Lucene search

Gentoo FoundationGLSA-200704-05

HistoryApr 03, 2007 - 12:00 a.m.

zziplib: Buffer Overflow

2007-04-0300:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.062

Percentile

93.6%

JSON

Background

The zziplib library is a lightweight library for extracting data from files archived in a single zip file.

Description

dmcox dmcox discovered a boundary error in the zzip_open_shared_io() function from zzip/file.c .

Impact

A remote attacker could entice a user to run a zziplib function with an overly long string as an argument which would trigger the buffer overflow and may lead to the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All zziplib users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=dev-libs/zziplib-0.13.49"

OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-libs/zziplib< 0.13.49UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	dev-libs/zziplib	< 0.13.49	UNKNOWN

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.062

Percentile

93.6%

JSON

Related for GLSA-200704-05