CVE-2014-9636

Published: 31 December 2014

unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.

Priority

Status

Package	Release	Status
unzip Launchpad, Ubuntu, Debian	lucid	Released (6.0-1ubuntu0.2)
	precise	Released (6.0-4ubuntu2.2)
	trusty	Released (6.0-9ubuntu1.2)
	upstream	Needed
	utopic	Released (6.0-12ubuntu1.2)
	Patches: other: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=95e98be32f791909977347bca032d3bc

References

http://seclists.org/oss-sec/2014/q4/489
http://seclists.org/oss-sec/2014/q4/507
https://ubuntu.com/security/notices/USN-2489-1
https://www.cve.org/CVERecord?id=CVE-2014-9636
NVD
Launchpad
Debian

Bugs

http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›