CVE-2018-6869
An uncontrolled memory allocation was found in ZZIPlib that could lead to a crash in the __zzip_parse_root_directory function of zzip/zip.c if the package is compiled with Address Sanitizer. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.
Find out more about CVE-2018-6869 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat Product Security has rated this issue as having security impact of Low. This issue does not affect the versions of ZZIPlib as shipped in Red Hat Enterprise Linux 7, unless the package is recompiled with Address Sanitizer. The flaw is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 4.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | Low |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | zziplib | Will not fix |