Reachable Assertion in zziplib.sourceforge.net ZZIPlib



Published: 2017-03-01 | Updated: 2020-08-03
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-5981
CWE-ID CWE-617
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		ZZIPlib
Universal components / Libraries / Libraries used by multiple products

Vendor zziplib.sourceforge.net

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Reachable Assertion

EUVDB-ID: #VU33262

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5981

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (assertion failure and crash) via a crafted ZIP file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ZZIPlib: 0.13.62

External links

http://www.debian.org/security/2017/dsa-3878
http://www.securityfocus.com/bid/96268
http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###