PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5975 Gdraheim CVE debrief

CVE-2017-5975 is a heap-based buffer overflow in zziplib’s __zzip_get64 function in fetch.c. According to NVD, affected versions include zziplib 0.13.56 through 0.13.62. The documented impact is denial of service: a crafted ZIP file can cause a crash. NVD maps the weakness to CWE-787 and rates the issue as medium severity.

Vendor
Gdraheim
Product
CVE-2017-5975
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Teams that ship, embed, or package zziplib, especially software that opens untrusted ZIP files. Debian users and administrators should also review distro security guidance, since the NVD criteria list Debian 8.0 and 9.0 as affected.

Technical summary

NVD describes a heap-based buffer overflow in __zzip_get64 within fetch.c. The CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a user-interaction-required issue with high availability impact. The vulnerability is associated with crafted ZIP input and is listed for zziplib versions 0.13.56, 0.13.57, 0.13.58, 0.13.59, 0.13.60, 0.13.61, and 0.13.62.

Defensive priority

Medium. It is a crash/DoS issue rather than a confidentiality or integrity issue, but it affects archive parsing and may be reachable wherever untrusted ZIP content is processed.

Recommended defensive actions

  • Identify all products and packages that depend on zziplib and confirm whether they include affected versions 0.13.56 through 0.13.62.
  • Apply the vendor or distribution fix referenced by Debian security advisory DSA-3878 or equivalent upstream packaging updates.
  • Restrict or sandbox processing of untrusted ZIP files until patched versions are deployed.
  • Add monitoring for crashes or abnormal terminations in components that parse ZIP archives.
  • If you maintain a downstream package, rebuild against the patched zziplib release provided by your distribution or upstream maintainer.
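A starting point for the first two actions above, as an added example that is not part of this debrief or of zziplib itself: a Python check that reads dpkg-style `package<TAB>version` lines and flags zziplib packages whose upstream version falls in the affected 0.13.56 through 0.13.62 range. The sample package lines are constructed, and the input format is assumed to be that of `dpkg-query -W -f='${Package}\t${Version}\n'`.

```python
import re

# Affected upstream zziplib versions, as listed in the NVD record quoted in this debrief.
AFFECTED_MIN = (0, 13, 56)
AFFECTED_MAX = (0, 13, 62)


def parse_debian_version(version: str):
    """Split a Debian version 'epoch:upstream-revision' into (epoch, upstream, revision).
    Epoch defaults to 0 and revision to '' when absent; the last '-' separates the revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no revision: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def upstream_tuple(upstream: str):
    """Numeric prefix of the upstream version, e.g. '0.13.62' -> (0, 13, 62).
    A non-numeric tail such as '62~rc1' contributes only its leading digits."""
    parts = []
    for piece in upstream.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the upstream part of a Debian version string lies in the affected range."""
    _, upstream, _ = parse_debian_version(version)
    return AFFECTED_MIN <= upstream_tuple(upstream) <= AFFECTED_MAX


def find_affected(dpkg_lines):
    """Return (package, version) pairs for zziplib packages in the affected range."""
    hits = []
    for line in dpkg_lines:
        line = line.strip()
        if not line:
            continue
        pkg, _, ver = line.partition("\t")
        if "zzip" in pkg and is_affected_version(ver):
            hits.append((pkg, ver))
    return hits


# Constructed sample inventory (not real host data) for a stand-alone run.
SAMPLE_DPKG = [
    "libzzip-0-13\t0.13.62-3",
    "zziplib-bin\t0.13.62-3",
    "libzip4\t1.1.2-1.1",
    "libzzip-dev\t0.13.63-1",
]

if __name__ == "__main__":
    for pkg, ver in find_affected(SAMPLE_DPKG):
        print(f"review: {pkg} {ver}")
```

A flagged package still needs to be checked against DSA-3878 or the distribution changelog, because a distribution may ship the fix as a new revision of the same upstream version.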

Evidence notes

The CVE was published on 2017-03-01. Earlier public references in the corpus include a Gentoo technical write-up dated 2017-02-09, an oss-security mailing list post dated 2017-02-14, Debian security advisory DSA-3878, and SecurityFocus BID 96268. NVD’s current record also lists the affected zziplib versions and the CVSS v3.1 vector.

Official resources

Publicly disclosed in the source corpus before or by CVE publication on 2017-03-01, with public discussion appearing in February 2017 references.