PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5976 Gdraheim CVE debrief

CVE-2017-5976 is a heap-based buffer overflow in zziplib's zzip_mem_entry_extra_block function in memdisk.c. The issue can be triggered by a crafted ZIP file and is primarily a denial-of-service risk due to process crash. NVD classifies the weakness as CWE-787 and rates the impact as availability-only with high availability impact.

Vendor: Gdraheim
Product: CVE-2017-5976
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Administrators and developers who ship or embed zziplib, plus any product that opens, inspects, or extracts untrusted ZIP files using affected zziplib releases. Debian 8.0 and 9.0 are listed in the NVD CPE set, so packaged deployments should also verify whether their distro backport includes a fix.

Technical summary

The vulnerable code path is in zzip_mem_entry_extra_block within memdisk.c. NVD lists affected zziplib versions 0.13.56 through 0.13.62 and maps the issue to CWE-787 (out-of-bounds write). The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: no confidentiality or integrity impact, high availability impact (a crash), and user interaction required. The record description says remote attackers can cause a denial of service via a crafted ZIP file, while the CVSS vector indicates that practical exploitation depends on a local parsing context and on a user opening or otherwise processing the archive.

Defensive priority

Medium overall; raise to high for systems that automatically process untrusted ZIP archives, run with elevated privileges, or expose archive handling in a service or desktop workflow.

Recommended defensive actions

  • Upgrade zziplib to a version that includes the vendor fix or a distribution backport, and confirm the fix in your packaged build.
  • Inventory applications and libraries that depend on zziplib, including indirect dependencies in archive viewers, installers, and document-processing tools.
  • Treat untrusted ZIP files as hostile: disable or gate automatic archive processing where possible.
  • Run archive-processing components with least privilege and, where feasible, isolate them with sandboxing or container controls.
  • Monitor for crashes in ZIP-handling code paths and use crash reports to confirm whether affected versions are still deployed.
  • If you maintain software that embeds zziplib, add regression tests and fuzz coverage around memdisk.c archive parsing paths.
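As an added example for the technical summary and for the regression-test item above (this is illustrative code written for this debrief, not zziplib's zzip_mem_entry_extra_block and not a reproduction of the bug): a bounded walker over a ZIP extra-field region. The block layout is the public PKWARE APPNOTE format (2-byte little-endian header ID, 2-byte payload size, payload), and the code shows the two checks a parser in this class must pass before trusting a declared size: the 4-byte header must fit in the remaining input, and the declared payload must fit both the remaining input and the destination buffer it is copied into. The function names and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 16-bit read; the caller guarantees two bytes are available. */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walks the extra-field region and counts well-formed blocks.
 * Returns -1 if a header is truncated or a block's declared size
 * would run past the end of the buffer (the CWE-787 precondition). */
int count_extra_blocks(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 4)                  /* not enough bytes for ID + size */
            return -1;
        uint16_t size = le16(buf + off + 2);
        if (size > len - off - 4)           /* declared payload exceeds input */
            return -1;
        off += 4 + (size_t)size;
        n++;
    }
    return n;
}

/* Copies the payload of the first block whose header ID equals want_id
 * into out. Returns the payload length, 0 if no such block exists, or
 * -1 on malformed input or if the payload would not fit in outcap bytes.
 * Bounds are validated before the ID is compared, so a malformed block
 * is rejected even when it is not the one being looked for. */
int copy_extra_block(const uint8_t *buf, size_t len, uint16_t want_id,
                     uint8_t *out, size_t outcap)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4)
            return -1;
        uint16_t id = le16(buf + off);
        uint16_t size = le16(buf + off + 2);
        if (size > len - off - 4)
            return -1;
        if (id == want_id) {
            if ((size_t)size > outcap)      /* destination too small: refuse, never write */
                return -1;
            memcpy(out, buf + off + 4, size);
            return (int)size;
        }
        off += 4 + (size_t)size;
    }
    return 0;
}

/* Constructed samples (not from any real archive). */
/* Two blocks: ID 0x0001 size 2 "AB", then ID 0x5455 size 1 "x". */
static const uint8_t GOOD[] = {0x01, 0x00, 0x02, 0x00, 'A', 'B',
                               0x55, 0x54, 0x01, 0x00, 'x'};
static const size_t GOOD_LEN = sizeof(GOOD);
/* One block claiming a 65535-byte payload with only 2 bytes present. */
static const uint8_t BAD_SIZE[] = {0x01, 0x00, 0xFF, 0xFF, 'A', 'B'};
static const size_t BAD_SIZE_LEN = sizeof(BAD_SIZE);
/* Header cut off after three bytes. */
static const uint8_t BAD_TRUNC[] = {0x01, 0x00, 0x02};
static const size_t BAD_TRUNC_LEN = sizeof(BAD_TRUNC);

/* Scratch destination used by the demo and the regression checks. */
static uint8_t scratch[8];

int main(void)
{
    printf("well-formed blocks : %d\n", count_extra_blocks(GOOD, GOOD_LEN));
    printf("oversized block    : %d\n", count_extra_blocks(BAD_SIZE, BAD_SIZE_LEN));
    printf("truncated header   : %d\n", count_extra_blocks(BAD_TRUNC, BAD_TRUNC_LEN));
    printf("copy of ID 0x5455  : %d\n",
           copy_extra_block(GOOD, GOOD_LEN, 0x5455, scratch, sizeof scratch));
    return 0;
}
```

The three constructed inputs are the shape of cases worth keeping as fixed regression tests and as fuzz-corpus seeds for any archive-parsing unit: a well-formed region, a declared size larger than the remaining input, and a truncated header. The copy routine returns -1 rather than writing when the destination is too small, which is the write-side check that distinguishes a clean parse failure from a heap overflow.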

Evidence notes

The CVE was published on 2017-03-01 and later modified in the NVD record on 2026-05-13; timing context here uses the published CVE date. Evidence in the supplied corpus includes the official CVE record, the NVD detail page, Debian security advisory DSA-3878, an oss-security mailing list reference, a SecurityFocus entry, and a Gentoo blog advisory referencing the heap overflow. The corpus also contains a description/CVSS-vector mismatch: the textual description says remote attackers, while the CVSS vector indicates local attack conditions with user interaction.

Official resources

Official CVE published 2017-03-01. NVD record last modified 2026-05-13. This debrief intentionally omits exploit details and uses only the supplied official and referenced sources.