CVE-2018-1000035 - log

CVE-2018-1000035 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
References
+ https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Notes
+ Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.