Out-of-Bounds Affecting unzip package, versions <5.52-7


Severity

Recommended
low

Based on Debian security rating.

Threat Intelligence

EPSS
1.02% (84th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN10-UNZIP-358295
  • published31 Dec 2005
  • disclosed31 Dec 2005

Introduced: 31 Dec 2005

CVE-2005-4667  (opens in a new tab)
CWE-119  (opens in a new tab)

How to fix?

Upgrade Debian:10 unzip to version 5.52-7 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream unzip package and not the unzip package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.

CVSS Scores

version 3.1