[Secure-testing-team] Bug#874010: libzip: CVE-2017-14107: memory allocation failure in _zip_cdir_grow (zip_dirent.c)
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 1 21:14:02 UTC 2017
Source: libzip
Version: 0.11.2-1.2
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for libzip.
CVE-2017-14107[0]:
| The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0
| mishandles EOCD records, which allows remote attackers to cause a
| denial of service (memory allocation failure in _zip_cdir_grow in
| zip_dirent.c) via a crafted ZIP archive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107
[1] https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/
[2] https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5
Regards,
Salvatore
More information about the Secure-testing-team
mailing list