ASA-201801-17 generated external raw

[ASA-201801-17] zziplib: denial of service
Arch Linux Security Advisory ASA-201801-17 ========================================== Severity: Medium Date : 2018-01-18 CVE-ID : CVE-2017-5977 CVE-2017-5978 Package : zziplib Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-273 Summary ======= The package zziplib before version 0.13.67-1 is vulnerable to denial of service. Resolution ========== Upgrade to 0.13.67-1. # pacman -Syu "zziplib>=0.13.67-1" The problems have been fixed upstream in version 0.13.67. Workaround ========== None. Description =========== - CVE-2017-5977 (denial of service) The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted ZIP file. - CVE-2017-5978 (denial of service) The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted ZIP file. Impact ====== A remote attacker is able to use a specially crafted zip archive to crash the application. References ========== https://bugs.archlinux.org/task/53133 http://www.openwall.com/lists/oss-security/2017/02/14/3 https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/ https://github.com/gdraheim/zziplib/commit/9e8f867a976311a3e5fb0184c947e22ec35f2fcb https://github.com/gdraheim/zziplib/commit/1e5b1ac48186e34e871945769623becfa3650956 https://github.com/gdraheim/zziplib/issues/3 https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/ https://github.com/gdraheim/zziplib/commit/98403bb3c0661e56a2185777fd244ba3a67bc220 https://security.archlinux.org/CVE-2017-5977 https://security.archlinux.org/CVE-2017-5978