Bug 1545813 - zziplib: improper fix for CVE-2018-6869 and CVE-2018-6484
Summary: zziplib: improper fix for CVE-2018-6869 and CVE-2018-6484
Keywords:
Status: CLOSED DUPLICATE of bug 1554672
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1545818 1545819
Blocks: 1543953
TreeView+ depends on / blocked
 
Reported: 2018-02-15 15:44 UTC by Riccardo Schirone
Modified: 2021-02-17 00:49 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-03-21 08:21:48 UTC
Embargoed:

Attachments (Terms of Use)

Description Riccardo Schirone 2018-02-15 15:44:07 UTC 
It was discovered that the original fix for CVE-2018-6869 did not fully correct
CVE-2018-6484 and CVE-2018-6869. Function __zzip_fetch_disk_trailer uses signed
comparisons to check untrusted values which, in some configurations, are later
used in __zzip_parse_root_directory as parameter to mmap. Remote attackers
could leverage this vulnerability to cause a Denial of Service via a crafted
zip file.

Upstream issue:
https://github.com/gdraheim/zziplib/issues/27

Upstream patch:
https://github.com/gdraheim/zziplib/commit/8f48323c181e20b7e527b8be7229d6eb1148ec5f
Comment 1 Riccardo Schirone 2018-02-15 15:44:09 UTC 
Acknowledgments:

Name: Riccardo Schirone (Red Hat)
Comment 2 Riccardo Schirone 2018-02-15 15:48:54 UTC 
Created zziplib tracking bugs for this issue:

Affects: fedora-all [bug 1545819]
Comment 4 Riccardo Schirone 2018-03-21 08:21:48 UTC 
Closing this as it triggers the same vulnerability as CVE-2018-7726.

*** This bug has been marked as a duplicate of bug 1554672 ***
Note You need to log in before you can comment on or make changes to this bug.