629574 – (CVE-2017-14107) <dev-libs/libzip-1.2.0-r2: _zip_read_eocd64 function in zip_open.c in libzip mishandles EOCD records (CVE-2017-14107)

Bug 629574 (CVE-2017-14107) - <dev-libs/libzip-1.2.0-r2: _zip_read_eocd64 function in zip_open.c in libzip mishandles EOCD records (CVE-2017-14107)

Summary: <dev-libs/libzip-1.2.0-r2: _zip_read_eocd64 function in zip_open.c in libzip...

Status:	RESOLVED FIXED

Alias:	CVE-2017-14107

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://blogs.gentoo.org/ago/2017/09/...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:	CVE-2017-12858
	Show dependency tree

Reported:	2017-09-01 22:28 UTC by D'juan McDonald (domhnall)
Modified:	2017-10-24 02:55 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2017-12858
Package list:	dev-libs/libzip-1.3.0
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2017-09-01 22:28:08 UTC

The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.

CVE Details::(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14107)


see 628800

Comment 1 D'juan McDonald (domhnall) 2017-09-02 04:12:36 UTC

Upstream Patch:

https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5

Comment 2 Andreas Sturmlechner gentoo-dev

2017-09-02 08:49:21 UTC

1.2.0-r2 security revbump added in git commit 496ef5159327a6ec7726c0ec5ec849e16f416b7a

Comment 3 Yury German Gentoo Infrastructure

2017-09-03 05:17:06 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 4 Michael Palimaka (kensington) gentoo-dev

2017-09-03 05:17:50 UTC

Upstream released 1.3.0, let's target that instead.

Comment 5 Yury German Gentoo Infrastructure

2017-09-11 22:44:30 UTC

(In reply to Michael Palimaka (kensington) from comment #4)
> Upstream released 1.3.0, let's target that instead.

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-15 07:32:45 UTC

ia64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-09-20 10:00:03 UTC

amd64 stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-23 19:39:32 UTC

ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-24 18:51:30 UTC

ppc stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2017-10-22 21:52:21 UTC

Stable on alpha.

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-23 18:43:25 UTC

x86 stable

@ Maintainer(s): Please cleanup!

Comment 12 Andreas Sturmlechner gentoo-dev

2017-10-23 23:35:24 UTC

Thanks, cleanup done in git commit b4a9cb3e5493b414c2d671e6e5c1e8bcf084915c.

Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-24 00:31:38 UTC

Thank you all,

@Security please vote.

GLSA Vote: No