CVE-2018-1000035 - log back

CVE-2018-1000035 edited at 23 Feb 2021 11:29:47
References
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-infozip-unzip/
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838
+ https://sources.debian.org/data/main/u/unzip/6.0-21+deb9u2/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
Notes
- Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.
CVE-2018-1000035 edited at 04 Feb 2021 23:28:44
References
- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
+ https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-infozip-unzip/
CVE-2018-1000035 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
References
+ https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Notes
+ Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.