GNU bug report logs - #30415
Unzip CVE-2018-1000031 and others


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Feb 2018 18:58:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#30415: closed (Re: bug#30415: Unzip CVE-2018-1000031 and others)
Date: Tue, 13 Feb 2018 14:52:01 +0000
Your bug report

#30415: Unzip CVE-2018-1000031 and others

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30415 <at> debbugs.gnu.org.

-- 
30415: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30415
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Leo Famulari <leo <at> famulari.name>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 30415-done <at> debbugs.gnu.org
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:51:35 -0500
On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
> 
> Hi Leo,
> 
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> > +                 ;; This environment variable is recommended in 'unix/Makefile'
> > +                 ;; for passing flags to the C compiler.
> > +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > +                 #t))))))))
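Review bot: the comment above `(setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")` names only CVE-2018-1000035, while this report covers CVE-2018-1000031 through CVE-2018-1000035; the comment should say that the flag is a mitigation rather than a fix for the underlying bugs, and which of the five it is expected to affect, so a later reader does not take the package as patched. It is also worth recording in the comment that `_FORTIFY_SOURCE` only has an effect when the compiler optimizes (`-O1` or higher), so the phase depends on the optimization flags in `unix/Makefile` staying in place; if the build tolerates it, `_FORTIFY_SOURCE=2` gives the stricter checks.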
> 
> This looks good to me.  Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930
From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Unzip CVE-2018-1000031 and others
Date: Sat, 10 Feb 2018 13:57:28 -0500
We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 etc.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.