
Bug 614040 (CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5977, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981)

Summary: <dev-libs/zziplib-0.13.69-r1: multiple vulnerabilities (CVE-2017-{5974,5975,5976,5977,5978,5979,5980,5981})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mr_bones_, teika, vapier
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/14985
Whiteboard: B3 [noglsa cve]
Package list: dev-libs/zziplib-0.13.69-r1
Runtime testing required: ---
Bug Depends on: 646780
Bug Blocks:

Comment 1 Teika kazura 2017-06-14 06:11:45 UTC
Debian already released a fixed version:
https://www.debian.org/security/2017/dsa-3878

The list of CVEs is:
CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 20:29:15 UTC
CVE-2017-5974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5974):
  Heap-based buffer overflow in the __zzip_get32 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5975):
  Heap-based buffer overflow in the __zzip_get64 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5976):
  Heap-based buffer overflow in the zzip_mem_entry_extra_block function in
  memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (crash) via a crafted ZIP file.

CVE-2017-5977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5977):
  The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62
  allows remote attackers to cause a denial of service (invalid memory read
  and crash) via a crafted ZIP file.

CVE-2017-5978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5978):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (out-of-bounds read and crash)
  via a crafted ZIP file.

CVE-2017-5979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5979):
  The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote
  attackers to cause a denial of service (NULL pointer dereference and crash)
  via a crafted ZIP file.

CVE-2017-5980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5980):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  crash) via a crafted ZIP file.

CVE-2017-5981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5981):
  seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (assertion failure and crash) via a crafted ZIP file.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-15 20:33:40 UTC
(In reply to Teika kazura from comment #1)
> Debian already released a fixed version:
> https://www.debian.org/security/2017/dsa-3878

Not all vulnerabilities are fixed yet, even in Debian's release. See https://security-tracker.debian.org/tracker/CVE-2017-5977 for example.
Comment 4 Haelwenn (lanodan) Monnier 2019-10-17 15:15:13 UTC
Not sure if I should open another bug entry, but as this one isn't resolved: I also found out that there is at least CVE-2018-17828 (fixed with https://github.com/gdraheim/zziplib/commit/81dfa6b3e08f6934885ba5c98939587d6850d08e) too while browsing their GitHub.
Comment 5 Larry the Git Cow gentoo-dev 2020-01-17 02:40:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec605c4b65aee2fa1981227c221502063c252d4

commit 7ec605c4b65aee2fa1981227c221502063c252d4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-01-17 02:32:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-01-17 02:38:35 +0000

    dev-libs/zziplib: Fix multiple security vulnerabilities
    
    - CVE-2018-7725
    - CVE-2018-7726
    - CVE-2018-16548
    - CVE-2018-17828
    
    Patches fetched from openSUSE, many thanks.
    
    Bug: https://bugs.gentoo.org/614040
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/zziplib/Manifest                  | 1 +
 dev-libs/zziplib/zziplib-0.13.69-r1.ebuild | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)
Comment 6 Andreas Sturmlechner gentoo-dev 2020-01-17 02:44:43 UTC
Please note that patches for CVE-2018-7725 and CVE-2018-7726 apply cleanly even though those CVEs were claimed to be fixed in bug 646780.
Comment 7 Andreas Sturmlechner gentoo-dev 2020-01-29 00:06:18 UTC
Arches, please stabilise.

Security, please decide what to do here (either update the bug with new CVEs or open a new one depending on this one).
Comment 8 Agostino Sarubbo gentoo-dev 2020-01-29 10:17:27 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-01-30 11:00:50 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-01-30 11:05:17 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-01-30 11:06:38 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-01-30 12:12:00 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-01-30 12:14:49 UTC
x86 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2020-02-06 11:27:01 UTC
hppa stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-02-11 11:37:20 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-02-12 16:14:18 UTC
s390 stable
Comment 17 Mart Raudsepp gentoo-dev 2020-02-21 20:59:30 UTC
arm64 stable
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-16 22:52:32 UTC
@ maintainer(s): Please clean up and drop =dev-libs/zziplib-0.13.69!
Comment 19 Larry the Git Cow gentoo-dev 2020-03-16 23:39:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f04160d12ea709df577a3829e093bd3e7aae928

commit 8f04160d12ea709df577a3829e093bd3e7aae928
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-16 23:38:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-16 23:38:58 +0000

    dev-libs/zziplib: Cleanup vulnerable 0.13.69 (r0)
    
    Bug: https://bugs.gentoo.org/614040
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/zziplib/zziplib-0.13.69.ebuild | 92 ---------------------------------
 1 file changed, 92 deletions(-)
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 01:15:19 UTC
GLSA Vote: No!

Repository is clean, all done!