ZZIPlib through version 0.13.68 is vulnerable to a memory leak in unzzipcat-mem.c:unzzip_cat() and unzip-mem.c:main(), where a ZZIP_MEM_DISK is allocated but not released. An attacker could exploit this to cause a denial of service via a crafted zip file.

Upstream Issue:
https://github.com/gdraheim/zziplib/issues/40

Upstream Patches:
https://github.com/gdraheim/zziplib/commit/83a2da55922f67e07f22048ac9671a44cc0d35c4

Created zziplib tracking bugs for this issue:

Affects: fedora-all [bug 1554673]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3229 https://access.redhat.com/errata/RHSA-2018:3229