CVE-2019-14452

Published: 30 July 2019

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

From the Ubuntu security team

Mike Salvatore discovered that Sigil mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem.
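The flaw described above is the classic "zip slip" pattern: an archive entry named with ../ components is joined onto the extraction directory without checking where the resulting path ends up. The following is an added example, not Sigil's code, showing the check an EPUB extractor needs: every entry name is normalised and rejected if it is absolute, carries a drive prefix, or climbs above the root, and the final resolved path is independently verified to lie inside the destination directory. The sample archive is constructed in memory and is not a real malicious file. Python's own zipfile.extract() has sanitised names since 3.3.1; the check is written out here so the logic a native extractor must implement is visible.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(name: str) -> bool:
    """True if a ZIP entry name stays inside the extraction root.

    Rejects absolute paths, Windows drive prefixes, and any name that,
    after normalisation, still begins with a '..' component.
    """
    if not name:
        return False
    # Treat backslashes as separators: some archivers write them, and a
    # naive extractor on Windows would honour them as directory separators.
    unix = name.replace("\\", "/")
    if unix.startswith("/"):
        return False
    first = unix.split("/", 1)[0]
    if len(first) == 2 and first[1] == ":" and first[0].isalpha():
        return False  # e.g. "C:" drive prefix
    norm = posixpath.normpath(unix)
    return norm != ".." and not norm.startswith("../")


def extract_checked(archive_bytes: bytes, dest_dir: str):
    """Extract only entries that resolve inside dest_dir.

    Returns (extracted, rejected) lists of entry names. The realpath check
    is a second, independent guard: even if is_safe_member missed a case,
    an entry whose final path lies outside dest_dir is never written.
    """
    root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_demo_epub() -> bytes:
    """Constructed sample: a minimal EPUB-like ZIP plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/content.opf", "<package/>")
        zf.writestr("../../evil.txt", "would land outside the extraction root")
        zf.writestr("..\\evil2.txt", "backslash variant of the same trick")
    return buf.getvalue()


def demo():
    """Extract the constructed sample into a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = extract_checked(build_demo_epub(), tmp)
        return sorted(extracted), sorted(rejected)


if __name__ == "__main__":
    print(demo())
```

The name-level check and the realpath check catch different mistakes: the first keeps obviously hostile names out of any log or error path, the second protects against cases the string logic did not anticipate, such as a symlinked directory created by an earlier entry in the same archive.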

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: sigil (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Released (0.9.16)
Ubuntu 18.04 LTS (Bionic Beaver)     Released (0.9.9+dfsg-1ubuntu0.1~esm1)
Ubuntu 16.04 LTS (Xenial Xerus)      Released (0.9.5+dfsg-0ubuntu1+esm1)
Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist