'[USN-4672-1] unzip vulnerabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ubuntu-security-announce
Subject:    [USN-4672-1] unzip vulnerabilities
From:       Avital Ostromich <avital.ostromich () canonical ! com>
Date:       2020-12-16 20:40:06
Message-ID: 41610769-bd27-965d-6e6c-a6374eefabc5 () canonical ! com
[Download RAW message or body]

[Attachment #2 (multipart/signed)]

[Attachment #4 (multipart/mixed)]

[Attachment #6 (multipart/alternative)]

==========================================================================
Ubuntu Security Notice USN-4672-1
December 16, 2020

unzip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in unzip.

Software Description:
- unzip: De-archiver for .zip files

Details:

Rene Freingruber discovered that unzip incorrectly handled certain
specially crafted password protected ZIP archives. If a user or automated
system using unzip were tricked into opening a specially crafted zip file,
an attacker could exploit this to cause a crash, resulting in a denial of
service. (CVE-2018-1000035)

Antonio Carista discovered that unzip incorrectly handled certain
specially crafted ZIP archives. If a user or automated system using unzip
were tricked into opening a specially crafted zip file, an attacker could
exploit this to cause a crash, resulting in a denial of service. This
issue only affected Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
(CVE-2018-18384)

It was discovered that unzip incorrectly handled certain specially crafted
ZIP archives. If a user or automated system using unzip were tricked into
opening a specially crafted zip file, an attacker could exploit this to
cause resource consumption, resulting in a denial of service.
(CVE-2019-13232)

Martin Carpenter discovered that unzip incorrectly handled certain
specially crafted ZIP archives. If a user or automated system using unzip
were tricked into opening a specially crafted zip file, an attacker could
exploit this to cause a crash, resulting in a denial of service. This
issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04
LTS. (CVE-2014-9913)

Alexis Vanden Eijnde discovered that unzip incorrectly handled certain
specially crafted ZIP archives. If a user or automated system using unzip
were tricked into opening a specially crafted zip file, an attacker could
exploit this to cause a crash, resulting in a denial of service. This
issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04
LTS. (CVE-2016-9844)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  unzip                           6.0-21ubuntu1.1

Ubuntu 16.04 LTS:
  unzip                           6.0-20ubuntu1.1

Ubuntu 14.04 ESM:
  unzip                           6.0-9ubuntu1.6

Ubuntu 12.04 ESM:
  unzip                           6.0-4ubuntu2.6

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4672-1
  CVE-2014-9913, CVE-2016-9844, CVE-2018-1000035, CVE-2018-18384,
  CVE-2019-13232

Package Information:
  https://launchpad.net/ubuntu/+source/unzip/6.0-21ubuntu1.1
  https://launchpad.net/ubuntu/+source/unzip/6.0-20ubuntu1.1

[Attachment #9 (text/html)]

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>
    </p>
    <div class="moz-text-plain" wrap="true" style="font-family:
      -moz-fixed; font-size: 12px;" lang="x-unicode">
      <pre class="moz-quote-pre" \
wrap="">========================================================================== \
Ubuntu Security Notice USN-4672-1 December 16, 2020

unzip vulnerabilities
==========================================================================