[Buildroot] [PATCH] package/zip: add patch for CVE-2018-13410
Julien Olivain
ju.o at free.fr
Thu Oct 9 21:31:25 UTC 2025
On 09/10/2025 22:14, Thomas Perale via buildroot wrote:
> Fixes the following vulnerability:
>
> - CVE-2018-13410
>
> Info-ZIP Zip 3.0, when the -T and -TT command-line options are used,
> allows attackers to cause a denial of service (invalid free and
> application crash) or possibly have unspecified other impact because
> of an off-by-one error. NOTE: it is unclear whether there are
> realistic scenarios in which an untrusted party controls the -TT
> value, given that the entire purpose of -TT is execution of
> arbitrary commands
>
> For more information, see:
> - https://nvd.nist.gov//vuln/detail/CVE-2018-13410
>
> This patch also includes the patch 0009 which addresses a buffer overflow
> when passing unicode characters that doesn't have a CVE assigned.
>
> Tested with `./support/testing/run-tests -d dl -o output_folder -k
> tests.package.test_zip`
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Applied to master, thanks.