Security update for unzip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:0377-1 Final 1 1 2015-02-20T20:23:48Z current 2015-02-20T20:23:48Z 2015-02-20T20:23:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for unzip This update fixes the following security issues: * CVE-2014-8139: input sanitization errors (bnc#909214) * CVE-2014-9636: out-of-bounds read/write in test_compr_eb() (bnc#914442) Security Issues: * CVE-2014-9636 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9636> * CVE-2014-8139 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139> The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sledsp3-unzip,slessp3-unzip Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20150377-1/ Link for SUSE-SU-2015:0377-1 https://lists.suse.com/pipermail/sle-security-updates/2015-February/001255.html E-Mail link for SUSE-SU-2015:0377-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/909214 SUSE Bug 909214 https://bugzilla.suse.com/914442 SUSE Bug 914442 https://www.suse.com/security/cve/CVE-2014-8139/ SUSE CVE CVE-2014-8139 page https://www.suse.com/security/cve/CVE-2014-8140/ SUSE CVE CVE-2014-8140 page https://www.suse.com/security/cve/CVE-2014-8141/ SUSE CVE CVE-2014-8141 page https://www.suse.com/security/cve/CVE-2014-9636/ SUSE CVE CVE-2014-9636 page SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server for SAP Applications 11 SP3 unzip-6.00-11.13.1 unzip-6.00-11.13.1 as a component of SUSE Linux Enterprise Desktop 11 SP3 unzip-6.00-11.13.1 as a component of SUSE Linux Enterprise Server 11 SP3 unzip-6.00-11.13.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA unzip-6.00-11.13.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. CVE-2014-8139 SUSE Linux Enterprise Desktop 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:unzip-6.00-11.13.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150377-1/ https://www.suse.com/security/cve/CVE-2014-8139.html CVE-2014-8139 https://bugzilla.suse.com/909214 SUSE Bug 909214 https://bugzilla.suse.com/915880 SUSE Bug 915880 Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. CVE-2014-8140 SUSE Linux Enterprise Desktop 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:unzip-6.00-11.13.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150377-1/ https://www.suse.com/security/cve/CVE-2014-8140.html CVE-2014-8140 https://bugzilla.suse.com/909214 SUSE Bug 909214 https://bugzilla.suse.com/914442 SUSE Bug 914442 https://bugzilla.suse.com/915880 SUSE Bug 915880 Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. CVE-2014-8141 SUSE Linux Enterprise Desktop 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:unzip-6.00-11.13.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150377-1/ https://www.suse.com/security/cve/CVE-2014-8141.html CVE-2014-8141 https://bugzilla.suse.com/909214 SUSE Bug 909214 https://bugzilla.suse.com/915880 SUSE Bug 915880 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. CVE-2014-9636 SUSE Linux Enterprise Desktop 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:unzip-6.00-11.13.1 SUSE Linux Enterprise Server 11 SP3:unzip-6.00-11.13.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:unzip-6.00-11.13.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150377-1/ https://www.suse.com/security/cve/CVE-2014-9636.html CVE-2014-9636 https://bugzilla.suse.com/914442 SUSE Bug 914442