Nixpkgs security tracker
5.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- perlPackages.FileType
- perl5Packages.FileType
- perl538Packages.FileType
- perl540Packages.FileType
- @LeSuisse dismissed
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
References
Affected products
- ==>= 20.0.0, < 21.3.2
Ignored packages (4)
pkgs.perlPackages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl5Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl538Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl540Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file