Bug 614040 (CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5977, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981)

Debian already released a fixed version:
https://www.debian.org/security/2017/dsa-3878

The list of the CVEs are: 
CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981.

Comment 2 GLSAMaker/CVETool Bot 2017-06-15 20:29:15 UTC

CVE-2017-5974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5974):
  Heap-based buffer overflow in the __zzip_get32 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5975):
  Heap-based buffer overflow in the __zzip_get64 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5976):
  Heap-based buffer overflow in the zzip_mem_entry_extra_block function in
  memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (crash) via a crafted ZIP file.

CVE-2017-5977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5977):
  The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62
  allows remote attackers to cause a denial of service (invalid memory read
  and crash) via a crafted ZIP file.

CVE-2017-5978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5978):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (out-of-bounds read and crash)
  via a crafted ZIP file.

CVE-2017-5979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5979):
  The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote
  attackers to cause a denial of service (NULL pointer dereference and crash)
  via a crafted ZIP file.

CVE-2017-5980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5980):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  crash) via a crafted ZIP file.

CVE-2017-5981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5981):
  seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (assertion failure and crash) via a crafted ZIP file.

Comment 3 Thomas Deutschmann (RETIRED) 2017-06-15 20:33:40 UTC

(In reply to Teika kazura from comment #1)
> Debian already released a fixed version:
> https://www.debian.org/security/2017/dsa-3878

Not all vulnerabilities are fixed yet, even in Debian's release. See https://security-tracker.debian.org/tracker/CVE-2017-5977 for example.

Not sure if I should open another bug entry but as this one isn't resolved: I also found out that there is at least CVE-2018-17828 ( Fixed with https://github.com/gdraheim/zziplib/commit/81dfa6b3e08f6934885ba5c98939587d6850d08e ) too while browsing their github.

Comment 5 Larry the Git Cow 2020-01-17 02:40:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec605c4b65aee2fa1981227c221502063c252d4

commit 7ec605c4b65aee2fa1981227c221502063c252d4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-01-17 02:32:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-01-17 02:38:35 +0000

    dev-libs/zziplib: Fix multiple security vulnerabilities
    
    - CVE-2018-7725
    - CVE-2018-7726
    - CVE-2018-16548
    - CVE-2018-17828
    
    Patches fetched from openSUSE, many thanks.
    
    Bug: https://bugs.gentoo.org/614040
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/zziplib/Manifest                  | 1 +
 dev-libs/zziplib/zziplib-0.13.69-r1.ebuild | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

Comment 6 Andreas Sturmlechner 2020-01-17 02:44:43 UTC

Please note that patches for CVE-2018-7725 and CVE-2018-7726 apply cleanly even though those CVEs were claimed to be fixed in bug 646780.

Comment 7 Andreas Sturmlechner 2020-01-29 00:06:18 UTC

Arches, please stabilise.

Security, please decide what to do here (either update the bug with new CVEs or open a new one depending on this one).

Comment 8 Agostino Sarubbo 2020-01-29 10:17:27 UTC

amd64 stable

Comment 9 Agostino Sarubbo 2020-01-30 11:00:50 UTC

ppc64 stable

Comment 10 Agostino Sarubbo 2020-01-30 11:05:17 UTC

ppc stable

Comment 11 Agostino Sarubbo 2020-01-30 11:06:38 UTC

sparc stable

Comment 12 Agostino Sarubbo 2020-01-30 12:12:00 UTC

ia64 stable

Comment 13 Agostino Sarubbo 2020-01-30 12:14:49 UTC

x86 stable

Comment 14 Sergei Trofimovich (RETIRED) 2020-02-06 11:27:01 UTC

hppa stable

Comment 15 Agostino Sarubbo 2020-02-11 11:37:20 UTC

arm stable

Comment 16 Agostino Sarubbo 2020-02-12 16:14:18 UTC

s390 stable

Comment 17 Mart Raudsepp 2020-02-21 20:59:30 UTC

arm64 stable

Comment 18 Thomas Deutschmann (RETIRED) 2020-03-16 22:52:32 UTC

@ maintainer(s): Please cleanup and drop =dev-libs/zziplib-0.13.69!

Comment 19 Larry the Git Cow 2020-03-16 23:39:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f04160d12ea709df577a3829e093bd3e7aae928

commit 8f04160d12ea709df577a3829e093bd3e7aae928
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-16 23:38:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-16 23:38:58 +0000

    dev-libs/zziplib: Cleanup vulnerable 0.13.69 (r0)
    
    Bug: https://bugs.gentoo.org/614040
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/zziplib/zziplib-0.13.69.ebuild | 92 ---------------------------------
 1 file changed, 92 deletions(-)

Comment 20 Thomas Deutschmann (RETIRED) 2020-03-17 01:15:19 UTC

GLSA Vote: No!

Repository is clean, all done!