SB2017090731 - Resource exhaustion in libzip (Alpine package)
Published: September 7, 2017
Security Bulletin ID
SB2017090731
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2017-14107)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to a boundary error when processing EOCD
records in _zip_read_eocd64() function in zip_open.c in libzip. A remote
attacker can create a specially crafted ZIP archive, trick the victim
into opening it and consume all available memory on the system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5013382dd6bc02ba3a3e2069cb1ddd7c7ba7726a
- https://git.alpinelinux.org/aports/commit/?id=47bb26fb2b8fefcfbdd1cadcc7ad4efc3d994806
- https://git.alpinelinux.org/aports/commit/?id=a5d68c47df1d5ceb3012f7bd47e0cbcc961cf69f
- https://git.alpinelinux.org/aports/commit/?id=8600ad8feb1cb96843315aa76e0b2ac0deec0dc4