CVE-2012-1163
Published 2012-07-12
CVE-2012-1163: Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values…
Priority: P434 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 2.57% (83.2th percentile)
Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values for the central directory in a zip archive, which triggers "improper restrictions of operations within the bounds of a memory buffer" and an information leak.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libzip | < libzip 0.10.1-1 (bookworm) | libzip 0.10.1-1 (bookworm) |
| libzip | libzip | >= 0 < 0.10.1-1 | 0.10.1-1 |
| libzip | libzip | >= 0 < 0.10.1-1 | 0.10.1-1 |
| libzip | libzip | >= 0 < 0.10.1-1 | 0.10.1-1 |
| libzip | libzip | >= 0 < 0.10.1-1 | 0.10.1-1 |
| nih | libzip | — | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
vendor_debian · 6.8 MEDIUM
vendor_redhat · 6.8 MEDIUM
GHSA
GHSA-29xg-c3jw-cp68: Integer overflow in the _zip_readcdir function in zip_open
ghsa_unreviewed·2022-05-17
CVE-2012-1163 [MEDIUM] GHSA-29xg-c3jw-cp68: Integer overflow in the _zip_readcdir function in zip_open
OSV
CVE-2012-1163: Integer overflow in the _zip_readcdir function in zip_open
osv·2012-07-12·CVSS 6.8
CVE-2012-1163 [MEDIUM] CVE-2012-1163: Integer overflow in the _zip_readcdir function in zip_open
Red Hat
libzip: integer overflow when processing malformed zip file
vendor_redhat·2012-03-20·CVSS 6.8
CVE-2012-1163 [MEDIUM] CWE-190 libzip: integer overflow when processing malformed zip file
Statement: Not vulnerable. This issue did not affect the versions of libzip and php as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of php53 as shipped with Red Hat Enterprise Linux 5.
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: libzip (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2012-1163: libzip - Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allo...
vendor_debian·2012·CVSS 6.8
CVE-2012-1163 [MEDIUM] CVE-2012-1163: libzip - Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allo...
Scope: local
bookworm: resolved (fixed in 0.10.1-1)
bullseye: resolved (fixed in 0.10.1-1)
forky: resolved (fixed in 0.10.1-1)
sid: resolved (fixed in 0.10.1-1)
trixie: resolved (fixed in 0.10.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-3548 wireshark (X >= 1.6.8): DoS (excessive CPU use and infinite loop) in DRDA dissector
bugzilla·2012-08-21·CVSS 4.3
CVE-2012-3548 [MEDIUM] CVE-2012-3548 wireshark (X >= 1.6.8): DoS (excessive CPU use and infinite loop) in DRDA dissector
Description of problem:
When opening certain capture files, wireshark hangs forever in an endless loop.
Version-Release number of selected component (if applicable):
wireshark-1.6.8-1.fc16.x86_64
I compiled wireshark 1.8.2 from source and did not see this problem any more.
How reproducible:
always
Steps to Reproduce:
1. open capture file with wireshark
Actual results:
hangs after reading ~25% of the data
Expected results:
opens file successfully
Additional info:
#0 tvb_get_ntohs (tvb=, offset=) at tvbuff.c:1163
#1 0x00007fe66e6884ca in dissect_drda (tvb=0x7fe673ab7a40, pinfo=0x7fff420367f0, tree=0x0) at packet-drda.c:695
#2 0x00007fe66e688a9f in dissect_drda_heur (tree=0x0, pinfo=0x7f
Bugzilla
CVE-2012-1162 CVE-2012-1163 libzip various flaws [fedora-all]
bugzilla·2012-03-20·CVSS 7.5
CVE-2012-1162 [HIGH] CVE-2012-1162 CVE-2012-1163 libzip various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=802564
Bugzilla
CVE-2012-1162 CVE-2012-1163 php various flaws [fedora-all]
bugzilla·2012-03-20·CVSS 7.5
CVE-2012-1162 [HIGH] CVE-2012-1162 CVE-2012-1163 php various flaws [fedora-all]
Bugzilla
CVE-2012-1163 libzip: integer overflow when processing malformed zip file
bugzilla·2012-03-13·CVSS 6.8
CVE-2012-1163 [MEDIUM] CVE-2012-1163 libzip: integer overflow when processing malformed zip file
An integer overflow vulnerability was reported in libzip <= 0.10 when processing certain corrupt zip files. When libzip opens a zip file, it reads in the size and the offset of the central directory structure and, while it performs a consistency check on these values, it does not anticipate an integer overflow. In this case libzip will continue to process the zip file, which may result in the improper restrictions of operations within the bounds of a memory buffer.
Acknowledgements:
Red Hat would like to thank Timo Warns for reporting this issue.
Discussion:
Created attachment 570438
patch from upstream
---
This is now public:
http://nih.at/listarchive/libzip-discuss/msg00252.html
http://hg.nih.at/libzip?fd=
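The consistency check described in the Bugzilla report above, sketched as an added example (not libzip's code and not part of the report). It assumes the check has the form `offset + size <= bound` on 32-bit values; the function names, the EOCD position `0x100` and both sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ZIP end-of-central-directory (EOCD) record layout, per the ZIP format. */
#define EOCD_SIG       0x06054b50u
#define EOCD_MIN_LEN   22
#define EOCD_CD_SIZE   12   /* central directory size, 4 bytes LE */
#define EOCD_CD_OFFSET 16   /* central directory offset, 4 bytes LE */

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed unsafe shape: offset + size wraps modulo 2^32 before the compare. */
static int cdir_fits_wrapping(uint32_t size, uint32_t offset, uint32_t eocd_pos) {
    uint32_t end = offset + size;
    return end <= eocd_pos;
}

/* Hardened shape: never form the sum, compare size with the space left. */
static int cdir_fits_checked(uint32_t size, uint32_t offset, uint32_t eocd_pos) {
    return offset <= eocd_pos && size <= eocd_pos - offset;
}

/* Returns 1 if the EOCD found at file position eocd_pos passes the check. */
static int eocd_validate(const unsigned char *eocd, size_t len,
                         uint32_t eocd_pos, int checked) {
    if (len < EOCD_MIN_LEN || rd_le32(eocd) != EOCD_SIG) return 0;
    uint32_t size = rd_le32(eocd + EOCD_CD_SIZE);
    uint32_t offset = rd_le32(eocd + EOCD_CD_OFFSET);
    return checked ? cdir_fits_checked(size, offset, eocd_pos)
                   : cdir_fits_wrapping(size, offset, eocd_pos);
}

/* Constructed EOCD records (not taken from any real archive). */
static const unsigned char EOCD_WRAP[22] = {   /* size 0xFFFFFFF0, offset 0x20 */
    0x50,0x4b,0x05,0x06, 0,0, 0,0, 1,0, 1,0, 0xf0,0xff,0xff,0xff, 0x20,0,0,0, 0,0 };
static const unsigned char EOCD_SANE[22] = {   /* size 0x40, offset 0x20 */
    0x50,0x4b,0x05,0x06, 0,0, 0,0, 1,0, 1,0, 0x40,0,0,0, 0x20,0,0,0, 0,0 };

int main(void) {
    uint32_t pos = 0x100;   /* assumed file position of the EOCD record */
    printf("wrap: unsafe=%d checked=%d\n", eocd_validate(EOCD_WRAP, 22, pos, 0),
           eocd_validate(EOCD_WRAP, 22, pos, 1));
    printf("sane: unsafe=%d checked=%d\n", eocd_validate(EOCD_SANE, 22, pos, 0),
           eocd_validate(EOCD_SANE, 22, pos, 1));
    return 0;
}
```

The wrapping check accepts the oversized record because `0xFFFFFFF0 + 0x20` truncates to `0x10`; the subtraction-based check rejects it and still accepts the well-formed record.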
http://nih.at/listarchive/libzip-discuss/msg00252.html
http://www.gentoo.org/security/en/glsa/glsa-201203-23.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2012:034
http://www.nih.at/libzip/NEWS.html
http://www.openwall.com/lists/oss-security/2012/03/21/2
http://www.openwall.com/lists/oss-security/2012/03/29/11
2012-07-12
Published