SB2018021006 - Multiple vulnerabilities in Info-ZIP UnZip

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2018-1000031)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

2) Buffer overflow (CVE-ID: CVE-2018-1000032)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

3) Out-of-bounds read (CVE-ID: CVE-2018-1000033)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

4) Out-of-bounds read (CVE-ID: CVE-2018-1000034)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

Remediation

Install update from vendor's website.

References

• https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
• http://www.securityfocus.com/bid/103031
• http://www.securityfocus.com/bid/103111