Bug 2373117 (CVE-2025-6196) - CVE-2025-6196 libgepub: Integer Overflow in libgepub's EPUB Archive Handling
Keywords:
Status: NEW
Alias: CVE-2025-6196
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2373118 2373122
Blocks:
Reported: 2025-06-17 06:52 UTC by OSIDB Bzimport
Modified: 2025-06-17 14:26 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-17 06:52:18 UTC
An integer overflow vulnerability exists in the EPUB archive parser of the libgepub library. In the gepub_archive_read_entry() function, a 64-bit size value from archive_entry_size() is incorrectly cast to a 32-bit signed integer (gint). When processing a specially crafted EPUB file with a large declared file size, the value can wrap into a negative integer. This is subsequently passed to g_malloc0(), resulting in a very large unsigned allocation attempt that fails and causes a crash.

This can lead to denial of service in applications using libgepub. The issue has been observed in desktop components such as tumbler, where merely browsing a directory containing a crafted EPUB file may trigger the bug. No known web-facing services are confirmed to be affected, but the library could be used in such contexts.
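
The narrowing described above, next to a size check done before any cast, as an added example that is not libgepub code and not the upstream fix. The helper names and the `MAX_ENTRY_BYTES` cap are assumptions, and `int32_t`/`size_t` stand in for `gint` and the allocator's unsigned size type.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-entry cap; choose one that fits the application. */
#define MAX_ENTRY_BYTES ((int64_t)256 * 1024 * 1024)

/* Pattern from the report: a 64-bit entry size narrowed to a 32-bit signed
 * int (gint). Out-of-range narrowing is implementation-defined in C; GCC and
 * Clang keep the low 32 bits. */
static int32_t narrowed_size(int64_t entry_size)
{
    return (int32_t)entry_size;
}

/* What an allocator taking an unsigned size receives when handed the
 * narrowed value: a negative int converts to a very large request. */
static size_t alloc_request(int64_t entry_size)
{
    return (size_t)narrowed_size(entry_size);
}

/* Hardened form: validate in 64-bit space before any narrowing.
 * Returns 0 and stores the size on success, -1 if it must be rejected. */
static int checked_entry_size(int64_t entry_size, size_t *out)
{
    if (entry_size < 0 || entry_size > MAX_ENTRY_BYTES)
        return -1;
    *out = (size_t)entry_size;
    return 0;
}

int main(void)
{
    /* Constructed sample: an entry header declaring 2 GiB. */
    int64_t declared = INT64_C(0x80000000);
    size_t ok = 0;

    printf("declared:  %" PRId64 "\n", declared);
    printf("narrowed:  %" PRId32 "\n", narrowed_size(declared));
    printf("requested: %zu bytes\n", alloc_request(declared));
    printf("checked:   %s\n",
           checked_entry_size(declared, &ok) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the entry on the checked path lets the caller skip the file and report an error instead of aborting inside the allocator.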

