CVE-2014-9636

Description

unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.

References

Link	Tags
http://seclists.org/oss-sec/2014/q4/1131	mailing list
http://secunia.com/advisories/62738	third party advisory
https://security.gentoo.org/glsa/201611-01	vendor advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148849.html	vendor advisory
http://secunia.com/advisories/62751	third party advisory
http://seclists.org/oss-sec/2015/q1/216	mailing list
http://www.securityfocus.com/bid/71825	vdb entry
http://www.ubuntu.com/usn/USN-2489-1	vendor advisory
http://www.debian.org/security/2015/dsa-3152	vendor advisory
http://seclists.org/oss-sec/2014/q4/489	mailing list
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148792.html	vendor advisory
http://seclists.org/oss-sec/2014/q4/496	mailing list
http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450	patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2014-9636?: CVE-2014-9636 has been scored as a medium severity vulnerability.
How to fix CVE-2014-9636?: To fix CVE-2014-9636, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2014-9636 being actively exploited in the wild?: It is possible that CVE-2014-9636 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~59% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer

References

Frequently Asked Questions