From: Leo Famulari
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Date: Sun, 11 Feb 2018 10:09:49 -0500
Message-ID: <20180211150949.GA26281@jasmine.lan>
In-Reply-To: <20180210185728.GA18894@jasmine.lan>
To: 30415@debbugs.gnu.org

The 3rd-party security advisory suggests that the bugs are fixed in
UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9 year old tarball on the
UnZip SourceForge page.

Any advice? I suppose we could keep the old UnZip package just to unpack
the new one.