CVE-2018-13410

Published: 6 July 2018

** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.

Priority

Low

CVSS 3 base score: 9.8

Status

Package: zip (Launchpad, Ubuntu, Debian)

Release    Status         Reason
artful     Ignored        reached end-of-life
bionic     Ignored        disputed
cosmic     Ignored        reached end-of-life
disco      Ignored        reached end-of-life
eoan       Ignored        reached end-of-life
focal      Ignored        disputed
groovy     Ignored        reached end-of-life
hirsute    Ignored        reached end-of-life
impish     Ignored        disputed
jammy      Ignored        disputed
precise    Ignored        end of ESM support, was needs-triage
trusty     Ignored        disputed
upstream   Needs triage
xenial     Ignored        disputed

Notes

Author: rodrigo-zaiden

Note: SUSE does not have plans to fix it and Debian marked it as
negligible.
There is no obvious security impact since there are no
scenarios where an untrusted party controls the -TT input value.
Ubuntu is ignoring it as it is being disputed and there is
no update as of 2022-02-01.
