[Git][security-tracker-team/security-tracker][master] Reference further fix for functional regregression in unzip
Salvatore Bonaccorso
carnil at debian.org
Sun Jul 28 08:31:16 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4ed56c18 by Salvatore Bonaccorso at 2019-07-28T07:28:02Z
Reference further fix for functional regregression in unzip
There is one further commit needed for unzip to avoid a regresssion
causing firefox-esr FTBFS (reported as #932404).
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3413,6 +3413,7 @@ CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a
NOTE: https://www.bamsoftware.com/hacks/zipbomb/
NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
NOTE: Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
+ NOTE: Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
NOTE: No security impact, crash in CLI tool, any server implementing automatic extraction needs
NOTE: to apply resource limits anyway
CVE-2019-13231
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ed56c186a7912c4a505dd8b5b9e33e727e62091
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ed56c186a7912c4a505dd8b5b9e33e727e62091
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190728/3fdb4c14/attachment.html>
More information about the debian-security-tracker-commits
mailing list