Source: zip Version: 3.0-11 Severity: normal Tags: security upstream Hi,
The following vulnerability was published for zip. Note it is really disputed as security issue, filling this bug only for tracking the underlying bug in case it get's fixed. A possible attack scenario would involve an untrusted party which controls the -TT value. Still fill a but for tracking the bug/issue. CVE-2018-13410[0]: | ** <A HREF="https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry">DISPUTED</A> ** Info-ZIP Zip 3.0, when the -T and -TT command-line | options are used, allows attackers to cause a denial of service | (invalid free and application crash) or possibly have unspecified other | impact because of an off-by-one error. NOTE: it is unclear whether | there are realistic scenarios in which an untrusted party controls the | -TT value, given that the entire purpose of -TT is execution of | arbitrary commands. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-13410 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13410 [1] http://seclists.org/fulldisclosure/2018/Jul/24 Regards, Salvatore

