Bug 629574 (CVE-2017-14107) - <dev-libs/libzip-1.2.0-r2: _zip_read_eocd64 function in zip_open.c in libzip mishandles EOCD records (CVE-2017-14107)
Status: RESOLVED FIXED
Alias: CVE-2017-14107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/09/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-12858
Reported: 2017-09-01 22:28 UTC by D'juan McDonald (domhnall)
Modified: 2017-10-24 02:55 UTC

See Also:
Package list:
dev-libs/libzip-1.3.0
Runtime testing required: ---
stable-bot: sanity-check+

Description D'juan McDonald (domhnall) 2017-09-01 22:28:08 UTC
The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14107


see 628800
Comment 1 D'juan McDonald (domhnall) 2017-09-02 04:12:36 UTC
Upstream Patch:

https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5
Comment 2 Andreas Sturmlechner gentoo-dev 2017-09-02 08:49:21 UTC
1.2.0-r2 security revbump added in git commit 496ef5159327a6ec7726c0ec5ec849e16f416b7a
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 05:17:06 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-09-03 05:17:50 UTC
Upstream released 1.3.0, let's target that instead.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-09-11 22:44:30 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> Upstream released 1.3.0, let's target that instead.

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-15 07:32:45 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-09-20 10:00:03 UTC
amd64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 19:39:32 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 18:51:30 UTC
ppc stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:52:21 UTC
Stable on alpha.
Comment 11 Thomas Deutschmann gentoo-dev 2017-10-23 18:43:25 UTC
x86 stable

@ Maintainer(s): Please cleanup!
Comment 12 Andreas Sturmlechner gentoo-dev 2017-10-23 23:35:24 UTC
Thanks, cleanup done in git commit b4a9cb3e5493b414c2d671e6e5c1e8bcf084915c.
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-24 00:31:38 UTC
Thank you all,

@Security please vote.

GLSA Vote: No