CVE-2019-13453

Published: 15 July 2019

Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().

From the Ubuntu security team

Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources.

Priority: Medium

CVSS 3 base score: 6.5

Status

Package: flightcrew (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (0.7.2+dfsg-6ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver)   Released (0.7.2+dfsg-10ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus)    Released (0.7.2+dfsg-6ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://github.com/Sigil-Ebook/flightcrew/commit/5b8e9309bbdf4c15fd8b3b8162d66141f0459c5b
Package: zipios++ (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (0.1.5.9+cvs.2007.04.28-5.2ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver)   Released (0.1.5.9+cvs.2007.04.28-10ubuntu0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus)    Released (0.1.5.9+cvs.2007.04.28-5.2ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch