From unknown Sat Sep 13 09:36:04 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#30415 <30415@debbugs.gnu.org>
To: bug#30415 <30415@debbugs.gnu.org>
Subject: Status: Unzip CVE-2018-1000031 and others
Reply-To: bug#30415 <30415@debbugs.gnu.org>
Date: Sat, 13 Sep 2025 16:36:04 +0000

retitle 30415 Unzip CVE-2018-1000031 and others
reassign 30415 guix
submitter 30415 Leo Famulari <leo@famulari.name>
severity 30415 normal

thanks


From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 10 13:57:43 2018
Received: (at submit) by debbugs.gnu.org; 10 Feb 2018 18:57:43 +0000
Received: from localhost ([127.0.0.1]:37232 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ekaLH-0007VH-9K
	for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:43 -0500
Received: from eggs.gnu.org ([208.118.235.92]:38347)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ekaLF-0007Ur-19
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:41 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL9-0006lB-2c
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,TVD_SPACE_RATIO,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:56261)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL8-0006kx-VS
 for submit@debbugs.gnu.org; Sat, 10 Feb 2018 13:57:35 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57530)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL7-00007n-PS
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:34 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1ekaL4-0006fc-L8
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:33 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:58633)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1ekaL4-0006fE-GB
 for bug-guix@gnu.org; Sat, 10 Feb 2018 13:57:30 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 5B50020988;
 Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sat, 10 Feb 2018 13:57:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=6fjeu07qCfW8MP
 cFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=k3MHpP5xEZHTG5SZsmxQkmHFYW0Ceo
 /LmwctV2docQ/OsGEvpcbjls+rm8aW9AZz/Pa9iUNlBW+MkZp3U1Ry/HgMuA/qmY
 tfIVvkTHKdt5RgjuRCim6stREJp0WJVDyOn6xXZgU089sLm8L6LGGUZzEERA9rbl
 Vinvl9Oyjv0mw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=6fjeu07qCfW8MPcFkpcrfDn1eHRDWFU1rs0twDlVaa4=; b=lx+gbJx6
 orwgHCiX0hNc/vo6YuB1/BsA9u5t6msLYGc3mq4dvo1XCK/9MUbooHjl/i+NXY4I
 5ids2Mnh6fHHEsJYU+hXmEx9Z4BTvE3VWtZ1HkWqEARkxozGvRHzWvu6ruqsAzqM
 CzNpqbxmO/EnRhfsbidlb0JAsaH6yQ9qKECgkMUXnyGq75VL2f/SadY4hna9+5sg
 MXuhPvzQiP2NyYeH3I934D+kT6R1rVqN+pIzR/towh4+HfFhD4G9eBcXPqT1w41r
 yf3nFusNrGGEsL1epprOIPkruqaXJ+pBveDgdMdRAYoRPLz21AHVYsUIXu++Oc6h
 wyP+ib1oQM8csA==
X-ME-Sender: <xms:mUB_WqvMPTiV4S8Bz8uF-MwXMWJdWWi3HQ7D3nZbSyEC3O4tFzpyEQ>
Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id 0755524406
 for <bug-guix@gnu.org>; Sat, 10 Feb 2018 13:57:29 -0500 (EST)
Date: Sat, 10 Feb 2018 13:57:28 -0500
From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: Unzip CVE-2018-1000031 and others
Message-ID: <20180210185728.GA18894@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.9.3 (2018-01-21)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 and etc

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlp/QJgACgkQJkb6MLrK
fwj2HhAA3h7kwVqLcW41YuuDUhRXutWinK1nmPfgA7OZZic9CZXAK49sRcSHpao4
1lISdvIUqHeIG3dkSwN+WrEHd4O7dwK3c0B2AXXV/9UD2Z/vQMppTiUG2lyd4flb
mCf0mpaWfBz9ImmU6isVe7T87NNMw6Qppoak1RJ7c1EHri8jbu7DUyEs4g0ncoNr
Ed566eso5drfSqukNUj5INBIwkUKO6Q6X5KnkGFjORoCQSBurPsX043hVPCv+YiX
dZu83cTC/B+uuE/wxm7vwpiCx860mb6nY56UWQN/duAETnkyKf7YnTjnB50Ksk/2
yPeNviOn5KibqlmTfCeAjl8L4TOo2+SWO19yffC2fGmRWRAahqnyhFO4A3kTIo7k
sR5/+BcKtfRpAN+XV85gdqKvLXYGi3sfhH+/8IiKwSVPKdhfApVA55zqrVrxZhTE
nki7U6XDf9Ie9NV0Iszs5Rc7QUTbntniJNjQrSNrMUzbCQS7olo/TPz5/ACLurHE
ZeWxcb66jUJxq3/ADqiXJ+gIAk0yjHkuLa46s/ycVPTb4UpBtSiE8IbRKFEbtLmh
yn0zRm1MDxpsh9v4WshWgAUrE0DPZtigyB9aSd8zQnrINIi6DRdJDF99uk/mfkc1
3y3+v30NP9eQotPKM4uzH3rsAoG7jQu+y+xGfRirFvzywTKeoss=
=OhBJ
-----END PGP SIGNATURE-----

--tThc/1wpZn/ma/RB--




From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 11 10:09:54 2018
Received: (at 30415) by debbugs.gnu.org; 11 Feb 2018 15:09:54 +0000
Received: from localhost ([127.0.0.1]:38447 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ektGL-0001E1-T6
	for submit@debbugs.gnu.org; Sun, 11 Feb 2018 10:09:54 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:43551)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ektGJ-0001Ds-At
 for 30415@debbugs.gnu.org; Sun, 11 Feb 2018 10:09:52 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 442D620A08;
 Sun, 11 Feb 2018 10:09:51 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Sun, 11 Feb 2018 10:09:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=7O4gBD0W206WGn
 nUgE4yQnPw6LzoE08wBf7mBkTlamw=; b=DUznGRYZUlcnzlNrm9Fkuwl+NqjQ76
 njMYvR1Uzfmlze38fPehfw8NxtR7YFYHIPmUSWDaVXljruM87JlU9l2LpNWFlTJb
 REWgvZKT+jP6o7FVcXEg1YGAaIfyGUkv0Pc7vUjPjL37wMICGWxRt50QguFXJyot
 Q5FzVmB0sRiRA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=7O4gBD0W206WGnnUgE4yQnPw6LzoE08wBf7mBkTlamw=; b=GvapeyBS
 8RCYuuT89kpDLMq7HThIo4KRLOCkheugBRaSBHLcC3QJwNRlr5IuazLVW/OKe2LH
 pKdz6wpB8h7rbqbJuA7FusucNGU4gpoBNqx3tQSY9lAZwVTnNXsW3qyBDqkNeRl9
 fZCsGc/Za9H/YvFIm+A3lUfKvJQoOY/RlkQ+yUDdTNOvTvhJC7NsDOzzjTirmfPl
 yuwGu/GJykla1SE4ZnIkQFhzrEfLZZ5xz7fMGDV/n6F57zAWNGs/kiIvG2VQ4BNb
 WlI8sMuM2HQf8SowqLNdHILfL8g4L2hewzSUPGB3Bl4HKIE1sFTwesOBM15b0mO5
 dxdYidtKnatWDg==
X-ME-Sender: <xms:v1yAWpJoly9AlYwvVOjiQl6hoWeQfHX2V7zwQoUiaUJOThKhbFa4CQ>
Received: from localhost (unknown [172.58.200.6])
 by mail.messagingengine.com (Postfix) with ESMTPA id DFA887E3E0
 for <30415@debbugs.gnu.org>; Sun, 11 Feb 2018 10:09:50 -0500 (EST)
Date: Sun, 11 Feb 2018 10:09:49 -0500
From: Leo Famulari <leo@famulari.name>
To: 30415@debbugs.gnu.org
Subject: RE: Unzip CVE-2018-1000031 and others
Message-ID: <20180211150949.GA26281@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU"
Content-Disposition: inline
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 30415
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--EeQfGwPcQSOJBaQU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The 3rd-party security advisory suggests that the bugs are fixed in
UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9 year old tarball on the
UnZip SourceForge page.

Any advice? I suppose we could keep the old UnZip package just to unpack
the new one.

--EeQfGwPcQSOJBaQU
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqAXL0ACgkQJkb6MLrK
fwi3vhAAuquQSjHgS8oAvRR9hBwBFYZ26IlxP8a2x4ctvvdehuQE+gWR8UQ9qYtM
azqikAT9w1w6ZxmsGJHpwR5VdyxbGIIuGLyDXFOZuZXaMpNUiZ7MpDB0RecLNjmn
vYI0fCAr9ppyqxI4o9DlN2MNLbiwivnRJfiypv+g+pvX+3JHkWKMNvtBKyX3D9tQ
lo6T7SBK7T2EWm0ayrVnAcCIY09+BtckTNdU+HnJBeOKX9b9ps96JI4x8OWHyn5c
l7j1hR9ZZyIlpzuufRPy4j3vkwCAyhNwceSdnVp3iEAxbw3Df+zSDM8ZAyHW/3ih
tWKdBPMZ4L9kNb/e4pynJY5KrXJgfzg/h4N5HWGDcdnvdQjX1FdndpoG/lMVPMCF
b1P75p3mImdBpmOBfeNRa5qiT2040CEhcoU7ucW3O/0b/O+fyp5HVDBjP2xt/7uM
z194i/KRwWiGgRVAFV3AZrlv7zIv6MWeDkFJyX77i3yCz8F5Eku9ixSEVnT2hWjo
5DZznX9X+mSPGVvMOMokRuYQSWd+YUwVBhEtcYyBEot21/J5mRU2yzEb1G4eewMH
fRwZMoRypM/EGihCkoi0jm9D5+BVjQRzU3hEb2seKHGoBqrp9LXFFb2vSSqpMb4x
0hJAtreMDakNb6typZB8iqGfAze8sdBveUQ8+Mr9q9z91utU0lU=
=N/VD
-----END PGP SIGNATURE-----

--EeQfGwPcQSOJBaQU--




From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 11 10:35:51 2018
Received: (at 30415) by debbugs.gnu.org; 11 Feb 2018 15:35:51 +0000
Received: from localhost ([127.0.0.1]:38472 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ektfT-0001pL-Fw
	for submit@debbugs.gnu.org; Sun, 11 Feb 2018 10:35:51 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:54391)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1ektfS-0001pC-7d
 for 30415@debbugs.gnu.org; Sun, 11 Feb 2018 10:35:50 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 06322208D8;
 Sun, 11 Feb 2018 10:35:50 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Sun, 11 Feb 2018 10:35:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=eP4gyecmvED+8jhbEMFmnmM/YtlN1vWyL+mXxKM2Fww=; b=pRBGh
 4rV9+Xgp+CFps4ta3piHWbWI+fPd4uPZYaqXpbEpRlo7+/pBq3n1kCfRv2Rx8lFf
 1ISdukWhPWyzITvygQrAyxuA62xNT8wahd43VPfiNbXodFbv0cosFiBj7sIfg730
 0AokDCWIoJOytoDCsJytvGd59NUQcXu/U2IwWw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=eP4gyecmvED+8jhbEMFmnmM/YtlN1
 vWyL+mXxKM2Fww=; b=CoBePYhd4Wl8/STMwtJEjJSaJ14dz4mDUpdi20LG9c5nM
 0YHkfYUQSnApYLtxar9c4TTKV0YLMqXG3SeHzVcy9XxH0Lju5XVaipKxheZjRRGp
 u+pUwy9H38G9sx/FZS/reEv824FftfsmJ3AbgD3sxnK7CPCfMHUUGvkRQlb/O5/V
 DJI/BAxMW+1B50jHSzBXBskS4GPXWPITlF0ivIG8mxG3QImj1WIz9o1gNktKuP5p
 0FOfQEu8LFX6QDK11qzppTHj9QndBfRQ1dHSAHrSdPTTvL7Q0CW84XunpBXiZSX3
 y46+TaX6nP8ZlhoGilxA60n/0s9cmACZcbOcnaqcQ==
X-ME-Sender: <xms:1WKAWvuRh5Qyk8HrSE4Q5sVTFZBS9DV4ZduWpLrReEd-G-pk1-5SIg>
Received: from localhost (unknown [172.58.200.6])
 by mail.messagingengine.com (Postfix) with ESMTPA id AA1DA7E070
 for <30415@debbugs.gnu.org>; Sun, 11 Feb 2018 10:35:49 -0500 (EST)
Date: Sun, 11 Feb 2018 10:35:48 -0500
From: Leo Famulari <leo@famulari.name>
To: 30415@debbugs.gnu.org
Subject: Re: Unzip CVE-2018-1000031 and others
Message-ID: <20180211153548.GA1853@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA"
Content-Disposition: inline
In-Reply-To: <20180210185728.GA18894@jasmine.lan>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 30415
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
> CVE-2018-1000034, CVE-2018-1000035 in UnZip:
>=20
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-1000031 and etc

Okay, the advisory says that only CVE-2018-1000035 affects our UnZip 6.0
package; the other bugs were apparently introduced after that.

And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
more.

--W/nzBZO5zC0uMSeA
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqAYtQACgkQJkb6MLrK
fwijxg//YwThwn0uFnt+t4HW07l9R3HZ1Cx+vmM9Kb5a+n+dOt4TwlnRjeY/yll2
eaDIywFxDWtku55fhUReGS1RDQYOGFfUsDTCu5MFP24mcsiO3mle+sXdsbbSGZoT
tzCwXY3EuIYkI/2VMA+PSFngNngR+N9vd02YnRhjFZ7+JtioBaxXq7il7o0QwFZ8
Nufu8YmlQkc6vSKoQExb84eORDC2YDHP3iuOHfkiTIfVRaXI65l9picFjnjjQpPl
QDZeq4rJ/+3wRF4FlzC9a6D+kFF038suE5htCgpB7af99+AfiJujUqCOsV9kRc2s
sDYI3GfBlZHD5wFVdOuvezeps1rv+EvcXtuk50ryi8ZPtXoMbUKef+Zy7DVThvXj
cmQ3x2oH7zs4BYFDtCCbPYjvazKd6267Q8ZtqZkOw5pmVIkdzhusvXfDg7CHHwLm
XVZIOaX09mT5G+MDnV7t1moKlh773VFhsXDKPbu7i44j5/lyUa1Amxi9nkYaKacj
cEOAZeqxHLQeDlUMznjtm4ywMldd/YSliZFwx4miNr5aVcxJiho2X+D5Omm6BJr+
fQ0BAKtct8q7PKNFDVJK3vMZluSzvZT5O1hN7I8yF08u8rtZ0WiH9ceLZdb4QKr3
b7QNpc0mu5VEVDaeJgbwwa1q35e46jz4bgCBHXl5S55YrHojR7w=
=BorG
-----END PGP SIGNATURE-----

--W/nzBZO5zC0uMSeA--




From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 12 13:58:06 2018
Received: (at 30415) by debbugs.gnu.org; 12 Feb 2018 18:58:06 +0000
Received: from localhost ([127.0.0.1]:40015 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elJIk-0006Cd-9g
	for submit@debbugs.gnu.org; Mon, 12 Feb 2018 13:58:06 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43931)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1elJIi-0006CU-3T
 for 30415@debbugs.gnu.org; Mon, 12 Feb 2018 13:58:05 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8E38520BCD;
 Mon, 12 Feb 2018 13:58:03 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 12 Feb 2018 13:58:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=EhZOUIsKQqQrd2mN9TdbIXQrMUzZQWplhCIVJLiD3zM=; b=Nre5+
 fH1xARf4k952pqI4uo42tVssKpBpkNtoVQ7ZPLJkoBx03WpoC4qcpB5jSR+lbf1M
 mPcSYMnU4YG7PM3fSkUm5V2dQe67wnM6MWH4zfDdtLM7ak0nDyrTecaJijDmImbi
 UD3UrxFFuBQFiLkKxBlRxDpVzTT6Vo0W91og4k=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=EhZOUIsKQqQrd2mN9TdbIXQrMUzZQ
 WplhCIVJLiD3zM=; b=KdhahLmfiB6XideF3XB8cCKJNus9ddPM4oxZfuERKPyrc
 uZRNRoRJY6tmBtC3w9uBrVTIDDC2L74OSmpRkRTehA5gedoBRXHg7tEUTCViwU0X
 IlyeoI2yw2hps55GjJyDujudhcLt/4a/baNwUphuq8D7UhNFAkwZY4iS/hljEo8+
 IV+hgjdKkqsJ/7O3NirnPLbBiiSJ11ECffeG+tqXzA2B5QOjNybhgSN8TbW5GcQe
 Z8g5gGBVNP5Cpo5fVVaP6SR6Mh6ElHoRPhJbxQadaxIpe5ff/q+K2ZqSo5s8hLjP
 hSP9imhZCxKEgM/d+8DT5u1qazS+4AO2DK+xvbbpQ==
X-ME-Sender: <xms:u-OBWqmBECeYqghmjxJ3Xz-qnw1cyAKkC0oRhXbrLLAUZ83g1lBlDA>
Received: from localhost (unknown [172.56.34.105])
 by mail.messagingengine.com (Postfix) with ESMTPA id 15CB97E664
 for <30415@debbugs.gnu.org>; Mon, 12 Feb 2018 13:58:03 -0500 (EST)
Date: Mon, 12 Feb 2018 13:58:02 -0500
From: Leo Famulari <leo@famulari.name>
To: 30415@debbugs.gnu.org
Subject: Re: Unzip CVE-2018-1000031 and others
Message-ID: <20180212185802.GA30991@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="JP+T4n/bALQSJXh8"
Content-Disposition: inline
In-Reply-To: <20180211153548.GA1853@jasmine.lan>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 30415
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--JP+T4n/bALQSJXh8
Content-Type: multipart/mixed; boundary="0OAP2g/MAC+5xKAE"
Content-Disposition: inline


--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote:
> And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
> more.

The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
to reduce the impact of the bug. The attached patch does that.

AFAICT, the proof-of-concept zip file is not published, and there is no
upstream patch.

--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="0001-gnu-unzip-Mitigate-CVE-2018-1000035.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 4e9eaa43e19ff8fe02c02589d0ea42b88ce67c87 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Mon, 12 Feb 2018 13:49:49 -0500
Subject: [PATCH] gnu: unzip: Mitigate CVE-2018-1000035.

* gnu/packages/compression.scm (unzip)[replacement]: New field.
(unzip/fixed): New variable.
---
 gnu/packages/compression.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 3a0e27945..9983ee129 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -5,7 +5,7 @@
 ;;; Copyright =C2=A9 2015 Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer <taylanba=
yirli@gmail.com>
 ;;; Copyright =C2=A9 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright =C2=A9 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright =C2=A9 2015, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright =C2=A9 2015, 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;; Copyright =C2=A9 2015 Jeff Mickey <j@codemac.net>
 ;;; Copyright =C2=A9 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.=
il>
 ;;; Copyright =C2=A9 2016 Ben Woodcroft <donttrustben@gmail.com>
@@ -1719,6 +1719,7 @@ Compression ratios of 2:1 to 3:1 are common for text =
files.")
 (define-public unzip
   (package (inherit zip)
     (name "unzip")
+    (replacement unzip/fixed)
     (version "6.0")
     (source
      (origin
@@ -1769,6 +1770,20 @@ recreates the stored directory structure by default.=
")
     (license (license:non-copyleft "file://LICENSE"
                                    "See LICENSE in the distribution."))))
=20
+(define unzip/fixed
+  (package/inherit unzip
+    (arguments
+      (substitute-keyword-arguments (package-arguments unzip)
+        ((#:phases phases)
+          `(modify-phases ,phases
+             (add-after 'unpack 'fortify
+               (lambda _
+                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overf=
low.
+                 ;; This environment variable is recommended in 'unix/Make=
file'
+                 ;; for passing flags to the C compiler.
+                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
+                 #t))))))))
+
 (define-public zziplib
   (package
     (name "zziplib")
--=20
2.16.1


--0OAP2g/MAC+5xKAE--

--JP+T4n/bALQSJXh8
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqB47kACgkQJkb6MLrK
fwgiWw/8DJ02xI3sqGYPx3qg6TiR2Vh23dK//cUGGWqnEnerhBTs4ZluZKjXxTxP
53U2TjMZHFTUS6Wyx8DcovGM7IH3VmgCYXuTCqvd16gDv4TfWqjlaPJBwlph6SIQ
0+e9BblHu5RTc7nsjS8a3LabJdN6RQMd3uUbdsMi5Q5YlLwzrZVyhJJblIk/8L1g
Yg9x7Az+oALLHVDEygqWQ8VuM3g6yYiJr7LTkm8DZC0RJcebI9SK2Zd3ZdajN0D5
utQIW8EqM1IOch+Rwx6WY07kYc/jKQQtU9IpU5ihbl6wFjHqNKsHdLy7YihXQbub
YGC9+CIZ76j6QpdeMbMcU+OQxF+3bWwCty0tdEyURvh8NmpcaC3x06SkPy4AdO5O
BgQfaduozL4BaRHfL2Om+fNBO+IeMDRCkiody8D3clPwrzsBlt4u2rTYUbVg9Wab
bEqDizRj0EJ+53UrmikHqt9fwcLNqEOt+kQpMl5UB9oZlR4oEQpirPvSFoQ4ZYUF
SRd6+LULfeRyAl7ygVx023hGppzA4BS+q2KpRacegB0B1E4pe1ASKU1sz+PVyGBY
rc5C55Ou4eu+4jvPYipfn+5aUtNgaQ9e1jTpLrmtmzPDXeWxkLg9gmKeJBemxwno
eTqKKuFTqeDxk++V8mSaB6CVtbf9MRHYgP28Yi62An1y/o634Yg=
=NlSW
-----END PGP SIGNATURE-----

--JP+T4n/bALQSJXh8--




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 13 09:51:38 2018
Received: (at 30415-done) by debbugs.gnu.org; 13 Feb 2018 14:51:38 +0000
Received: from localhost ([127.0.0.1]:40710 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elbvm-0001Xr-FH
	for submit@debbugs.gnu.org; Tue, 13 Feb 2018 09:51:38 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:46689)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1elbvl-0001Xk-6d
 for 30415-done@debbugs.gnu.org; Tue, 13 Feb 2018 09:51:37 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id B00C222094;
 Tue, 13 Feb 2018 09:51:36 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Tue, 13 Feb 2018 09:51:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 mesmtp; bh=MOvqXwq5oO+YLw3lxRDLoBlyBUhgryF+ZB1VRWFSwcs=; b=J4o7H
 673W7m0AULhJYGblCa5ByIli2zkzrxDc9dwgLVVOCx7ZuyHw213YtEILTHmTcHfU
 CuBsVg+MaQyB76EToz8SF8reakBp7GV29+IwPuQ8bNB5syFFVoQVvBC1YjjgDcuO
 G9EOtNpjg0aMAH9aqGPkpqGHAplsxK1scAGiLs=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=MOvqXwq5oO+YLw3lxRDLoBlyBUhgr
 yF+ZB1VRWFSwcs=; b=CBo5SKoK+m9FU98bgPapTxm/2ykVISH9Txt/qXI+OW24z
 KOpD1Dlund/p2p5dUj+eOwJDXci7kemrUe4XxDRBTrgUp2LH60qGxw7TKiJu37eN
 JB5ta71/BbK+255SLACjiDJ4frigDAjNJpVyAU4gJcSq9mu9Nw616GzHh4ydMVNj
 LugnFicx+JFwSEULsbESejio1Mg8xcTP2mUZdo4g0N5PHiBEwpw3JLGUfbKPfdqF
 zFu+1QYpBVI2FOPjCDXgv84RwDpaTPpSsZGu/IrhmV0i0TPxiIZfriaQy8z65yoi
 JyhYA49WgMgwJBIrcd/I+ty0UlkJal0wla0P1c6Cw==
X-ME-Sender: <xms:ePuCWoaK2fzgUnpKvb0gv6H7B4ax5sqizg6kMWlXxmj2HtnXRC9gyw>
Received: from localhost (ool-2f14bdb1.dyn.optonline.net [47.20.189.177])
 by mail.messagingengine.com (Postfix) with ESMTPA id 60B8E7E4A8;
 Tue, 13 Feb 2018 09:51:36 -0500 (EST)
Date: Tue, 13 Feb 2018 09:51:35 -0500
From: Leo Famulari <leo@famulari.name>
To: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Message-ID: <20180213145135.GB18012@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan>
 <20180212185802.GA30991@jasmine.lan> <87zi4djp1z.fsf@elephly.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="H1spWtNR+x+ondvy"
Content-Disposition: inline
In-Reply-To: <87zi4djp1z.fsf@elephly.net>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 30415-done
Cc: 30415-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--H1spWtNR+x+ondvy
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
>=20
> Hi Leo,
>=20
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> [=E2=80=A6]
> > +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer o=
verflow.
> > +                 ;; This environment variable is recommended in 'unix/=
Makefile'
> > +                 ;; for passing flags to the C compiler.
> > +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
> > +                 #t))))))))
>=20
> This looks good to me.  Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930

--H1spWtNR+x+ondvy
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqC+3cACgkQJkb6MLrK
fwh3Wg//R0fYSSN5wOoJZ+egel2y9bgbvMQ1Fp/oa8dozXxZhHnNsHNMLNsHNc6p
D2QNNeAt/HRJukt7VkignxWJyorYbL3cLtDwiZ4f1G709fAYDow3jIDvWdgoj4id
BLfENmq77pVHcs5QPeECqZWoNyJ4IPCQlbCK9GnMrnBQeKZAEltdCB4rH1dsmOlK
tAoyPnT7e8WeHjQTzs5DJWz+npr8NVxAjnSR9ZRX1jEe4wWGvCFtZ8pEHEgDuTlE
pBUeFi5LFBvnwndrU86AjTYJenV6FOkukdsrm2lFydINi7dnzw4Jn9G5WbQ0ObQR
hO7ZfSkNUtZ3reuZFYof53xx8XPbv7SJREVoa3pZbzr1XQVZl1OHVkbq6kxEhqIT
um7dhtsCHnVLdBoqBdnRW3HPLVKKEil89vkAkoUsuHaLRQBtBiR4VD/Qis58xmeC
AKKo11wtn/yp+B47NqX4ww8P1GCHGYTej42erwHPeXV82X8H0UN+j6oaAe3asctA
62wmZjMr6yafRcHecZPtvdhFFgECMQhxjFsYBGDDD8/+j4L4Z2/2uGC2rFjpqV75
Dii91qLHuyoP+zw1s+EEbTHOjwFICcW2rtdSiEHj7xMFaFQ9WgOIdMflWRsBLoRK
afntTuJLuEB3uf2Oq0FHtBZXLgm+adIAwHYOef5c7xcuHydhBcU=
=h5Yt
-----END PGP SIGNATURE-----

--H1spWtNR+x+ondvy--




From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 06:48:52 2018
Received: (at 30415) by debbugs.gnu.org; 14 Feb 2018 11:48:52 +0000
Received: from localhost ([127.0.0.1]:42190 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1elvYR-0000it-TB
	for submit@debbugs.gnu.org; Wed, 14 Feb 2018 06:48:52 -0500
Received: from sender-of-o51.zoho.com ([135.84.80.216]:21071)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@elephly.net>) id 1elvYQ-0000ik-Ln
 for 30415@debbugs.gnu.org; Wed, 14 Feb 2018 06:48:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1518508907; 
 s=zoho; d=elephly.net; i=rekado@elephly.net;
 h=References:From:To:Cc:Subject:In-reply-to:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
 l=555; bh=NfWrLB7PUT/96tofx29ctuhzoUemibuWljR07xsIw+Y=;
 b=YXoEWjL4iE+RAG9zntKbsceb20yddjAcynf2bnL76Wm4Itl7pJpq47HDdMsup0I4
 kW/9lkxd+A9wKBEu0QyW5jsUTt7VzwOEtBeinvLle6qJq5kmA5BaGtPfrGtkIFLr0aK
 Vg64GYLwECB2CWq0kYyFpjxemLeoBJC9D9VwyGa0=
Received: from localhost (port-92-200-0-86.dynamic.qsc.de [92.200.0.86]) by
 mx.zohomail.com with SMTPS id 1518508907468243.0062058158161;
 Tue, 13 Feb 2018 00:01:47 -0800 (PST)
References: <20180210185728.GA18894@jasmine.lan>
 <20180211153548.GA1853@jasmine.lan> <20180212185802.GA30991@jasmine.lan>
User-agent: mu4e 0.9.18; emacs 25.3.1
From: Ricardo Wurmus <rekado@elephly.net>
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
In-reply-to: <20180212185802.GA30991@jasmine.lan>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Tue, 13 Feb 2018 09:01:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <87zi4djp1z.fsf@elephly.net>
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 30415
Cc: 30415@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.
[=E2=80=A6]
> +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer ove=
rflow.
> +                 ;; This environment variable is recommended in 'unix/Ma=
kefile'
> +                 ;; for passing flags to the C compiler.
> +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1")
> +                 #t))))))))

This looks good to me.  Thank you!

--=20
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net






From unknown Sat Sep 13 09:36:04 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 15 Mar 2018 11:24:05 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator