
Bug 629574 (CVE-2017-14107)

Summary: <dev-libs/libzip-1.2.0-r2: _zip_read_eocd64 function in zip_open.c in libzip mishandles EOCD records (CVE-2017-14107)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: creffett
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=628800
Whiteboard: B3 [noglsa cve]
Package list:
dev-libs/libzip-1.3.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 628800    

Description D'juan McDonald (domhnall) 2017-09-01 22:28:08 UTC
The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14107


see 628800
Comment 1 D'juan McDonald (domhnall) 2017-09-02 04:12:36 UTC
Upstream Patch:

https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5
Comment 2 Andreas Sturmlechner gentoo-dev 2017-09-02 08:49:21 UTC
1.2.0-r2 security revbump added in git commit 496ef5159327a6ec7726c0ec5ec849e16f416b7a
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 05:17:06 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-09-03 05:17:50 UTC
Upstream released 1.3.0, let's target that instead.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-09-11 22:44:30 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> Upstream released 1.3.0, let's target that instead.

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-15 07:32:45 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-09-20 10:00:03 UTC
amd64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 19:39:32 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 18:51:30 UTC
ppc stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:52:21 UTC
Stable on alpha.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-23 18:43:25 UTC
x86 stable

@ Maintainer(s): Please clean up!
Comment 12 Andreas Sturmlechner gentoo-dev 2017-10-23 23:35:24 UTC
Thanks, cleanup done in git commit b4a9cb3e5493b414c2d671e6e5c1e8bcf084915c.
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-24 00:31:38 UTC
Thank you all,

@Security please vote.

GLSA Vote: No