A flaw was found in ZZIPlib prior to version 0.13.68. There is an uncontrolled memory allocation and, when the library is compiled with AddressSanitizer v4, a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.
Upstream issue: https://github.com/gdraheim/zziplib/issues/22
Upstream patch: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3
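The following is an added illustration of the class of bug described above; it is not zziplib's code and not the upstream patch. It models the general shape of an uncontrolled allocation while parsing a zip central directory: the entry count and directory size are read from the untrusted end-of-central-directory (EOCD) record at the tail of the file and, in the unchecked variant, directly determine the allocation request. The checked variant refuses any count that could not physically fit in the file. EOCD field offsets follow the ZIP format; the 46-byte minimum size of a central directory header used as the bound is an assumption of this example (a common hardening, not zziplib's exact check), and the "crafted archive" is a constructed 22-byte buffer.

```c
/* Added example, not zziplib code. Models an EOCD-driven allocation and
 * a bounded alternative. Assumption: each central directory header is at
 * least 46 bytes, so entries * 46 can never exceed the declared directory. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EOCD_SIG      0x06054b50u
#define EOCD_LEN      22          /* fixed EOCD size without a comment  */
#define CDIR_HDR_MIN  46          /* fixed part of a central dir header */

struct eocd {
    uint16_t entries;   /* total entries in the central directory */
    uint32_t cd_size;   /* declared size of the central directory */
    uint32_t cd_off;    /* declared offset of the central directory */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Parse the EOCD at the tail of a comment-less archive. 0 on success. */
int parse_eocd(const uint8_t *buf, size_t len, struct eocd *out) {
    if (len < EOCD_LEN) return -1;
    const uint8_t *p = buf + len - EOCD_LEN;
    if (rd32(p) != EOCD_SIG) return -1;
    out->entries = rd16(p + 10);
    out->cd_size = rd32(p + 12);
    out->cd_off  = rd32(p + 16);
    return 0;
}

/* Uncontrolled variant: whatever the file claims becomes the request size.
 * With ASan this is the path that trips the huge-allocation report. */
size_t alloc_size_unchecked(const struct eocd *e, size_t per_entry) {
    return (size_t)e->entries * per_entry;
}

/* Bounded variant: the declared directory must lie inside the file, the
 * entry count must fit inside the declared directory, and the product
 * must not overflow. Only then is an allocation size produced. */
int alloc_size_checked(const struct eocd *e, size_t file_len,
                       size_t per_entry, size_t *out) {
    if (e->cd_off > file_len || e->cd_size > file_len - e->cd_off) return -1;
    if ((size_t)e->entries * CDIR_HDR_MIN > e->cd_size) return -1;
    if (per_entry && e->entries > SIZE_MAX / per_entry) return -1;
    *out = (size_t)e->entries * per_entry;
    return 0;
}

/* Constructed sample data: write an EOCD into the last 22 bytes of buf. */
static void put_eocd(uint8_t *buf, size_t len, uint16_t entries,
                     uint32_t cd_size, uint32_t cd_off) {
    uint8_t *p = buf + len - EOCD_LEN;
    memset(p, 0, EOCD_LEN);
    wr32(p, EOCD_SIG);
    wr16(p + 8, entries);      /* entries on this disk */
    wr16(p + 10, entries);     /* total entries */
    wr32(p + 12, cd_size);
    wr32(p + 16, cd_off);
}

/* Constructed crafted archive: 22 bytes that are nothing but an EOCD
 * claiming 65535 entries and a 4 GiB central directory. */
static int crafted(struct eocd *e) {
    uint8_t buf[EOCD_LEN];
    put_eocd(buf, sizeof buf, 0xffff, 0xffffffffu, 0);
    return parse_eocd(buf, sizeof buf, e);
}

/* Bytes the unchecked path would request for the crafted archive. */
size_t crafted_unchecked_bytes(size_t per_entry) {
    struct eocd e;
    if (crafted(&e) != 0) return 0;
    return alloc_size_unchecked(&e, per_entry);
}

/* 1 if the checked path refuses the crafted archive. */
int crafted_is_rejected(size_t per_entry) {
    struct eocd e; size_t n;
    if (crafted(&e) != 0) return 0;
    return alloc_size_checked(&e, EOCD_LEN, per_entry, &n) == -1;
}

/* Consistent constructed layout (one 46-byte header, then the EOCD):
 * returns the checked allocation size, or 0 if refused. */
size_t valid_checked_bytes(size_t per_entry) {
    uint8_t buf[CDIR_HDR_MIN + EOCD_LEN];
    struct eocd e; size_t n = 0;
    memset(buf, 0, sizeof buf);
    put_eocd(buf, sizeof buf, 1, CDIR_HDR_MIN, 0);
    if (parse_eocd(buf, sizeof buf, &e) != 0) return 0;
    if (alloc_size_checked(&e, sizeof buf, per_entry, &n) != 0) return 0;
    return n;
}
```

The bound is what stops the denial of service independent of the allocator: a 22-byte file cannot contain 65535 directory headers, so the request is refused before any malloc is attempted, whereas the unchecked path happily computes 65535 * per_entry bytes and leaves it to the allocator (and, under ASan, to allocator_may_return_null) to decide what happens.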
Created zziplib tracking bugs for this issue: Affects: fedora-all [bug 1543942]
Patch: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3
In [1] it is stated that version 0.13.68 is affected as well, but after further analysis we could not reproduce the issue there. Moreover, the crash happens only when the library is compiled with AddressSanitizer v4, which reports an error when it tries to allocate a huge amount of memory [2]. When the library is compiled with AddressSanitizer v5 and the option `allocator_may_return_null=1` is used, the library correctly handles the malformed zip.
[1] https://github.com/gdraheim/zziplib/issues/22
[2] https://github.com/google/sanitizers/issues/889
Statement: Red Hat Product Security has rated this issue as having a security impact of Low. This issue does not affect the versions of ZZIPlib as shipped in Red Hat Enterprise Linux 7, unless the package is recompiled with AddressSanitizer. The flaw is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.