Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614040 (CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5977, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981) - dev-libs/zziplib: multiple vulnerabilities (CVE-2017-{5974,5975,5976,5977,5978,5979,5980,5981})
Summary: dev-libs/zziplib: multiple vulnerabilities (CVE-2017-{5974,5975,5976,5977,597...
Status: IN_PROGRESS
Alias: CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5977, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream cve]
Keywords:
Depends on: CVE-2018-6381, CVE-2018-6484, CVE-2018-6540, CVE-2018-6541, CVE-2018-6542, CVE-2018-6869, CVE-2018-7725, CVE-2018-7726, CVE-2018-7727
Blocks:
  Show dependency tree
 
Reported: 2017-03-27 09:34 UTC by Agostino Sarubbo
Modified: 2018-02-06 16:53 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Teika kazura 2017-06-14 06:11:45 UTC
Debian already released a fixed version:
https://www.debian.org/security/2017/dsa-3878

The list of the CVEs are: 
CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 20:29:15 UTC
CVE-2017-5974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5974):
  Heap-based buffer overflow in the __zzip_get32 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5975):
  Heap-based buffer overflow in the __zzip_get64 function in fetch.c in
  zziplib 0.13.62 allows remote attackers to cause a denial of service (crash)
  via a crafted ZIP file.

CVE-2017-5976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5976):
  Heap-based buffer overflow in the zzip_mem_entry_extra_block function in
  memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (crash) via a crafted ZIP file.

CVE-2017-5977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5977):
  The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62
  allows remote attackers to cause a denial of service (invalid memory read
  and crash) via a crafted ZIP file.

CVE-2017-5978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5978):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (out-of-bounds read and crash)
  via a crafted ZIP file.

CVE-2017-5979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5979):
  The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote
  attackers to cause a denial of service (NULL pointer dereference and crash)
  via a crafted ZIP file.

CVE-2017-5980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5980):
  The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  crash) via a crafted ZIP file.

CVE-2017-5981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5981):
  seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of
  service (assertion failure and crash) via a crafted ZIP file.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-15 20:33:40 UTC
(In reply to Teika kazura from comment #1)
> Debian already released a fixed version:
> https://www.debian.org/security/2017/dsa-3878

Not all vulnerabilities are fixed yet, even in Debian's release. See https://security-tracker.debian.org/tracker/CVE-2017-5977 for example.