The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive. CVE Details::(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14107) see 628800
Upstream Patch: https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5
1.2.0-r2 security revbump added in git commit 496ef5159327a6ec7726c0ec5ec849e16f416b7a
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Upstream released 1.3.0, let's target that instead.
(In reply to Michael Palimaka (kensington) from comment #4) > Upstream released 1.3.0, let's target that instead. Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
ia64 stable
amd64 stable
ppc64 stable
ppc stable
Stable on alpha.
x86 stable @ Maintainer(s): Please cleanup!
Thanks, cleanup done in git commit b4a9cb3e5493b414c2d671e6e5c1e8bcf084915c.
Thank you all, @Security please vote. GLSA Vote: No