GNU bug report logs - #30415
Unzip CVE-2018-1000031 and others

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Feb 2018 18:58:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#30415: closed (Unzip CVE-2018-1000031 and others)
Date: Tue, 13 Feb 2018 14:52:01 +0000

[Message part 1 (text/plain, inline)]
Your message dated Tue, 13 Feb 2018 09:51:35 -0500
with message-id <20180213145135.GB18012 <at> jasmine.lan>
and subject line Re: bug#30415: Unzip CVE-2018-1000031 and others
has caused the debbugs.gnu.org bug report #30415,
regarding Unzip CVE-2018-1000031 and others
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
30415: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30415
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Unzip CVE-2018-1000031 and others
Date: Sat, 10 Feb 2018 13:57:28 -0500

[Message part 3 (text/plain, inline)]
We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 and etc

[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 30415-done <at> debbugs.gnu.org
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:51:35 -0500

[Message part 6 (text/plain, inline)]
On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
> 
> Hi Leo,
> 
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> > +                 ;; This environment variable is recommended in 'unix/Makefile'
> > +                 ;; for passing flags to the C compiler.
> > +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > +                 #t))))))))
> 
> This looks good to me.  Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 184 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.