CVE-2014-8139

CWE-787Out-of-bounds WriteCWE-190Integer OverflowCWE-125Out-of-bounds Read11 documents10 sources
Severity
7.8HIGH
EPSS
8.1%
top 7.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
ETJ Archive::unzip::burstUnzip Project UnzipInfo-zip Unzip+6 more
Timeline
PublishedJan 31
Latest updateMay 17

Description

Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages7 packages

CVEListV5info-zip/unzip6.0 and earlier
Debianunzip< 6.0-16+3
CVEListV5etj/archive::unzip::burst0.010.09

Also affects: Enterprise Linux 6.6, 7.3, 7.4, 7.6, 7.7, 7.1, 7.2, 7.5

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-fhcq-p46p-2xvm: Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 62022-05-17
CVEList
CVE-2014-8139: Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 62020-01-31
OSV
CVE-2014-8139: Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 62020-01-31

📋Vendor Advisories

5
Microsoft
Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip 2020-01-14
Ubuntu
unzip vulnerabilities2015-01-14
Red Hat
unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011)2014-12-22
Debian
CVE-2014-8139: unzip - Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and e...2014
Apple
CVE-2014-8139: OS X Yosemite v10.10.4 and Security Update 2015-005

💬Community

2
Bugzilla
CVE-2014-8139 CVE-2014-8141 CVE-2014-8140 unzip: various flaws [fedora-all]2015-02-10
Bugzilla
CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011)2014-12-16