Main Vulnerability Database SB2017090110

SB2017090110 - Denial of service in libzip

Published: September 1, 2017 Updated: August 3, 2020

Security Bulletin ID SB2017090110

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2017-14107)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing EOCD records in _zip_read_eocd64() function in zip_open.c in libzip. A remote attacker can create a specially crafted ZIP archive, trick the victim into opening it and consume all available memory on the system.

Remediation

Install update from vendor's website.

References

https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/
https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5