14401 – The unzip Binary is from older version which has security vulnerabilities.

Bug 14401 - The unzip Binary is from older version which has security vulnerabilities.

Summary: The unzip Binary is from older version which has security vulnerabilities.

Status:	NEW

Alias:	None

Product:	Busybox
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	1.33.x
Hardware:	All All

Importance:	P5 major
Target Milestone:	---
Assignee:	unassigned

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-11-29 08:18 UTC by Sandeep Kumar
Modified:	2023-09-07 18:29 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sandeep Kumar 2021-11-29 08:18:13 UTC

Current unzip binary has following security issues:
https://nvd.nist.gov/vuln/detail/CVE-2005-0602
https://nvd.nist.gov/vuln/detail/CVE-2001-1268
https://nvd.nist.gov/vuln/detail/CVE-2001-1269

Comment 1 clausstrommer 2023-09-07 18:29:46 UTC

Vulnerability scans still identify Busybox's unzip version as 4.1.0.  Is this accurate, and if so is there any plan to update the version?