
Vulnerability of UnZip: denial of service via Better Zip Bomb Overlapping

Synthesis of the vulnerability

An attacker can craft a zip archive with overlapping entries (the "better zip bomb" technique) that makes UnZip hit a fatal error, in order to trigger a denial of service.
Vulnerable software: Debian, QRadar SIEM, RHEL.
Severity of this announcement: 2/4.
Creation date: 08/07/2019.
References of this computer vulnerability: 6347610, CVE-2019-13232, DLA-1846-1, DLA-1846-2, RHSA-2020:1181-01, RHSA-2020:1787-01, RHSA-2020:2486-01, VIGILANCE-VUL-29701.

Description of the vulnerability

An attacker can craft a zip archive with overlapping entries (the "better zip bomb" technique) that makes UnZip hit a fatal error, in order to trigger a denial of service.

This computer vulnerability bulletin impacts software or systems such as Debian, QRadar SIEM, RHEL.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is "confirmed by the vendor", with an origin of "vendor document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.
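As an added, defender-side example (not Vigil@nce's code nor the UnZip project's), the following Python pre-check parses an archive's central directory and local file headers and flags archives whose entries overlap on disk, which is the trait the "better zip bomb" relies on. Both sample archives are constructed inline; the overlapping one simply duplicates a central-directory record under a second name so that two entries point at the same bytes.

```python
"""Pre-check for overlapping zip entries (the CVE-2019-13232 zip-bomb trait).

Added example, not Vigil@nce's or UnZip's code. Run it on an archive before
handing it to an extractor; overlapping entries are a strong bomb indicator.
"""
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<4s5H3L2H")  # PK\x03\x04 local file header (30 bytes)
EOCD = struct.Struct("<4s4H2LH")           # end of central directory record (22 bytes)


def entry_spans(data: bytes):
    """Yield (name, start, end): the byte range [start, end) that each
    central-directory entry's local header plus compressed data occupies."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            fields = LOCAL_HEADER.unpack_from(data, start)
            if fields[0] != b"PK\x03\x04":
                raise ValueError(f"{info.filename}: bad local header signature")
            flags, name_len, extra_len = fields[2], fields[9], fields[10]
            end = start + LOCAL_HEADER.size + name_len + extra_len + info.compress_size
            if flags & 0x08:  # a data descriptor follows the data (12 or 16 bytes)
                end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
            yield info.filename, start, end


def find_overlaps(data: bytes):
    """Return (earlier_name, later_name) pairs whose byte ranges overlap.
    A benign archive returns an empty list."""
    spans = sorted(entry_spans(data), key=lambda s: (s[1], s[2]))
    overlaps = []
    covered_name, covered_end = None, -1
    for name, start, end in spans:
        if start < covered_end:          # starts inside an earlier entry's range
            overlaps.append((covered_name, name))
        if end > covered_end:
            covered_name, covered_end = name, end
    return overlaps


def expansion_ratio(data: bytes) -> float:
    """Declared uncompressed bytes per archive byte; a cheap companion
    heuristic, since overlap inflates this without growing the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(i.file_size for i in zf.infolist()) / max(len(data), 1)


def build_benign_zip() -> bytes:
    """Constructed sample: two ordinary stored entries, no overlap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello world")
        zf.writestr("b.txt", b"second file")
    return buf.getvalue()


def build_overlapping_zip() -> bytes:
    """Constructed sample: one stored entry whose central-directory record is
    duplicated under a second 5-character name, so both entries reference
    the same local header and data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello world")
    data = buf.getvalue()
    eocd_off = len(data) - EOCD.size  # no archive comment, so EOCD is the tail
    sig, disk, cd_disk, n_disk, n_total, cd_size, cd_off, clen = EOCD.unpack_from(data, eocd_off)
    cd = data[cd_off:cd_off + cd_size]
    cd2 = cd[:46] + b"b.txt" + cd[46 + 5:]  # filename starts at byte 46 of the record
    eocd = EOCD.pack(sig, disk, cd_disk, n_disk + 1, n_total + 1, cd_size * 2, cd_off, clen)
    return data[:cd_off] + cd + cd2 + eocd


if __name__ == "__main__":
    for label, sample in (("benign", build_benign_zip()), ("overlapping", build_overlapping_zip())):
        print(label, "overlaps:", find_overlaps(sample), "ratio: %.3f" % expansion_ratio(sample))
```

The check deliberately reads the local headers itself rather than trusting the sizes recorded in the central directory alone, because the two can disagree in a crafted archive; refusing any archive where `find_overlaps` is non-empty is a safe default for an upload or mail gateway, and pairing it with an upper bound on `expansion_ratio` catches the conventional, non-overlapping bombs as well.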

Solutions for this threat

Debian 8: new unzip packages.
New packages are available:
  Debian 8: unzip 6.0-16+deb8u5

IBM QRadar SIEM: patch for UnZip.
A patch is indicated in the information sources.

RHEL 7.7: new unzip packages.
New packages are available:
  RHEL 7.7: unzip 6.0-20.el7_7.1

RHEL 7, 8: new unzip packages.
New packages are available:
  RHEL 7.0-7.7: unzip 6.0-21.el7
  RHEL 8.0-8.1: unzip 6.0-43.el8

Wind River Linux: version 10.17.41.19.
The version 10.17.41.19 is fixed.

Wind River Linux: version 10.18.44.12.
The version 10.18.44.12 is fixed:
  https://support2.windriver.com/
