The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of UnZip: denial of service via Better Zip Bomb Overlapping

Synthesis of the vulnerability

An attacker can build a ZIP archive with overlapping entries (the "Better Zip Bomb" technique) that triggers a fatal error in UnZip, in order to cause a denial of service.
Vulnerable software: Debian, BIG-IP Hardware, TMOS, QRadar SIEM, RHEL, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 08/07/2019.
References of this computer vulnerability: 6347610, CERTFR-2021-AVI-418, CVE-2019-13232, DLA-1846-1, DLA-1846-2, K80311892, RHSA-2020:1181-01, RHSA-2020:1787-01, RHSA-2020:2486-01, USN-4672-1, VIGILANCE-VUL-29701.

Description of the vulnerability

An attacker can build a ZIP archive with overlapping entries (the "Better Zip Bomb" technique) that triggers a fatal error in UnZip, in order to cause a denial of service.
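A defender-side check for the archive shape this bulletin concerns, added here as an example and not code from Vigil@nce or from the UnZip project: it walks the central directory, computes the byte range each entry claims (local header plus compressed data), and reports entries whose ranges overlap, which a well-formed archive never has. The fixture builder and its entry names are constructed for the demonstration; Zip64 archives are deliberately rejected rather than parsed.

```python
import struct
import zlib
from typing import List, Tuple

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def entry_extents(data: bytes) -> List[Tuple[str, int, int]]:
    """(name, start, end) byte range of each entry's local header plus compressed data,
    located via the central directory. Zip64 archives are rejected (not handled here)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    if n_entries == 0xFFFF or cd_off == 0xFFFFFFFF:
        raise ValueError("zip64 archive: not supported by this check")
    pos, extents = cd_off, []
    for _ in range(n_entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        comp_size, = struct.unpack_from("<I", data, pos + 20)
        nl, el, cl = struct.unpack_from("<HHH", data, pos + 28)
        loc_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nl].decode("utf-8", "replace")
        if data[loc_off:loc_off + 4] != LOC_SIG:
            raise ValueError(f"entry {name!r}: no local header at offset {loc_off}")
        # Compressed data starts after the *local* header's own name/extra fields.
        lnl, lel = struct.unpack_from("<HH", data, loc_off + 26)
        extents.append((name, loc_off, loc_off + 30 + lnl + lel + comp_size))
        pos += 46 + nl + el + cl
    return extents

def find_overlaps(data: bytes) -> List[Tuple[str, str]]:
    """Pairs of entries whose byte ranges overlap; a sane archive returns []."""
    ext = sorted(entry_extents(data), key=lambda e: e[1])
    return [(a[0], b[0]) for a, b in zip(ext, ext[1:]) if b[1] < a[2]]

def build_sample(overlap: bool) -> bytes:
    """Constructed fixture (hypothetical, not from the bulletin): one stored local entry,
    referenced by one central-directory entry, or by two when overlap=True."""
    payload, crc = b"hello", zlib.crc32(b"hello")
    loc = LOC_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, 5, 5, 5, 0) + b"a.txt" + payload
    names = [b"a.txt", b"b.txt"] if overlap else [b"a.txt"]
    cd = b"".join(CEN_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, 5, 5,
                                         len(n), 0, 0, 0, 0, 0, 0) + n for n in names)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(names), len(names), len(cd), len(loc), 0)
    return loc + cd + eocd

if __name__ == "__main__":
    print("clean:", find_overlaps(build_sample(False)))      # []
    print("overlapping:", find_overlaps(build_sample(True)))  # [('a.txt', 'b.txt')]
```

Run it over an untrusted archive's bytes before handing the file to an older unzip; any non-empty result is a reason to quarantine rather than extract.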

This computer vulnerability bulletin impacts software or systems such as Debian, BIG-IP Hardware, TMOS, QRadar SIEM, RHEL, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

Trust level: confirmed by the editor; origin: document.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

Debian 8: new unzip packages.
New packages are available:
  Debian 8: unzip 6.0-16+deb8u5

F5 BIG-IP: solution for InfoZIP.
The solution is indicated in information sources.

IBM QRadar SIEM: patch for UnZip.
A patch is indicated in information sources.

RHEL 7.7: new unzip packages.
New packages are available:
  RHEL 7.7: unzip 6.0-20.el7_7.1

RHEL 7, 8: new unzip packages.
New packages are available:
  RHEL 7.0-7.7: unzip 6.0-21.el7
  RHEL 8.0-8.1: unzip 6.0-43.el8

Ubuntu: new unzip packages.
New packages are available:
  Ubuntu 18.04 LTS: unzip 6.0-21ubuntu1.1
  Ubuntu 16.04 LTS: unzip 6.0-20ubuntu1.1
  Ubuntu 14.04 ESM: unzip 6.0-9ubuntu1.6
  Ubuntu 12.04 ESM: unzip 6.0-4ubuntu2.6

Wind River Linux: version 10.17.41.19.
The version 10.17.41.19 is fixed.
This bulletin fixes more than 100 vulnerabilities, but only the 100 most recent vulnerabilities were associated with this bulletin.

Wind River Linux: version 10.18.44.12.
The version 10.18.44.12 is fixed:
  https://support2.windriver.com/
