---

CVE-2018-1000035 - log back

CVE-2018-1000035 edited at 23 Feb 2021 11:29:47
References	https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-infozip-unzip/ + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838 + https://sources.debian.org/data/main/u/unzip/6.0-21+deb9u2/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
Notes	- Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.

CVE-2018-1000035 edited at 04 Feb 2021 23:28:44
References	- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html + https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-infozip-unzip/

CVE-2018-1000035 created at 25 Sep 2019 19:31:40
Severity	+ Low
Remote	+ Local
Type	+ Arbitrary code execution
Description	+ A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
References	+ https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Notes	+ Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.