{
  "threat_severity" : "Low",
  "public_date" : "2014-12-22T00:00:00Z",
  "bugzilla" : {
    "description" : "unzip: out-of-bounds write issue in test_compr_eb() (oCERT-2014-011)",
    "id" : "1174851",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1174851"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-190->CWE-120",
  "details" : [ "Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.", "An integer underflow flaw, leading to a buffer overflow, was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option." ],
  "statement" : "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates in Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/",
  "acknowledgement" : "Red Hat would like to thank oCERT for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0700",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "unzip-0:6.0-2.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0700",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "unzip-0:6.0-15.ael7b"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "unzip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8140\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8140\nhttp://www.ocert.org/advisories/ocert-2014-011.html" ],
  "name" : "CVE-2014-8140",
  "csaw" : false
}