libgepub EPUB Archive Handling Integer Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

An integer overflow vulnerability has been identified in the libgepub library, which is used to read EPUB files. The issue lies in the EPUB archive parser, specifically in the gepub_archive_read_entry() function, where the 64-bit size value returned by archive_entry_size() is cast to a 32-bit signed integer. Because of this truncation, a specially crafted EPUB file with a large declared entry size wraps to a negative integer. That negative value is then passed to g_malloc0(), which interprets it as a very large unsigned size; the allocation fails and the application crashes. The result is a denial-of-service condition in applications that use libgepub, such as the desktop thumbnailing service Tumbler, which may process a malicious EPUB file automatically when a directory containing it is browsed. No direct remote attack vector has been confirmed, but any application that uses libgepub to parse user-supplied EPUB content could potentially be affected.
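The following C program is an added illustration of the narrowing cast described above; it is not libgepub's source and does not depend on libarchive. It shows how a 64-bit declared entry size becomes a negative 32-bit value, what size an allocator would then be asked for, and a validating check applied to the full 64-bit value before any allocation. The MAX_ENTRY_BYTES limit is a hypothetical bound chosen for the example, not a value from libgepub.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on a single archive entry we are willing to
   buffer in memory. Not a libgepub constant; chosen for this example. */
#define MAX_ENTRY_BYTES (INT64_C(64) * 1024 * 1024)

/* The narrowing cast the advisory describes: a 64-bit entry size is
   converted to a 32-bit signed int, dropping the high bits. On the usual
   two's-complement toolchains the value is taken modulo 2^32, so sizes at
   or above 2 GiB come out negative. */
int32_t narrow_entry_size(int64_t declared_size) {
    return (int32_t)declared_size;
}

/* The size an allocator such as g_malloc0() would receive if the narrowed
   int is converted back to an unsigned size type (gsize). A negative int
   becomes a huge unsigned request, which fails and aborts the process. */
size_t allocation_request(int64_t declared_size) {
    int32_t narrowed = narrow_entry_size(declared_size);
    return (size_t)narrowed;
}

/* Defensive check: validate the untruncated 64-bit value before narrowing
   or allocating. Rejects negative sizes and sizes above the configured
   limit, so an attacker-controlled header can no longer drive the
   allocation size. */
bool entry_size_is_sane(int64_t declared_size) {
    if (declared_size < 0) {
        return false;
    }
    if (declared_size > MAX_ENTRY_BYTES) {
        return false;
    }
    return true;
}

int main(void) {
    /* Constructed sample sizes: a normal entry, exactly 2 GiB (wraps to
       INT32_MIN), 4 GiB - 1 (wraps to -1), and a 1 TiB declared size. */
    int64_t samples[] = {
        1024,
        INT64_C(0x80000000),
        INT64_C(0xFFFFFFFF),
        INT64_C(1) << 40,
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t i = 0; i < n; i++) {
        int64_t declared = samples[i];
        printf("declared=%lld narrowed=%d alloc_request=%zu sane=%s\n",
               (long long)declared,
               narrow_entry_size(declared),
               allocation_request(declared),
               entry_size_is_sane(declared) ? "yes" : "no");
    }
    return 0;
}
```

The key design point is that the check runs on the original 64-bit value: validating after the cast would be too late, because the wrapped value can already look like a small or negative number.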

Impact

Exploitation of this vulnerability causes a crash of the application using libgepub, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by opening a specially crafted EPUB file with a large declared entry size in an application that uses libgepub for EPUB parsing. When the entry size is read and cast to a 32-bit signed integer, the value wraps, the resulting memory allocation request is far larger than intended, and the application crashes. This behaviour has been observed with the Tumbler service on Linux, where the crafted EPUB file triggers the crash simply by being present in a directory that Tumbler processes.

Added: Jun 17, 2025, 3:18 PM
Updated: Jun 17, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.