First published: Tue Dec 16 2014
oCERT reports an unzip flaw discovered by Michele Spagnuolo, Google Security Team:

"""
The read errors show problems in process.c:getZip64Data(), which lacked any error detection or reporting, and was trying to extract multi-byte data from a buffer which did not contain enough bytes.

Proposed changes:

http://antinode.info/ftp/info-zip/unzip60/fileio.c
fileio.c:do_string() looks at the status value returned from process.c:getZip64Data(), and puts out a new warning.

http://antinode.info/ftp/info-zip/unzip60/process.c
process.c:getZip64Data() gets new validity tests, and it returns a useful status value.
"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Michele Spagnuolo of the Google Security Team as the original reporter.
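The class of fix described above (validity tests before each multi-byte read, plus a status value the caller can act on), shown as an added example that is not Info-ZIP's code. All names are hypothetical; the layout assumed is the ZIP format's Zip64 extended information extra field (header ID 0x0001), and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum { Z64_OK = 0, Z64_NOT_FOUND = 1, Z64_TRUNCATED = -1 };   /* status codes */
enum { NEED_USIZE = 1, NEED_CSIZE = 2, NEED_OFFSET = 4, NEED_DISK = 8 };
struct zip64_info { uint64_t usize, csize, offset, disk; };

/* Constructed sample: an unrelated 1-byte block, then a Zip64 block that
   declares 16 data bytes (uncompressed size 5 GiB, compressed size 1 GiB). */
static const uint8_t sample_ef[] = {
    0x55,0x54, 0x01,0x00, 0x00,   0x01,0x00, 0x10,0x00,
    0x00,0x00,0x00,0x40,0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00 };

static uint64_t rd_le(const uint8_t *p, size_t n)      /* little-endian read */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Read n bytes at *pos only if they lie inside the block that ends at `end`. */
static int take(const uint8_t *b, size_t *pos, size_t end, size_t n, uint64_t *out)
{
    if (end - *pos < n) return Z64_TRUNCATED;
    *out = rd_le(b + *pos, n);
    *pos += n;
    return Z64_OK;
}

/* `need` flags the header fields that were all ones, so their real values
   must be present in the Zip64 block, in this fixed order. */
int parse_zip64_extra(const uint8_t *ef, size_t len, unsigned need,
                      struct zip64_info *z)
{
    size_t pos = 0;
    while (len - pos >= 4) {                       /* room for ID + size */
        uint16_t id = (uint16_t)rd_le(ef + pos, 2);
        size_t dsize = (size_t)rd_le(ef + pos + 2, 2);
        pos += 4;
        if (dsize > len - pos) return Z64_TRUNCATED;   /* block overruns buffer */
        if (id != 0x0001) { pos += dsize; continue; }  /* skip other blocks */
        size_t end = pos + dsize;
        if ((need & NEED_USIZE)  && take(ef, &pos, end, 8, &z->usize))  return Z64_TRUNCATED;
        if ((need & NEED_CSIZE)  && take(ef, &pos, end, 8, &z->csize))  return Z64_TRUNCATED;
        if ((need & NEED_OFFSET) && take(ef, &pos, end, 8, &z->offset)) return Z64_TRUNCATED;
        if ((need & NEED_DISK)   && take(ef, &pos, end, 4, &z->disk))   return Z64_TRUNCATED;
        return Z64_OK;
    }
    return Z64_NOT_FOUND;
}
```

A caller treats `Z64_TRUNCATED` as a malformed archive and warns or stops, rather than using whatever values happen to be in the struct.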
Affected Software | Affected Version | How to fix |
---|---|---|
Info-ZIP Zip |
The severity of REDHAT-BUG-1174856 is considered high due to the unzip flaw that can lead to improper error handling and potential data extraction issues.
To fix REDHAT-BUG-1174856, promptly update to the latest version of Info-ZIP Unzip that addresses the vulnerability.
REDHAT-BUG-1174856 affects Info-ZIP Unzip across various versions.
REDHAT-BUG-1174856 can lead to data corruption or extraction issues due to improper handling of ZIP file structures.
The flaw reported in REDHAT-BUG-1174856 was discovered by Michele Spagnuolo from the Google Security Team.