ALAS-2015-504


Amazon Linux AMI Security Advisory: ALAS-2015-504
Advisory Release Date: 2015-04-15 22:15 Pacific
Severity: Medium

Issue Overview:

A buffer overflow was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unzip's '-t' option. (CVE-2014-9636 )

A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option. (CVE-2014-8139 )

An integer underflow flaw, leading to a buffer overflow, was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option. (CVE-2014-8140 )

A buffer overflow flaw was found in the way unzip handled Zip64 files. A specially crafted Zip archive could possibly cause unzip to crash when the archive was uncompressed. (CVE-2014-8141 )


Affected Packages:

unzip


Issue Correction:
Run yum update unzip to update your system.

New Packages:
i686:
    unzip-debuginfo-6.0-2.9.amzn1.i686
    unzip-6.0-2.9.amzn1.i686

src:
    unzip-6.0-2.9.amzn1.src

x86_64:
    unzip-debuginfo-6.0-2.9.amzn1.x86_64
    unzip-6.0-2.9.amzn1.x86_64