After Mike Salvatore found and fixed a bug in version 0.1.5, Alexis Wilke created a new version with the patch applied.
The bug would create a DoS whenever an invalid size was passed, because a certain loop would get stuck reading even after the end of the file was reached.
The patch is available in the infinite_loop.patch file in the source repository. The source repository was moved to Git on SourceForge.net. (See the new tab at the top.)
The bug would not generate any security issue (no private data would be shared). It could block an application that did not have any watchdog/timeout capability. It could also make a server crash if that happened too many times and the server ran out of processing time or memory.
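The class of bug described above, shown as an added example (this is not the library's code and not the contents of infinite_loop.patch): a read loop driven by a size taken from the input must stop when a read returns nothing. The names `skip_payload`, `demo` and the `READ_*` codes are hypothetical, and the sample file is constructed in a temporary file.

```c
#include <stdio.h>

enum { READ_OK = 0, READ_TRUNCATED = -1, READ_IO_ERROR = -2 };

/* Consume `declared` payload bytes; `declared` comes from untrusted input. */
static int skip_payload(FILE *in, unsigned long declared, unsigned long *consumed)
{
    unsigned char buf[256];
    unsigned long left = declared;

    *consumed = 0;
    while (left > 0) {
        size_t want = left < sizeof buf ? (size_t)left : sizeof buf;
        size_t got = fread(buf, 1, want, in);

        /* A loop that only tests `left > 0` spins here forever: once the
           end of the file is reached fread() keeps returning 0, so `left`
           never shrinks. Treat a zero-length read as fatal instead. */
        if (got == 0)
            return ferror(in) ? READ_IO_ERROR : READ_TRUNCATED;
        left -= got;
        *consumed += got;
    }
    return READ_OK;
}

/* Constructed sample: temp file with `actual` bytes, header claims `declared`. */
static int demo(unsigned long actual, unsigned long declared, unsigned long *consumed)
{
    FILE *f = tmpfile();
    int rc;

    *consumed = 0;
    if (f == NULL)
        return READ_IO_ERROR;
    for (unsigned long i = 0; i < actual; i++)
        fputc('A', f);
    rewind(f);
    rc = skip_payload(f, declared, consumed);
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned long n;
    int rc = demo(1000, 4000000000UL, &n);   /* size far beyond the data */

    printf("rc=%d consumed=%lu\n", rc, n);
    return rc == READ_TRUNCATED ? 0 : 1;
}
```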
If you have version 0.1.5 or older (or used the latest source code, unofficial version 0.1.6) then please upgrade to 0.1.7. Nothing changed in the interface, so it is just a matter of getting the latest and recompiling for your system.
For additional information, please check out Mike's post about the issue here: https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3/
The CVE entry is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13453
I'm attaching the patch to this post for people who just want to apply it to their instance of the code and not touch anything else.