CVE-2018-13410

Name: CVE-2018-13410

Description: ** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.

NVD Severity: high

References

| Type | URI |
| --- | --- |
| Mailing List | http://seclists.org/fulldisclosure/2018/Jul/24 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:info-zip_project:zip:3.0:*:*:*:*:*:*:* | zip | == None | == 3.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| zip | edge-main | 3.0-r9 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| zip | 3.14-main | 3.0-r9 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| zip | 3.13-main | 3.0-r9 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| zip | 3.12-main | 3.0-r8 | Carlo Landmeter <clandmeter@gmail.com> | fixed |
| zip | 3.11-main | 3.0-r7 | Carlo Landmeter <clandmeter@gmail.com> | fixed |
| zip | 3.15-main | 3.0-r9 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |