unzip-6.00-39.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11485-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z unzip-6.00-39.1 on GA media These are all security issues fixed in the unzip-6.00-39.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11485 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2005-2475/ SUSE CVE CVE-2005-2475 page https://www.suse.com/security/cve/CVE-2014-9636/ SUSE CVE CVE-2014-9636 page https://www.suse.com/security/cve/CVE-2016-9844/ SUSE CVE CVE-2016-9844 page https://www.suse.com/security/cve/CVE-2018-1000035/ SUSE CVE CVE-2018-1000035 page https://www.suse.com/security/cve/CVE-2018-18384/ SUSE CVE CVE-2018-18384 page openSUSE Tumbleweed unzip-6.00-39.1 unzip-doc-6.00-39.1 unzip-6.00-39.1 as a component of openSUSE Tumbleweed unzip-doc-6.00-39.1 as a component of openSUSE Tumbleweed Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete. CVE-2005-2475 openSUSE Tumbleweed:unzip-6.00-39.1 openSUSE Tumbleweed:unzip-doc-6.00-39.1 moderate 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-2475.html CVE-2005-2475 https://bugzilla.suse.com/274156 SUSE Bug 274156 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. CVE-2014-9636 openSUSE Tumbleweed:unzip-6.00-39.1 openSUSE Tumbleweed:unzip-doc-6.00-39.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9636.html CVE-2014-9636 https://bugzilla.suse.com/914442 SUSE Bug 914442 Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. CVE-2016-9844 openSUSE Tumbleweed:unzip-6.00-39.1 openSUSE Tumbleweed:unzip-doc-6.00-39.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9844.html CVE-2016-9844 https://bugzilla.suse.com/1013992 SUSE Bug 1013992 https://bugzilla.suse.com/1159417 SUSE Bug 1159417 A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution. CVE-2018-1000035 openSUSE Tumbleweed:unzip-6.00-39.1 openSUSE Tumbleweed:unzip-doc-6.00-39.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000035.html CVE-2018-1000035 https://bugzilla.suse.com/1076531 SUSE Bug 1076531 https://bugzilla.suse.com/1080074 SUSE Bug 1080074 https://bugzilla.suse.com/1149684 SUSE Bug 1149684 https://bugzilla.suse.com/1159417 SUSE Bug 1159417 https://bugzilla.suse.com/1196768 SUSE Bug 1196768 Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12. CVE-2018-18384 openSUSE Tumbleweed:unzip-6.00-39.1 openSUSE Tumbleweed:unzip-doc-6.00-39.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18384.html CVE-2018-18384 https://bugzilla.suse.com/1110194 SUSE Bug 1110194 https://bugzilla.suse.com/1148898 SUSE Bug 1148898 https://bugzilla.suse.com/1153715 SUSE Bug 1153715