Denial of service in ZZIPlib



Published: 2018-03-14 | Updated: 2021-01-05
Risk: Low
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2018-7727, CVE-2018-7725, CVE-2018-7726
CWE-ID: CWE-401, CWE-119
Exploitation vector: Local
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available.
Vulnerable software: ZZIPlib (Universal components / Libraries / Libraries used by multiple products)
Vendor: zziplib.sourceforge.net

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU11083

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-7727

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The weakness exists in the zzip_mem_disk_new function due to a boundary error. A local attacker can send specially crafted input, trigger memory leaks and cause the service to crash.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

ZZIPlib: 0.13.68

External links

http://github.com/gdraheim/zziplib/issues/40


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Memory corruption

EUVDB-ID: #VU11084

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-7725

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The weakness exists in the zzip_disk_fread function due to a boundary error. A local attacker can send specially crafted input, trigger an invalid memory address dereference and cause the service to crash.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

ZZIPlib: 0.13.68

External links

http://github.com/gdraheim/zziplib/issues/39


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

3) Memory corruption

EUVDB-ID: #VU11085

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-7726

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The weakness exists in the __zzip_parse_root_directory function due to a boundary error. A local attacker can supply a specially crafted .zip file to be processed, trigger a bus error and cause the service to crash.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

ZZIPlib: 0.13.68

External links

http://github.com/gdraheim/zziplib/issues/41


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


