Memory leak in zziplib (Alpine package)

1) Memory leak

EUVDB-ID: #VU14700

Risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-16548

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to a memory leak in the __zzip_parse_root_directory function, as defined in the zip.c source code file. A local attacker can supply specially crafted input and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

zziplib (Alpine package): 0.13.66-r0 - 0.13.69-r2

CPE2.3

• cpe:2.3:o:alpine:zziplib_alpine_package:0.13.66-r0:*:*:*:*:alpine_linux:*:3.6
• cpe:2.3:o:alpine:zziplib_alpine_package:0.13.67-r0:*:*:*:*:alpine_linux:*:3.4
• cpe:2.3:o:alpine:zziplib_alpine_package:0.13.67-r1:*:*:*:*:alpine_linux:*:3.5

External links

https://git.alpinelinux.org/aports/commit/?id=32fe19c40e22ff217cc307569058a3d044b28f74
https://git.alpinelinux.org/aports/commit/?id=e8bb72e97b585f0525711395744a1299099465fd
https://git.alpinelinux.org/aports/commit/?id=a6036af519fc3513c23839868b5d371e556dd04a
https://git.alpinelinux.org/aports/commit/?id=ece6bfda34b9d7efde7f455ad7eb4e64a50a7117
https://git.alpinelinux.org/aports/commit/?id=8068beb7764186e23ef3384d64b0a90bb0523d60
https://git.alpinelinux.org/aports/commit/?id=c900bcd2c9de78c13b43a2a598d47e035c1cb1f7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.