CVE-2014-9636: Buffer Overflow
First published: Fri Feb 06 2015(Updated: )
unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| unzip | =6.0 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =14.10 | |
| Debian | =7.0 | |
| Fedora | =20 | |
| Fedora | =21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148792.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148849.html
- http://seclists.org/oss-sec/2014/q4/1131
- http://seclists.org/oss-sec/2014/q4/489
- http://seclists.org/oss-sec/2014/q4/496
- http://seclists.org/oss-sec/2015/q1/216
- http://secunia.com/advisories/62738
- http://secunia.com/advisories/62751
- http://www.debian.org/security/2015/dsa-3152
- http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/71825
- http://www.ubuntu.com/usn/USN-2489-1
- https://security.gentoo.org/glsa/201611-01
Frequently Asked Questions
What is the severity of CVE-2014-9636?
CVE-2014-9636 is rated as a denial of service vulnerability due to potential crashes caused by out-of-bounds reads or writes.
How do I fix CVE-2014-9636?
To mitigate CVE-2014-9636, update to a patched version of Unzip or apply relevant security patches provided by your Linux distribution.
Which software is affected by CVE-2014-9636?
CVE-2014-9636 affects Unzip version 6.0, as well as specific versions of Ubuntu, Debian, and Fedora.
Can CVE-2014-9636 be exploited remotely?
Yes, CVE-2014-9636 can be exploited remotely by attackers through specially crafted zip files.
What platforms are at risk due to CVE-2014-9636?
CVE-2014-9636 impacts platforms running Unzip 6.0 and various Linux distributions like Ubuntu, Debian, and Fedora.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/unzip project
- canonical/unzip
- version/unzip/6.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/14.10
- vendor/debian
- canonical/debian
- version/debian/7.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/20
- version/fedora/21