CVE-2008-0888
unzip - potential code execution
EPSS 16.3%
Description
The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
How to fix CVE-2008-0888
To remediate CVE-2008-0888, upgrade the affected package to one of the fixed versions listed below.
- Debian/unzip—upgrade to 5.52-11 or later
- Debian/unzip—upgrade to 5.52-1sarge5 or later
Is CVE-2008-0888 being exploited?
Moderate — EPSS is 16.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/unzip: from 0, < 5.52-11
- Debian/unzip: from 0, < 5.52-1sarge5