Arbitrary Code Execution Affecting zipruby package, versions >0.0.0


0.0
medium
  • Attack Complexity

    Low

  • User Interaction

    Required

  • snyk-id

    SNYK-RUBY-ZIPRUBY-20433

  • published

    7 Dec 2017

  • disclosed

    12 Jul 2012

  • credit

    Michael Grosser

How to fix?

There is no fix version for zipruby.

Overview

zipruby provides Ruby bindings for libzip.

Affected versions of the package are vulnerable to Arbitrary Code Execution. Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values for the central directory in a zip archive, which triggers "improper restrictions of operations within the bounds of a memory buffer" and an information leak.
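Because no fixed zipruby version exists, one defensive option is to reject archives whose end-of-central-directory record advertises a central directory that would wrap a 32-bit offset + size sum or that lies outside the file, before the bytes ever reach libzip. The following is an added example written for this page, not code from zipruby, libzip or Snyk; the sample archives are constructed inline and the field layout follows the standard ZIP EOCD record.

```ruby
# Pre-check of the ZIP end-of-central-directory (EOCD) record before an archive
# is handed to zipruby/libzip. Added example; not part of the zipruby project.
EOCD_SIG = "PK\x05\x06".b
EOCD_LEN = 22          # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF   # the trailing comment length is a 16-bit field

# Locate the EOCD record by scanning backwards from the end of the data.
def find_eocd(data)
  data = data.b
  return nil if data.bytesize < EOCD_LEN
  lowest = [data.bytesize - EOCD_LEN - MAX_COMMENT, 0].max
  pos = data.rindex(EOCD_SIG, data.bytesize - EOCD_LEN)
  while pos && pos >= lowest
    comment_len = data[pos + 20, 2].unpack1("v")
    # A genuine EOCD record ends exactly at end of file (after its comment).
    return pos if pos + EOCD_LEN + comment_len == data.bytesize
    pos = pos > 0 ? data.rindex(EOCD_SIG, pos - 1) : nil
  end
  nil
end

# Returns :ok when the central directory lies entirely inside the file and
# before the EOCD record; otherwise a symbol naming the first problem found.
def check_central_directory(data)
  data = data.b
  eocd = find_eocd(data)
  return :no_eocd unless eocd
  cd_size, cd_offset = data[eocd + 12, 8].unpack("VV")
  # libzip 0.10 computed offset + size in 32-bit arithmetic, where the sum can
  # wrap. Ruby integers do not wrap, so the wrap and the bounds are checked
  # explicitly here.
  return :overflow if cd_offset + cd_size > 0xFFFF_FFFF
  return :cd_out_of_bounds if cd_offset + cd_size > eocd
  :ok
end

# Constructed sample records (not real archives): a bare EOCD builder, an
# empty archive, and one whose central-directory fields would wrap.
def eocd_record(entries, cd_size, cd_offset)
  EOCD_SIG + [0, 0, entries, entries, cd_size, cd_offset, 0].pack("vvvvVVv")
end
EMPTY_ZIP = eocd_record(0, 0, 0)
WRAPPING_ZIP = eocd_record(1, 0x20, 0xFFFF_FFF0)
```

Only archives that return :ok should be passed on to zipruby; the check says nothing about the contents of the central directory itself, only that its claimed location is consistent with the file size.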