Subject: [ASA-201801-17] zziplib: denial of service

Arch Linux Security Advisory ASA-201801-17
==========================================

Severity: Medium
Date    : 2018-01-18
CVE-ID  : CVE-2017-5977 CVE-2017-5978
Package : zziplib
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-273

Summary
=======

The package zziplib before version 0.13.67-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.13.67-1.

# pacman -Syu "zziplib>=0.13.67-1"

The problems have been fixed upstream in version 0.13.67.

Workaround
==========

None.

Description
===========

- CVE-2017-5977 (denial of service)

The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62
allows remote attackers to cause a denial of service (invalid memory read
and crash) via a crafted ZIP file.

- CVE-2017-5978 (denial of service)

The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows
remote attackers to cause a denial of service (out-of-bounds read and
crash) via a crafted ZIP file.

Impact
======

A remote attacker is able to use a specially crafted ZIP archive to crash
any application that opens it with the vulnerable zziplib.

References
==========

https://bugs.archlinux.org/task/53133
http://www.openwall.com/lists/oss-security/2017/02/14/3
https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/
https://github.com/gdraheim/zziplib/commit/9e8f867a976311a3e5fb0184c947e22ec35f2fcb
https://github.com/gdraheim/zziplib/commit/1e5b1ac48186e34e871945769623becfa3650956
https://github.com/gdraheim/zziplib/issues/3
https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/
https://github.com/gdraheim/zziplib/commit/98403bb3c0661e56a2185777fd244ba3a67bc220
https://security.archlinux.org/CVE-2017-5977
https://security.archlinux.org/CVE-2017-5978
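The two Description entries above are both out-of-bounds reads triggered by a crafted archive, the usual root cause being a length field read from the ZIP file and trusted without checking it against the bytes actually present. The block below is an added illustration, not zziplib's code and not the upstream fix: it walks a ZIP "extra field" (the standard layout of 2-byte header ID, 2-byte data size, payload, repeated) once naively and once with the remaining-length checks that make a crafted size harmless. The sample extra field, the function names and the return conventions are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A ZIP extra field is a sequence of records:
 *   uint16 header_id (LE), uint16 data_size (LE), data_size payload bytes.
 * Both 16-bit values come straight from the archive, so an attacker
 * controls them. */

struct extra_block {
    size_t data_off;   /* offset of the payload inside the extra field */
    size_t data_len;   /* declared payload length */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Naive lookup (constructed illustration of the unchecked pattern): it
 * believes data_size and hands the caller a span that may extend past the
 * end of the field. This demo only reads record headers that fully lie in
 * the buffer; the out-of-bounds access happens when a caller later reads
 * data_len bytes from data_off. Returns 1 if found, 0 if absent. */
int extra_find_naive(const uint8_t *buf, size_t len, uint16_t id,
                     struct extra_block *out)
{
    size_t off = 0;
    while (off < len) {
        uint16_t hid  = le16(buf + off);
        uint16_t size = le16(buf + off + 2);
        if (hid == id) {
            out->data_off = off + 4;
            out->data_len = size;
            return 1;
        }
        off += 4u + size;           /* trusts size: may jump far past len */
    }
    return 0;
}

/* Hardened lookup: every length is compared with the bytes remaining
 * before it is used. Returns 1 if found, 0 if absent, -1 if the field is
 * malformed (truncated header, or a record whose size overruns the field). */
int extra_find_checked(const uint8_t *buf, size_t len, uint16_t id,
                       struct extra_block *out)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4)
            return -1;              /* header would read past the end */
        uint16_t hid  = le16(buf + off);
        uint16_t size = le16(buf + off + 2);
        size_t remaining = len - off - 4;
        if (size > remaining)
            return -1;              /* declared payload overruns the field */
        if (hid == id) {
            out->data_off = off + 4;
            out->data_len = size;
            return 1;
        }
        off += 4u + size;           /* safe: size <= remaining */
    }
    return 0;
}

/* True if the span a lookup returned lies inside a field of `len` bytes. */
int extra_span_in_bounds(size_t len, const struct extra_block *b)
{
    return b->data_off <= len && b->data_len <= len - b->data_off;
}

/* Constructed sample: a well-formed 0x5455 (extended timestamp) record
 * followed by a 0x7875 record whose header claims 65535 payload bytes
 * although the field ends right after the header. */
static const uint8_t CRAFTED_EXTRA[] = {
    0x55, 0x54, 0x05, 0x00, 0x03, 0x78, 0x56, 0x34, 0x12,   /* id 0x5455, size 5 */
    0x75, 0x78, 0xFF, 0xFF                                  /* id 0x7875, size 65535 */
};
#define CRAFTED_EXTRA_LEN (sizeof(CRAFTED_EXTRA))

int main(void)
{
    struct extra_block b;
    if (extra_find_naive(CRAFTED_EXTRA, CRAFTED_EXTRA_LEN, 0x7875, &b))
        printf("naive: payload at %zu, %zu bytes, in bounds: %s\n",
               b.data_off, b.data_len,
               extra_span_in_bounds(CRAFTED_EXTRA_LEN, &b) ? "yes" : "NO");
    printf("checked: %d (expected -1 for a malformed field)\n",
           extra_find_checked(CRAFTED_EXTRA, CRAFTED_EXTRA_LEN, 0x7875, &b));
    return 0;
}
```

The point of the checked variant is that a rejection (-1) is distinct from "not found" (0): an archive whose extra field cannot be walked to its end is malformed and should be refused, not silently treated as lacking the record. Passing a truncated field (for instance the same bytes with `len` cut to 11, mid-header) exercises the first check; the crafted size exercises the second.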