[adelie-devel] [RFC] Switching upstreams for system/nvi and system/unzip to Debian

From: Max Rees <maxcrees_at_me.com>
Date: Sat, 21 Mar 2020 16:40:49 -0500

Hello,

I am proposing we switch upstreams for two packages in the system
repository to Debian due to our current upstreams having dried up.
Please leave your comments on this list or on the individual merge
requests.

Thanks,

Max Rees

===== system/unzip =====

The last release from Info-ZIP was 6.0 on 20 April 2009. Since that
time, the following nine CVEs have been issued and no upstream fixes
have been released:

> CVE-2014-8139: Heap-based buffer overflow in the CRC32 verification in
> Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
> arbitrary code via a crafted zip file in the -t command argument to the
> unzip command.

> CVE-2014-8140: Heap-based buffer overflow in the test_compr_eb function
> in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
> arbitrary code via a crafted zip file in the -t command argument to the
> unzip command.

> CVE-2014-8141: Heap-based buffer overflow in the getZip64Data function
> in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
> arbitrary code via a crafted zip file in the -t command argument to the
> unzip command.

> CVE-2014-9636: unzip 6.0 allows remote attackers to cause a denial of
> service (out-of-bounds read or write and crash) via an extra field with
> an uncompressed size smaller than the compressed field size in a zip
> archive that advertises STORED method compression.

> CVE-2014-9913: Buffer overflow in the list_files function in list.c in
> Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service
> (crash) via vectors related to the compression method.

> CVE-2016-9844: Buffer overflow in the zi_short function in zipinfo.c in
> Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service
> (crash) via a large compression method value in the central directory
> file header.

> CVE-2018-18384: Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when
> a ZIP archive has a crafted relationship between the compressed-size
> value and the uncompressed-size value, because a buffer size is 10 and
> is supposed to be 12.

> CVE-2018-1000035: A heap-based buffer overflow exists in Info-Zip UnZip
> version <= 6.00 in the processing of password-protected archives that
> allows an attacker to perform a denial of service or to possibly achieve
> code execution.

> CVE-2019-13232: Info-ZIP UnZip 6.0 mishandles the overlapping of files
> inside a ZIP container, leading to denial of service (resource
> consumption), aka a "better zip bomb" issue.

Merge request URL: https://code.foxkit.us/adelie/packages/merge_requests/413

===== system/nvi =====

The last release from repo.or.cz was 1.81.6 on 18 November 2007. The
following CVE appears to have never been addressed (except by individual
distros):

> CVE-2001-1562: Format string vulnerability in nvi allows local users to
> gain privileges via format string specifiers in a filename.

(this one is relatively minor, despite the scary description, since as
far as I know the format string is only used in a status message and not
for the final save location of the file)

Additionally, Debian also patched a few other bugs that our nvi
currently exhibits, such as:

* nvi issues a warning on startup due to an incompatibility with
  system/db~4:

  BDB0635 DB_CREATE must be specified to create databases.

* nvi segfaults if a trailing tab is pushed to a new line by inserting
  characters before it if 'set number' is in effect

Merge request URL: https://code.foxkit.us/adelie/packages/merge_requests/414
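Added here as an example, not code from the original post, from Debian or from Info-ZIP: a Python check for the overlapping-entry layout that the CVE-2019-13232 entry above describes, so an archive can be rejected before anything is extracted. It assumes plain 32-bit archives (no ZIP64) and uses a constructed sample archive rather than any real file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # 30-byte local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
DATA_DESCRIPTOR_SIG = b"PK\x07\x08"

def zip_entry_spans(data):
    """Return (name, start, end) byte spans for every entry in a ZIP.
    Span = local header + name + extra + compressed data (+ data descriptor
    if flag bit 3 is set). Assumes 32-bit offsets (no ZIP64). Offsets come
    from the central directory, which is exactly what a crafted file controls."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            hdr = struct.unpack_from(LOCAL_HEADER_FMT, data, start)
            if hdr[0] != b"PK\x03\x04":
                raise ValueError(f"bad local header for {info.filename!r}")
            flags, name_len, extra_len = hdr[2], hdr[9], hdr[10]
            end = start + LOCAL_HEADER_LEN + name_len + extra_len + info.compress_size
            if flags & 0x0008:  # sizes unknown at write time: descriptor follows
                end += 16 if data[end:end + 4] == DATA_DESCRIPTOR_SIG else 12
            spans.append((info.filename, start, end))
    return spans

def find_overlaps(spans):
    """Return (name_a, name_b) pairs whose byte ranges intersect.
    Entries in a well-formed archive sit back to back; shared bytes are the
    layout CVE-2019-13232 describes, so reject the archive before extracting."""
    ordered = sorted(spans, key=lambda s: s[1])
    overlaps = []
    for i, (name_a, _, end_a) in enumerate(ordered):
        for name_b, start_b, _ in ordered[i + 1:]:
            if start_b >= end_a:
                break  # every later entry starts even further on
            overlaps.append((name_a, name_b))
    return overlaps

def make_clean_zip():
    """Constructed sample (not from the page): two ordinary DEFLATE entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return buf.getvalue()
```

`find_overlaps(zip_entry_spans(make_clean_zip()))` returns an empty list for the constructed archive; any non-empty result means two entries claim the same bytes.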
Received on Sat Mar 21 2020 - 21:40:54 UTC
