z
 KOpD1Dlund/p2p5dUj+eOwJDXci7kemrUe4XxDRBTrgUp2LH60qGxw7TKiJu37eN
 JB5ta71/BbK+255SLACjiDJ4frigDAjNJpVyAU4gJcSq9mu9Nw616GzHh4ydMVNj
 LugnFicx+JFwSEULsbESejio1Mg8xcTP2mUZdo4g0N5PHiBEwpw3JLGUfbKPfdqF
 zFu+1QYpBVI2FOPjCDXgv84RwDpaTPpSsZGu/IrhmV0i0TPxiIZfriaQy8z65yoi
 JyhYA49WgMgwJBIrcd/I+ty0UlkJal0wla0P1c6Cw==
X-ME-Sender: <xms:ePuCWoaK2fzgUnpKvb0gv6H7B4ax5sqizg6kMWlXxmj2HtnXRC9gyw>
Received: from localhost (ool-2f14bdb1.dyn.optonline.net [47.20.189.177])
 by mail.messagingengine.com (Postfix) with ESMTPA id 60B8E7E4A8;
 Tue, 13 Feb 2018 09:51:36 -0500 (EST)
Date: Tue, 13 Feb 2018 09:51:35 -0500
From: Leo Famulari <leo@famulari.name>
To: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Message-ID: <20180213145135.GB18012@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan>
 <20180212185802.GA30991@jasmine.lan> <87zi4djp1z.fsf@elephly.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="H1spWtNR+x+ondvy"
Content-Disposition: inline
In-Reply-To: <87zi4djp1z.fsf@elephly.net>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 30415-done
Cc: 30415-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--H1spWtNR+x+ondvy
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
>=20
> Hi Leo,
>=20
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> [=E2=80=A6]
> > +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer o=
verflow.
> > +                 ;; This environment variable is recommended in 'unix/=
Makefile'
> > +                 ;; for passing flags to the C compiler.
> > +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
> > +                 #t))))))))
>=20
> This looks good to me.  Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930

--H1spWtNR+x+ondvy
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqC+3cACgkQJkb6MLrK
fwh3Wg//R0fYSSN5wOoJZ+egel2y9bgbvMQ1Fp/oa8dozXxZhHnNsHNMLNsHNc6p
D2QNNeAt/HRJukt7VkignxWJyorYbL3cLtDwiZ4f1G709fAYDow3jIDvWdgoj4id
BLfENmq77pVHcs5QPeECqZWoNyJ4IPCQlbCK9GnMrnBQeKZAEltdCB4rH1dsmOlK
tAoyPnT7e8WeHjQTzs5DJWz+npr8NVxAjnSR9ZRX1jEe4wWGvCFtZ8pEHEgDuTlE
pBUeFi5LFBvnwndrU86AjTYJenV6FOkukdsrm2lFydINi7dnzw4Jn9G5WbQ0ObQR
hO7ZfSkNUtZ3reuZFYof53xx8XPbv7SJREVoa3pZbzr1XQVZl1OHVkbq6kxEhqIT
um7dhtsCHnVLdBoqBdnRW3HPLVKKEil89vkAkoUsuHaLRQBtBiR4VD/Qis58xmeC
AKKo11wtn/yp+B47NqX4ww8P1GCHGYTej42erwHPeXV82X8H0UN+j6oaAe3asctA
62wmZjMr6yafRcHecZPtvdhFFgECMQhxjFsYBGDDD8/+j4L4Z2/2uGC2rFjpqV75
Dii91qLHuyoP+zw1s+EEbTHOjwFICcW2rtdSiEHj7xMFaFQ9WgOIdMflWRsBLoRK
afntTuJLuEB3uf2Oq0FHtBZXLgm+adIAwHYOef5c7xcuHydhBcU=
=h5Yt
-----END PGP SIGNATURE-----

--H1spWtNR+x+ondvy--


------------=_1518533521-5977-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by debbugs.gnu.org; 10 Feb 2018 18:57:43 +0000
Received: from localhost ([127.0.0.1]:37232 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ekaLH-0007VH-9K
	for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:43 -0500
Received: from eggs.gnu.org ([208.118.235.92]:38347)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ekaLF-0007Ur-19
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:41 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL9-0006lB-2c
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,TVD_SPACE_RATIO,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:56261)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL8-0006kx-VS
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57530)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL7-00007n-PS
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:34 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL4-0006fc-L8
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:33 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:58633)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL4-0006fE-GB
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:30 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 5B50020988;
 Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sat, 10 Feb 2018 13:57:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=6fjeu07qCfW8MP
 cFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=k3MHpP5xEZHTG5SZsmxQkmHFYW0Ceo
 /LmwctV2docQ/OsGEvpcbjls+rm8aW9AZz/Pa9iUNlBW+MkZp3U1Ry/HgMuA/qmY
 tfIVvkTHKdt5RgjuRCim6stREJp0WJVDyOn6xXZgU089sLm8L6LGGUZzEERA9rbl
 Vinvl9Oyjv0mw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=6fjeu07qCfW8MPcFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=lx+gbJx6
 orwgHCiX0hNc/vo6YuB1/BsA9u5t6msLYGc3mq4dvo1XCK/9MUbooHjl/i+NXY4I
 5ids2Mnh6fHHEsJYU+hXmEx9Z4BTvE3VWtZ1HkWqEARkxozGvRHzWvu6ruqsAzqM
 CzNpqbxmO/EnRhfsbidlb0JAsaH6yQ9qKECgkMUXnyGq75VL2f/SadY4hna9+5sg
 MXuhPvzQiP2NyYeH3I934D+kT6R1rVqN+pIzR/towh4+HfFhD4G9eBcXPqT1w41r
 yf3nFusNrGGEsL1epprOIPkruqaXJ+pBveDgdMdRAYoRPLz21AHVYsUIXu++Oc6h
 wyP+ib1oQM8csA==
X-ME-Sender: <xms:mUB_WqvMPTiV4S8Bz8uF-MwXMWJdWWi3HQ7D3nZbSyEC3O4tFzpyEQ>
Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id 0755524406
 for <bug-guix@gnu.org>; Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Date: Sat, 10 Feb 2018 13:57:28 -0500
From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: Unzip CVE-2018-1000031 and others
Message-ID: <20180210185728.GA18894@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.9.3 (2018-01-21)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 and etc

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlp/QJgACgkQJkb6MLrK
fwj2HhAA3h7kwVqLcW41YuuDUhRXutWinK1nmPfgA7OZZic9CZXAK49sRcSHpao4
1lISdvIUqHeIG3dkSwN+WrEHd4O7dwK3c0B2AXXV/9UD2Z/vQMppTiUG2lyd4flb
mCf0mpaWfBz9ImmU6isVe7T87NNMw6Qppoak1RJ7c1EHri8jbu7DUyEs4g0ncoNr
Ed566eso5drfSqukNUj5INBIwkUKO6Q6X5KnkGFjORoCQSBurPsX043hVPCv+YiX
dZu83cTC/B+uuE/wxm7vwpiCx860mb6nY56UWQN/duAETnkyKf7YnTjnB50Ksk/2
yPeNviOn5KibqlmTfCeAjl8L4TOo2+SWO19yffC2fGmRWRAahqnyhFO4A3kTIo7k
sR5/+BcKtfRpAN+XV85gdqKvLXYGi3sfhH+/8IiKwSVPKdhfApVA55zqrVrxZhTE
nki7U6XDf9Ie9NV0Iszs5Rc7QUTbntniJNjQrSNrMUzbCQS7olo/TPz5/ACLurHE
ZeWxcb66jUJxq3/ADqiXJ+gIAk0yjHkuLa46s/ycVPTb4UpBtSiE8IbRKFEbtLmh
yn0zRm1MDxpsh9v4WshWgAUrE0DPZtigyB9aSd8zQnrINIi6DRdJDF99uk/mfkc1
3y3+v30NP9eQotPKM4uzH3rsAoG7jQu+y+xGfRirFvzywTKeoss=
=OhBJ
-----END PGP SIGNATURE-----

--tThc/1wpZn/ma/RB--



------------=_1518533521-5977-1--


From unknown Sat Sep 13 09:36:03 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Resent-From: Ricardo Wurmus <rekado@elephly.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Wed, 14 Feb 2018 11:49:02 +0000
Resent-Message-ID: <handler.30415.B30415.15186089322787@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 30415
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Leo Famulari <leo@famulari.name>
Cc: 30415@debbugs.gnu.org
Received: via spool by 30415-submit@debbugs.gnu.org id=B30415.15186089322787
          (code B ref 30415); Wed, 14 Feb 2018 11:49:02 +0000
Received: (at 30415) by debbugs.gnu.org; 14 Feb 2018 11:48:52 +0000
Received: from localhost ([127.0.0.1]:42190 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elvYR-0000it-TB
	for submit@debbugs.gnu.org; Wed, 14 Feb 2018 06:48:52 -0500
Received: from sender-of-o51.zoho.com ([135.84.80.216]:21071)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@elephly.net>) id 1elvYQ-0000ik-Ln
 for 30415@debbugs.gnu.org; Wed, 14 Feb 2018 06:48:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1518508907; 
 s=zoho; d=elephly.net; i=rekado@elephly.net;
 h=References:From:To:Cc:Subject:In-reply-to:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
 l=555; bh=NfWrLB7PUT/96tofx29ctuhzoUemibuWljR07xsIw+Y=;
 b=YXoEWjL4iE+RAG9zntKbsceb20yddjAcynf2bnL76Wm4Itl7pJpq47HDdMsup0I4
 kW/9lkxd+A9wKBEu0QyW5jsUTt7VzwOEtBeinvLle6qJq5kmA5BaGtPfrGtkIFLr0aK
 Vg64GYLwECB2CWq0kYyFpjxemLeoBJC9D9VwyGa0=
Received: from localhost (port-92-200-0-86.dynamic.qsc.de [92.200.0.86]) by
 mx.zohomail.com with SMTPS id 1518508907468243.0062058158161;
 Tue, 13 Feb 2018 00:01:47 -0800 (PST)
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan> <20180212185802.GA30991@jasmine.lan>
User-agent: mu4e 0.9.18; emacs 25.3.1
From: Ricardo Wurmus <rekado@elephly.net>
In-reply-to: <20180212185802.GA30991@jasmine.lan>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Tue, 13 Feb 2018 09:01:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <87zi4djp1z.fsf@elephly.net>
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.
[=E2=80=A6]
> +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer ove=
rflow.
> +                 ;; This environment variable is recommended in 'unix/Ma=
kefile'
> +                 ;; for passing flags to the C compiler.
> +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
> +                 #t))))))))

This looks good to me.  Thank you!

--=20
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net