CVE-2014-9636

Description

unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.

How to fix CVE-2014-9636

To remediate CVE-2014-9636, upgrade the affected package to a fixed version below.

• Alpine/unzip—upgrade to 6.0-r3 or later
• Debian/unzip—upgrade to 6.0-15 or later
• Debian/unzip—upgrade to 6.0-8+deb7u2 or later

Is CVE-2014-9636 being exploited?

Likely — EPSS is 58.4%, placing CVE-2014-9636 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

• from 0, < 6.0-r3
• from 0, < 6.0-15
• from 0, < 6.0-8+deb7u2

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2014-9636
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-9636