Bug 3999

Summary: libzip missing security update for CVE-2011-0421
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, fundawang, geiger.david68210, pterjan, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libzip-0.9.3-3.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-01-01 21:49:50 CET 
Mandriva issued this advisory on May 24:
http://lists.mandriva.com/security-announce/2011-05/msg00024.php
Comment 1 Manuel Hiebel 2012-01-01 23:18:55 CET 
As php 5.3.8 is in testing maybe we don't need this one ?

The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.

CC: (none) => fundawang, pterjan

Comment 2 David Walser 2012-01-01 23:29:41 CET 
libzip is its own SRPM.  PHP just uses that code.  CVEs are like that sometimes, mentioning a program or something rather than the library that is the actual source of the problem.
Comment 3 D Morgan 2012-01-02 21:51:48 CET 
just fixed and pushed in updates_testing

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 4 David Walser 2012-01-03 23:02:05 CET 
This is only used by libepub0 on my system, which is used by okular.  Tested on i586 by opening a free epub book in okular.  Looks good.
Comment 5 Dave Hodgins 2012-01-06 23:02:29 CET 
Also testing on i586.

Used ziptorrent to convert an existing zip to ziptorrent format
(see http://www.makelinux.net/man/3/Z/zip_set_archive_flag ),
zipmerge to combine two zip files, and zipcmp to show the
differences between two zip files.

Still need x86-64 testing.

CC: (none) => davidwhodgins

Comment 6 David GEIGER 2012-01-09 10:11:20 CET 
(In reply to comment #4)
> This is only used by libepub0 on my system, which is used by okular.  Tested on
> i586 by opening a free epub book in okular.  Looks good.

Testing complete the srpm libzip-0.9.3-3.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64 ,works too when I open a free epub book files with Okular.

CC: (none) => geiger.david68210

Comment 7 David Walser 2012-01-09 14:45:02 CET 
Validating

Advisory:
========================

Updated libzip packages fix security vulnerability:

The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:099
========================

Updated packages in core/updates_testing:
========================
libzip-0.9.3-3.1.mga1
libzip-devel-0.9.3-3.1.mga1
libzip1-0.9.3-3.1.mga1

from libzip-0.9.3-3.1.mga1.src.rpm
========================

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 8 Thomas Backlund 2012-01-09 15:32:28 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED