
Help with version 0.1.7 of Zipios (CVE-2019-13453)

Here is yet another example of why open source is a really good way of getting things fixed.

Assuming you have a project that is used by many people, you are likely to see issues posted about bugs and possible enhancements. Your software is even very likely to get improved by enthusiast users on their own. On GitHub, for example, it is very easy to fork a project (make a copy) and then work on your own version of the software. You can then offer the fix back to the main authors of the project, since your fork is still a near one-to-one copy of theirs.

In our case, a security professional, Mike Salvatore, was asked to review a piece of software. He tested it and found a DoS (Denial of Service) problem. The problem was a loop that read data from a file while totally ignoring any read errors. Once the end of the file was reached or an I/O error occurred, the loop would go on forever: its only exit condition was the number of bytes read reaching the requested size, and after any error, including EOF, that count stops increasing, so the condition could never be met.

The fix was simply to add a test on the stream: if an error, including EOF, is detected, break out of the loop whatever the size reached so far, then throw an error since we cannot return a correct result.
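The two loops below are an added illustration of the bug and the fix described above; they are not Zipios code. The data source is modelled as a std::streambuf (Zipios itself is built on streambufs) that is assumed, for the demo, to hand out at most three bytes per sgetn() call, so the reader sees short reads before the end of the data and zero bytes once the data is exhausted. The "before" loop is given an iteration budget purely so that the demo can show it stalling; the real bug has no such cap.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <streambuf>
#include <string>
#include <vector>

// Constructed source for the demo (not a Zipios class): an in-memory
// std::streambuf that serves at most `chunk` bytes per sgetn() and 0 bytes
// once the data is used up, which is also how a read error would look here.
class ChunkedSource : public std::streambuf
{
public:
    ChunkedSource(std::string data, std::size_t chunk)
        : data_(std::move(data)), chunk_(chunk) {}

protected:
    std::streamsize xsgetn(char *out, std::streamsize n) override
    {
        std::size_t avail = data_.size() - pos_;
        std::size_t take = std::min({avail, chunk_, static_cast<std::size_t>(n)});
        std::copy_n(data_.data() + pos_, take, out);
        pos_ += take;
        return static_cast<std::streamsize>(take);
    }

private:
    std::string data_;
    std::size_t chunk_;
    std::size_t pos_ = 0;
};

// BEFORE: the pattern the post describes. The only real exit condition is
// `total == size`; once sgetn() returns 0 at end of data, `total` stops
// growing and the loop never ends. `iteration_budget` is demo instrumentation
// only: the function returns how many passes it used, and using them all up
// means it would have spun forever.
std::size_t read_exact_unbounded(std::streambuf &src, std::vector<char> &buf,
                                 std::size_t size, std::size_t iteration_budget)
{
    buf.resize(size);
    std::size_t total = 0;
    std::size_t iterations = 0;
    while (total < size && iterations < iteration_budget)
    {
        ++iterations;
        std::streamsize n = src.sgetn(buf.data() + total,
                                      static_cast<std::streamsize>(size - total));
        if (n > 0)
            total += static_cast<std::size_t>(n);   // n == 0 (EOF/error) is silently ignored
    }
    return iterations;
}

// AFTER: test the stream on every pass. A zero-byte result means EOF or an
// error; no further data will arrive, so leave the loop whatever `total` is
// and throw rather than hand back a partial buffer as if it were complete.
void read_exact(std::streambuf &src, std::vector<char> &buf, std::size_t size)
{
    buf.resize(size);
    std::size_t total = 0;
    while (total < size)
    {
        std::streamsize n = src.sgetn(buf.data() + total,
                                      static_cast<std::streamsize>(size - total));
        if (n <= 0)
            throw std::runtime_error("unexpected end of stream: expected "
                                     + std::to_string(size) + " bytes, got "
                                     + std::to_string(total));
        total += static_cast<std::size_t>(n);
    }
}

// Demo helpers: read `size` bytes of `data` through a 3-bytes-per-call source.
std::string read_exact_from(const std::string &data, std::size_t size)
{
    ChunkedSource src(data, 3);
    std::vector<char> buf;
    read_exact(src, buf, size);
    return std::string(buf.begin(), buf.end());
}

bool short_read_throws(const std::string &data, std::size_t size)
{
    try { read_exact_from(data, size); }
    catch (const std::runtime_error &) { return true; }
    return false;
}

// True when the BEFORE loop exhausts its budget, i.e. would never terminate.
bool unbounded_loop_spins(const std::string &data, std::size_t size, std::size_t budget)
{
    ChunkedSource src(data, 3);
    std::vector<char> buf;
    return read_exact_unbounded(src, buf, size, budget) >= budget;
}

int main()
{
    std::cout << read_exact_from("hello world", 11) << '\n';
    std::cout << "short read throws: " << short_read_throws("hello", 6) << '\n';
    std::cout << "old loop spins on short input: " << unbounded_loop_spins("hello", 6, 1000) << '\n';
    std::cout << "old loop finishes on full input: " << !unbounded_loop_spins("hello world", 11, 1000) << '\n';
}
```

The loop is still needed in the fixed version because a source may legitimately return fewer bytes than asked for without being at its end; what changed is that a read which makes no progress is now treated as terminal instead of being retried indefinitely. With a real std::istream the equivalent test is the stream's state after each read() (eof(), fail() or bad()), which the fix in 0.1.7 checks.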

I created version 0.1.7 with the fix and made it available on SourceForge.net. If you are using any older version, please make sure to upgrade. If you were using the CVS source, please make sure to switch to the Git source (the CVS repository is now read-only, so I could not update it).

If you have any question, feel free to contact us.

Note: if you have a little time, you may want to consider upgrading to version 2.x instead. The new version includes a full-coverage test suite and is therefore less likely to include such a bug.

Links:

CVE-2019-13453
Zipios++ v0.1.7
Post by Mike Salvatore about this issue
Zipios v2.x