From: Leo Famulari
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Date: Sun, 11 Feb 2018 10:35:48 -0500
Message-ID: <20180211153548.GA1853@jasmine.lan>
In-Reply-To: <20180210185728.GA18894@jasmine.lan>
To: 30415@debbugs.gnu.org

On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
> CVE-2018-1000034, CVE-2018-1000035 in UnZip:
>
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 and etc

Okay, the advisory says that only CVE-2018-1000035 affects our UnZip 6.0
package; the other bugs were apparently introduced after that.

And CVE-2018-1000035 may be mitigated by the compiler.

I'll investigate more.