CVE-2019-13453
Published: 15 July 2019
Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().
From the Ubuntu Security Team
Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources.
Priority
Status
Package | Release | Status |
---|---|---|
flightcrew (Launchpad, Ubuntu, Debian) | bionic | Released (0.7.2+dfsg-10ubuntu0.1) |
flightcrew | cosmic | Released (0.7.2+dfsg-12ubuntu0.1) |
flightcrew | disco | Released (0.7.2+dfsg-13ubuntu0.19.04.1) |
flightcrew | trusty | Does not exist |
flightcrew | upstream | Released (0.7.2+dfsg-6ubuntu0.1) |
flightcrew | xenial | Released (0.7.2+dfsg-6ubuntu0.1) |
flightcrew | Patches | upstream: https://github.com/Sigil-Ebook/flightcrew/commit/5b8e9309bbdf4c15fd8b3b8162d66141f0459c5b |
zipios++ (Launchpad, Ubuntu, Debian) | bionic | Released (0.1.5.9+cvs.2007.04.28-10ubuntu0.18.04.1) |
zipios++ | cosmic | Released (0.1.5.9+cvs.2007.04.28-10ubuntu0.18.10.1) |
zipios++ | disco | Released (0.1.5.9+cvs.2007.04.28-10ubuntu0.19.04.1) |
zipios++ | upstream | Released (0.1.5.9+cvs.2007.04.28-5.2ubuntu0.16.04.1) |
zipios++ | xenial | Released (0.1.5.9+cvs.2007.04.28-5.2ubuntu0.16.04.1) |
zipios++ | trusty | Released (0.1.5.9+cvs.2007.04.28-5.1ubuntu0.14.04.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
zipios++ | Patches | upstream: https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13453
- https://ubuntu.com/security/notices/USN-4055-1
- https://ubuntu.com/security/notices/USN-4057-1
- https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3/
- https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/
- https://github.com/Sigil-Ebook/flightcrew/issues/54
- NVD
- Launchpad
- Debian