GNU bug report logs - #30415
Unzip CVE-2018-1000031 and others

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Feb 2018 18:58:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #22 received at 30415 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 30415 <at> debbugs.gnu.org
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:01:44 +0100

Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.
[…]
> +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> +                 ;; This environment variable is recommended in 'unix/Makefile'
> +                 ;; for passing flags to the C compiler.
> +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> +                 #t))))))))

This looks good to me.  Thank you!

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

This bug report was last modified 7 years and 184 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #30415 Unzip CVE-2018-1000031 and others

GNU bug report logs - #30415
Unzip CVE-2018-1000031 and others