Bug 197772

Summary:	archivers/unzip: Port should be marked vulnerable to CVE-2015-1315
Product:	Ports & Packages	Reporter:	rsimmons0
Component:	Individual Port(s)	Assignee:	Xin LI <delphij>
Status:	Closed FIXED
Severity:	Affects Only Me	CC:	delphij, ports-secteam
Priority:	---	Flags:	bugzilla: maintainer-feedback? (ehaupt)
Version:	Latest
Hardware:	amd64
OS:	Any

Description rsimmons0 2015-02-17 20:54:57 UTC

I have not had time to check over the patch listed on Ubuntu's repository, but here is a link:
https://launchpad.net/ubuntu/+source/unzip/6.0-12ubuntu1.3


Here's a link to more info:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1315.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1315
https://security-tracker.debian.org/tracker/CVE-2015-1315

Comment 1 Bugzilla Automation freebsd_committer

2015-02-17 20:54:57 UTC

Auto-assigned to maintainer ehaupt@FreeBSD.org

Comment 2 rsimmons0 2015-02-17 20:56:28 UTC

I may have time this evening to work up a patch for our port, but I don't have time right this second.

Comment 3 Xin LI freebsd_committer

2015-02-17 22:03:18 UTC

Take.

Comment 4 commit-hook freebsd_committer

2015-02-17 22:03:56 UTC

A commit references this bug:

Author: delphij
Date: Tue Feb 17 22:03:34 UTC 2015
New revision: 379193
URL: https://svnweb.freebsd.org/changeset/ports/379193

Log:
  Document unzip heap based buffer overflow in iconv patch.

  PR:		ports/197772

Changes:
  head/security/vuxml/vuln.xml

Comment 5 Xin LI freebsd_committer

2015-02-17 22:05:29 UTC

I've committed a fix as r379192-379193 and merged to quaterly branch as 379194.