Vulnerability Description
The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libzip | Libzip | < 1.3.0 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip (Patch, Third Party Advisory, VDB Entry)
- https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/12/msg00022.html (Mailing List, Third Party Advisory)
FAQ
What is CVE-2017-14107?
CVE-2017-14107 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.
How severe is CVE-2017-14107?
CVE-2017-14107 has been rated MEDIUM with a CVSS base score of 6.5/10. See the CVSS score section above.
Is there a patch for CVE-2017-14107?
Check the references section above for vendor advisories and patch information, including the upstream libzip commit that fixes the issue. Affected products: libzip before 1.3.0 and Debian Linux 9.0.