

Published: 04 July 2019

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

From the Ubuntu security team

Mike Salvatore discovered that FlightCrew mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem.



CVSS 3 base score: 7.8


Package Release Status
Upstream: Needed
Ubuntu 18.04 LTS (Bionic Beaver): Released (0.7.2+dfsg-10ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (0.7.2+dfsg-6ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist