Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201711-13 ========================================= Severity: High Date : 2017-11-07 CVE-ID : CVE-2017-12858 Package : libzip Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-390 Summary ====== The package libzip before version 1.3.0-1 is vulnerable to arbitrary code execution. Resolution ========= Upgrade to 1.3.0-1. # pacman -Syu "libzip>=1.3.0-1" The problem has been fixed upstream in version 1.3.0. Workaround ========= None. Description ========== Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to execute arbitrary code via a crafted zip file. Impact ===== A remote attacker can execute arbitrary code on the affected host by tricking the user or an application using libzip into opening a crafted zip file. References ========= https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796 https://security.archlinux.org/CVE-2017-12858