PublicDateAtUSN: 2018-02-08
Candidate: CVE-2018-1056
PublicDate: 2018-07-27 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1056
 https://ubuntu.com/security/notices/USN-3570-1
Description:
 An out-of-bounds heap buffer read flaw was found in the way advancecomp
 before 2.1-2018/02 handled processing of ZIP files. An attacker could
 potentially use this flaw to crash the advzip utility by tricking it into
 processing crafted ZIP files.
Ubuntu-Description:
Notes:
 ratliff> w/o ASAN errors out on trusty, segfaults on xenial
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889270
Priority: medium
Discovered-by: Joonun Jang
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_advancecomp:
 upstream: https://github.com/amadvance/advancecomp/commit/7deeafc02b29cc51d51079e66f4f43f986ff9cc5
upstream_advancecomp: released (2.1-1)
precise/esm_advancecomp: DNE
trusty_advancecomp: released (1.18-1ubuntu0.1)
trusty/esm_advancecomp: DNE (trusty was released [1.18-1ubuntu0.1])
xenial_advancecomp: released (1.20-1ubuntu0.1)
esm-infra/xenial_advancecomp: released (1.20-1ubuntu0.1)
artful_advancecomp: released (2.0-1ubuntu0.1)
devel_advancecomp: not-affected (2.1-1)