First published: Tue Dec 16 2014
oCERT reports an unzip flaw discovered by Michele Spagnuolo, Google Security Team:

"""
I would like to report a heap overflow condition in the CRC32 verification of unzip, which may result in arbitrary code execution. It can be triggered by passing a maliciously crafted zip file to unzip -t (version 6.00, both InfoZip and Debian).

Patches: The problem was an unrealistic/invalid value in a .ZIP Extra Field. There was a check (in extract.c:TestExtraField()) for an extra-block length that was too large, but no check for a too-small value. In this example, the length (ebLen) was 1, and when "(ebLen-4)" was passed to crc32(), bad things happened. A revised extract.c (which adds a new check and error message) should be available here: http://antinode.info/ftp/unzip60/extract.c
"""

Acknowledgement: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Michele Spagnuolo of the Google Security Team as the original reporter.
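To make the length-check gap concrete, here is an added C model of the extra-field walk, written for this page and not unzip's own code: it reproduces the state the report describes (only a "too large" test) beside the corrected check, showing how an ebLen of 1 turns "ebLen-4" into an enormous unsigned length. The block layout, the constructed sample bytes and every function name here are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model, not unzip's code. An extra field is a chain of blocks:
 * 2-byte id, 2-byte data length (ebLen), then ebLen bytes. For block types
 * that carry a CRC, the first EB_CRC_SIZE data bytes store it and the
 * remaining ebLen - EB_CRC_SIZE bytes are what crc32() is asked to cover. */
#define EB_HEADSIZE 4u
#define EB_CRC_SIZE 4u
static unsigned read_le16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Byte count that would be handed to crc32() for one block. With
 * check_min == false only the "too large" test runs (the reported state),
 * so ebLen == 1 gives 1u - 4u, which wraps to 0xFFFFFFFD: a read far past
 * the heap buffer. check_min == true adds the missing lower bound. */
static bool crc_payload_len(unsigned ebLen, unsigned remaining,
                            bool check_min, unsigned *out) {
    if (ebLen > remaining) return false;                /* existing check */
    if (check_min && ebLen < EB_CRC_SIZE) return false; /* added check */
    *out = ebLen - EB_CRC_SIZE;
    return true;
}

/* Walks every block; returns the count accepted, or -1 on a rejected block.
 * *max_len receives the largest CRC length requested along the way. */
int walk_extra_field(const uint8_t *ef, unsigned ef_len, bool check_min,
                     unsigned *max_len) {
    int blocks = 0;
    *max_len = 0;
    while (ef_len >= EB_HEADSIZE) {
        unsigned ebLen = read_le16(ef + 2), len;
        if (!crc_payload_len(ebLen, ef_len - EB_HEADSIZE, check_min, &len))
            return -1;
        if (len > *max_len) *max_len = len;
        ef += EB_HEADSIZE + ebLen;
        ef_len -= EB_HEADSIZE + ebLen;
        blocks++;
    }
    return blocks;
}

/* Constructed sample: a well-formed block with 8 data bytes, then a block
 * claiming ebLen = 1, the value from the report. */
static const uint8_t SAMPLE_EF[] = {
    0x01, 0x00, 0x08, 0x00, 0xAA, 0xBB, 0xCC, 0xDD, 1, 2, 3, 4,
    0x02, 0x00, 0x01, 0x00, 0x00 };
int sample_blocks(bool check_min) {
    unsigned m; return walk_extra_field(SAMPLE_EF, sizeof SAMPLE_EF, check_min, &m);
}
unsigned sample_max_len(bool check_min) {
    unsigned m; walk_extra_field(SAMPLE_EF, sizeof SAMPLE_EF, check_min, &m); return m;
}
```

Without the lower bound the walker accepts both blocks and would ask crc32() for 0xFFFFFFFD bytes; with it, the ebLen = 1 block is rejected before any length is computed.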
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Unzip | | |
| unzip | | |
The severity of REDHAT-BUG-1174844 is high due to the potential for arbitrary code execution.
To fix REDHAT-BUG-1174844, update the unzip package to the latest version provided by your distribution.
REDHAT-BUG-1174844 is caused by a heap overflow condition in the CRC32 verification of the unzip utility.
REDHAT-BUG-1174844 affects the InfoZip unzip and Debian unzip software packages.
Yes, REDHAT-BUG-1174844 can be exploited remotely by processing maliciously crafted zip files.