CVE-2019-13453
Description
Zipios before 0.1.7 enters an infinite loop when processing a malformed zip archive with an oversized local header offset, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Zipios versions before 0.1.7 fail to properly validate the "Offset of local header" field in the central directory of a ZIP archive. When this offset is larger than the archive size, the readUint32() function in zipheadio.h and the Zipfile::Zipfile() constructor in zipfile.cpp enter an infinite loop, leading to a denial of service. The vulnerability was discovered in Zipios 0.1.5.9 (used by FlightCrew) and affects all versions including the unofficial 0.1.6 [1], [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious ZIP file where the "Offset of local header" field exceeds the total archive size. No authentication or special network position is required; the attacker only needs to deliver the malformed zip archive to an application that parses it using the vulnerable Zipios library. The affected component is the ZipFile::confirmLocalHeaders() function during central directory processing [1], [2].
Impact
Successful exploitation causes the target application to hang indefinitely due to an infinite loop, effectively denying service. No sensitive data is disclosed, and no code execution is possible. The impact is limited to availability, potentially crashing applications without watchdog/timeout capability or exhausting server resources if repeatedly triggered [2].
Mitigation
The fix is included in Zipios version 0.1.7, released on or about July 2019. The infinite loop patch is available in the source repository's infinite_loop.patch file [2]. Users should upgrade to 0.1.7 or apply the patch to their local copy of the code. No workarounds are documented for unpatched versions [1], [2].
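The defect described above is a missing bounds check: a central-directory "Offset of local header" value that points past the end of the archive is followed blindly. The following added example (written for this page, not Zipios code and not the project's patch) is a minimal ZIP central-directory reader that performs the check a hardened parser needs: it refuses any entry whose local header offset lies outside the archive, or does not point at a local file header signature, instead of trying to read there. The sample archive is constructed in memory with Python's `zipfile` module, and `corrupt_local_offset()` is a constructed helper that rewrites one entry's offset to reproduce the malformed condition.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of central directory record
CDIR_SIG = b"PK\x01\x02"   # Central directory file header
LOCAL_SIG = b"PK\x03\x04"  # Local file header


class MalformedZip(ValueError):
    """Raised instead of looping or reading out of bounds on a bad archive."""


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record; it is 22 bytes plus an optional comment of up to 65535 bytes."""
    start = max(0, len(data) - 22 - 65535)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0:
        raise MalformedZip("no EOCD record found")
    return pos


def read_central_directory(data: bytes) -> list:
    """Parse central directory entries, validating every offset against the archive size."""
    size = len(data)
    eocd = find_eocd(data)
    # EOCD layout after the signature: disk(2) cd_disk(2) entries_on_disk(2)
    # total_entries(2) cd_size(4) cd_offset(4) comment_len(2)
    (_, _, _, entries, cd_size, cd_offset, _) = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    if cd_offset + cd_size > eocd:
        raise MalformedZip("central directory lies outside the archive")
    pos = cd_offset
    records = []
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise MalformedZip("bad central directory header signature")
        # Fixed part of a central header is 46 bytes: lengths sit at +28, local offset at +42.
        (name_len, extra_len, comment_len) = struct.unpack_from("<HHH", data, pos + 28)
        (local_offset,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        # The bounds check: a local header is 30 bytes, so the offset plus 30 must fit in
        # the archive, and the bytes there must actually be a local file header.
        if local_offset + 30 > size:
            raise MalformedZip(
                f"local header offset {local_offset} exceeds archive size {size} for {name!r}")
        if data[local_offset:local_offset + 4] != LOCAL_SIG:
            raise MalformedZip(f"no local file header at offset {local_offset} for {name!r}")
        records.append({"name": name, "local_offset": local_offset})
        pos += 46 + name_len + extra_len + comment_len
    return records


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True if every central directory entry passes validation."""
    try:
        read_central_directory(data)
        return True
    except MalformedZip:
        return False


def build_sample_zip() -> bytes:
    """Constructed sample: a small, valid, stored (uncompressed) archive with two members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello")
        zf.writestr("world.txt", "world")
    return buf.getvalue()


def corrupt_local_offset(data: bytes, new_offset: int) -> bytes:
    """Constructed helper: overwrite the first central entry's local header offset."""
    eocd = find_eocd(data)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    out = bytearray(data)
    struct.pack_into("<I", out, cd_offset + 42, new_offset)
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_zip()
    print("valid archive:", [r["name"] for r in read_central_directory(good)])
    bad = corrupt_local_offset(good, 0xFFFFFFF0)  # offset far beyond the archive size
    print("oversized offset rejected:", not is_well_formed(bad))
```

The key property is that every offset is compared against the archive length before any read at that position, so an oversized value produces an immediate, reportable error rather than an unbounded loop.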
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zipios/Zipios
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; vulnerability mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.securityfocus.com/bid/109282 (MITRE, vdb-entry, x_refsource_BID)
- lists.debian.org/debian-lts-announce/2022/05/msg00041.html (MITRE, mailing-list, x_refsource_MLIST)
- salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3/ (MITRE, x_refsource_MISC)
- sourceforge.net/p/zipios/news/2019/07/version-017-cve-/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.