660606 – (CVE-2018-13410) app-arch/zip: Denial of Service

Bug 660606 (CVE-2018-13410) - app-arch/zip: Denial of Service

Summary: app-arch/zip: Denial of Service

Status:	RESOLVED INVALID

Alias:	CVE-2018-13410

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/fulldisclosure/20...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-07-07 17:46 UTC by Florian Schuhmacher
Modified:	2019-04-27 05:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Schuhmacher 2018-07-07 17:46:24 UTC

** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.

Gentoo Security Scout
Florian Schuhmacher

Comment 1 Yury German Gentoo Infrastructure

2019-04-27 05:12:44 UTC

This is disputed, not only by upstream but by most other distress.

Closing