Bug 1080074 - (CVE-2018-1000035) VUL-1: CVE-2018-1000035: unzip: [Heap-based buffer overflow in password protected ZIP archives]
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/199646/
CVSSv3:SUSE:CVE-2018-1000035:7.8:(AV:...
Reported: 2018-02-08 13:41 UTC by Karol Babioch
Modified: 2020-04-23 15:11 UTC
Found By: Security Response Team
Attachments
Fix for CVE-2018-1000035 (1.04 KB, text/plain)
2018-02-08 13:41 UTC, Karol Babioch
Final patch used in openSUSE:Factory/unzip (1.26 KB, patch)
2018-02-08 14:17 UTC, Karol Babioch

Description Karol Babioch 2018-02-08 13:41:23 UTC
Created attachment 759403
Fix for CVE-2018-1000035

CVE-2018-1000035

InfoZip’s UnZip suffers from a heap-based buffer overflow when uncompressing password protected ZIP archives. An attacker can exploit this vulnerability to overwrite heap chunks to get arbitrary code execution on the target system.

Since we build with -D_FORTIFY_SOURCE=2 this is not exploitable, but will still crash the process.

Unfortunately the upstream situation is unclear to me. The versions mentioned in the original blog (see references) cannot be found on the "original" website/FTP/SourceForge.

I've found a fix in some (original?) forum:
http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548

References:
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000035
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html
Comment 1 Karol Babioch 2018-02-08 14:17:03 UTC
Fixed for openSUSE:Factory: https://build.opensuse.org/request/show/574265

Attaching final fix with updated line numbers. Should be fixed with next maintenance update.
Comment 2 Karol Babioch 2018-02-08 14:17:40 UTC
Created attachment 759406
Final patch used in openSUSE:Factory/unzip
Comment 6 Swamp Workflow Management 2018-02-13 16:56:35 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-02-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63970
Comment 7 Swamp Workflow Management 2018-02-16 20:07:51 UTC
SUSE-SU-2018:0465-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1080074
CVE References: CVE-2018-1000035
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    unzip-6.00-11.18.3.1
Comment 11 Swamp Workflow Management 2018-07-05 10:13:00 UTC
SUSE-SU-2018:1883-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1080074,910683,914442
CVE References: CVE-2014-9636,CVE-2018-1000035
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    unzip-6.00-4.3.1
Comment 12 Swamp Workflow Management 2018-07-07 01:08:32 UTC
openSUSE-SU-2018:1914-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1080074,910683,914442
CVE References: CVE-2014-9636,CVE-2018-1000035
Sources used:
openSUSE Leap 15.0 (src):    unzip-6.00-lp150.3.3.1, unzip-rcc-6.00-lp150.3.3.1
Comment 13 Swamp Workflow Management 2018-10-02 19:16:18 UTC
SUSE-SU-2018:2978-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1013992,1013993,1080074,910683,914442,950110,950111
CVE References: CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    unzip-6.00-33.8.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    unzip-6.00-33.8.1
Comment 14 Swamp Workflow Management 2018-10-05 19:18:56 UTC
openSUSE-SU-2018:3043-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1013992,1013993,1080074,910683,914442,950110,950111
CVE References: CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035
Sources used:
openSUSE Leap 42.3 (src):    unzip-6.00-31.3.1, unzip-rcc-6.00-31.3.1
Comment 15 Alexandros Toptsoglou 2020-04-23 15:11:50 UTC
Done