Unzip 5.52 vulnerability.

[Ag. Hatzimanikas]

Tavis Ormandy of the Google Security Team (aka taviso from gentoo) discovered that the NEEDBITS macro in the inflate_dynamic() function in the file inflate.c can be invoked using invalid buffers, which can lead to a double free.

Impact ======

Remote attackers could entice a user or automated system to open a specially crafted ZIP file that might lead to the execution of arbitrary code or a Denial of Service.

See:

​http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888

​http://www.debian.org/security/2008/dsa-1522

​http://bugs.gentoo.org/show_bug.cgi?id=213761

As a side note, I can't really verify the following statement in the book, as the link [1] to this patch is no longer available.

"Note that if you applied the patch described above for locale issues, the required security patch will have some offsets."

Please also note that the patch from gentoo and debian differs, as the gentoo one, crops the last two statements as unnecessary (see gentoo bug #213761 link above).

1. ​https://bugzilla.altlinux.ru/attachment.cgi?id=532

[Ag. Hatzimanikas]

Gentoo patch

[Ag. Hatzimanikas]

Attached the gentoo patch; apply with -p0.

[Ag. Hatzimanikas]

Replying to ag@linuxfromscratch.org:

As a side note, I can't really verify the following statement in the book, as the link [1] to this patch is no longer available.

"Note that if you applied the patch described above for locale issues, the required security patch will have some offsets."

I got it now and the patch still applies with some offsets.

[bdubbs@…]

I can confirm that the optional patch will create offsets for the security_fix-1.patch.

[bdubbs@…]

Added security patch to repository and added instructions to unzip. Also moved locale patch to repository.

Fixed at revision 7383.