Headline
Ubuntu Security Notice USN-5673-1
Ubuntu Security Notice 5673-1 - It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that unzip did not properly perform bounds checking while converting wide strings to local strings. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code.
==========================================================================
Ubuntu Security Notice USN-5673-1
October 13, 2022

unzip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in unzip.

Software Description:
- unzip: De-archiver for .zip files

Details:

It was discovered that unzip did not properly handle unicode strings under
certain circumstances. If a user were tricked into opening a specially crafted
zip file, an attacker could possibly use this issue to cause unzip to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2021-4217)

It was discovered that unzip did not properly perform bounds checking while
converting wide strings to local strings. If a user were tricked into opening a
specially crafted zip file, an attacker could possibly use this issue to cause
unzip to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-0529, CVE-2022-0530)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  unzip 6.0-26ubuntu3.1

Ubuntu 20.04 LTS:
  unzip 6.0-25ubuntu1.1

Ubuntu 18.04 LTS:
  unzip 6.0-21ubuntu1.2

Ubuntu 16.04 ESM:
  unzip 6.0-20ubuntu1.1+esm1

Ubuntu 14.04 ESM:
  unzip 6.0-9ubuntu1.6+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5673-1
  CVE-2021-4217, CVE-2022-0529, CVE-2022-0530, https://launchpad.net/bugs/1957077

Package Information:
  https://launchpad.net/ubuntu/+source/unzip/6.0-26ubuntu3.1
  https://launchpad.net/ubuntu/+source/unzip/6.0-25ubuntu1.1
  https://launchpad.net/ubuntu/+source/unzip/6.0-21ubuntu1.2
Related news
Ubuntu Security Notice 7054-1 - It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code.
Gentoo Linux Security Advisory 202310-17 - Multiple vulnerabilities have been discovered in UnZip, the worst of which could lead to code execution. Versions greater than or equal to 6.0_p27 are affected.
Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user to redirect to a malicious website, leading to information disclosure and the launch of phishing attacks.
A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. An application may be able to execute arbitrary code with kernel privileges.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Apple Security Advisory 2022-05-16-4 - Security Update 2022-004 Catalina addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-2 - macOS Monterey 12.4 addresses buffer overflow, bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string, which leads to a heap out-of-bounds write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.