| Summary: | libzip and php new security issues CVE-2012-116[23], CVE-2012-1172, CVE-2012-1823, and CVE-2012-2311 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, fundawang, herbert, pterjan, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://seclists.org/oss-sec/2012/q1/710 | ||
| Whiteboard: | |||
| Source RPM: | libzip-0.9.3-3.1.mga1.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2012-03-23 01:28:14 CET
David Walser
2012-03-23 01:28:38 CET
Blocks:
(none) =>
5046

Mandriva has issued an advisory for this today (March 23):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034

They just upgraded the 2010.2 version to the new one, so now we know how to proceed.

ennael tried to build this in Cauldron, but one of the tests failed when building on the build system. Hopefully someone can help fix this.

For Mageia 1, updating to the new version will change the major of the lib package, so I think php, ebook-tools, and mysql-workbench will need to be rebuilt along with this.
David Walser
2012-03-29 03:23:33 CEST
CC:
(none) =>
fundawang
David Walser
2012-03-29 03:23:46 CEST
CC:
(none) =>
pterjan

For cauldron, the decryption test fails on x86_64 (indicating a real bug), their CRC32 macro giving a wrong value, but I did not manage to fix it so far.

IMHO the problem is the

    static const uLongf *crc = NULL;

because:

    typedef unsigned long int uLong;
    typedef uLong uLongf;

will be 32bit on i586 and 64bit on x86_64 ...

CC:
(none) =>
herbert

Well the table really contains longs, this uLongf comes from the zlib API. However I don't think accessing the table directly is part of the API...

on i586 crc[0x1b] = 8a65c9ec
on x86_64 crc[0x1b] = cfba9599

OK you are right, the problem is that it doesn't read the right address in the table, and changing the declaration of crc to be uint32_t fixes it :)

I am sure zlib stored UL numbers in the table, I will check again.

Seeing crc32.h and crc32.c in zlib, the type is definitely unsigned long and it gets filled with 0x00000000UL, 0x77073096UL, ... So I don't understand what is happening...

Ah sorry I had missed something, it is #define dependent. Since 1.2.5.1 (10 Sep 2011) crc_table_t is now 4 bytes unless NOBYFOUR is defined, so even if get_crc_table returns an unsigned long *, it is actually an uint32_t.

I committed the fix to svn.
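The stride mismatch diagnosed in the comments above, reproduced as an added example (not code from libzip, zlib, or this bug report). The table is generated locally instead of being fetched with get_crc_table, and the names stride_lookup and seen_by are hypothetical; the 8-byte case models the low 32 bits of an unsigned long load on little-endian x86_64.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC_ENTRIES 256u

/* Standard CRC-32 table (reflected polynomial 0xEDB88320), generated locally
 * and stored as 4-byte entries, the layout the thread attributes to
 * zlib >= 1.2.5.1 built without NOBYFOUR. */
static const uint32_t *crc_table(void)
{
    static uint32_t table[CRC_ENTRIES];
    static int ready = 0;
    if (!ready) {
        for (uint32_t n = 0; n < CRC_ENTRIES; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++)
                c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
            table[n] = c;
        }
        ready = 1;
    }
    return table;
}

/* Model what crc[index] fetches when the caller's pointer type makes each
 * element `stride` bytes wide: the load starts at byte index * stride.
 * Only the first 4 bytes are copied out, which on little-endian x86_64 are
 * the low 32 bits of an 8-byte load. memcpy is used so the example does not
 * itself cast the table to a wider pointer type (aliasing/alignment).
 * Returns 0 on success, -1 if the whole stride-sized load would not fit
 * inside the table. `out` may be NULL to perform the bounds check only. */
int stride_lookup(size_t index, size_t stride, uint32_t *out)
{
    const unsigned char *base = (const unsigned char *)crc_table();
    const size_t table_bytes = CRC_ENTRIES * sizeof(uint32_t);

    if (stride < sizeof(uint32_t) || stride > table_bytes || index >= CRC_ENTRIES)
        return -1;

    size_t offset = index * stride;   /* bounded above, cannot overflow */
    if (offset > table_bytes - stride)
        return -1;                    /* load would run past the table */

    if (out != NULL)
        memcpy(out, base + offset, sizeof(uint32_t));
    return 0;
}

/* Value seen at crc[index] for a given element width, or 0 if out of bounds. */
uint32_t seen_by(size_t index, size_t stride)
{
    uint32_t v = 0;
    (void)stride_lookup(index, stride, &v);
    return v;
}

int main(void)
{
    /* Same index as quoted in the thread. */
    printf("4-byte element (uint32_t):      crc[0x1b] = %08x\n",
           (unsigned)seen_by(0x1b, sizeof(uint32_t)));
    printf("8-byte element (LP64 ulong):    crc[0x1b] = %08x\n",
           (unsigned)seen_by(0x1b, 8));
    /* With the wrong width, the upper half of the index range is an
     * out-of-bounds read rather than just a wrong value. */
    printf("8-byte element, index 0x80 in bounds: %s\n",
           stride_lookup(0x80, 8, NULL) == 0 ? "yes" : "no");
    return 0;
}
```

With the 8-byte stride, index 0x1b lands on 4-byte entry 0x36, which is where the x86_64 value quoted in the thread comes from; indexes from 0x80 upward would read past the end of the table.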
David Walser
2012-04-09 20:50:47 CEST
Blocks:
5046 =>
(none) Updated and rebuilt packages uploaded for Mageia 1. Note to QA: the thing to really focus on here for testing is to make sure that php-zip works. Advisory: ======================== Updated libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.1.mga1 php-cgi-5.3.10-1.1.mga1 php-fpm-5.3.10-1.1.mga1 apache-mod_php-5.3.10-1.1.mga1 libphp5_common5-5.3.10-1.1.mga1 php-devel-5.3.10-1.1.mga1 php-openssl-5.3.10-1.1.mga1 php-zlib-5.3.10-1.1.mga1 php-doc-5.3.10-1.1.mga1 php-bcmath-5.3.10-1.1.mga1 php-bz2-5.3.10-1.1.mga1 php-calendar-5.3.10-1.1.mga1 php-ctype-5.3.10-1.1.mga1 php-curl-5.3.10-1.1.mga1 php-dba-5.3.10-1.1.mga1 php-dom-5.3.10-1.1.mga1 php-enchant-5.3.10-1.1.mga1 php-exif-5.3.10-1.1.mga1 php-fileinfo-5.3.10-1.1.mga1 php-filter-5.3.10-1.1.mga1 php-ftp-5.3.10-1.1.mga1 php-gd-5.3.10-1.1.mga1 php-gettext-5.3.10-1.1.mga1 php-gmp-5.3.10-1.1.mga1 php-hash-5.3.10-1.1.mga1 php-iconv-5.3.10-1.1.mga1 php-imap-5.3.10-1.1.mga1 php-intl-5.3.10-1.1.mga1 php-json-5.3.10-1.1.mga1 php-ldap-5.3.10-1.1.mga1 php-mbstring-5.3.10-1.1.mga1 php-mcrypt-5.3.10-1.1.mga1 php-mssql-5.3.10-1.1.mga1 
php-mysql-5.3.10-1.1.mga1 php-mysqli-5.3.10-1.1.mga1 php-mysqlnd-5.3.10-1.1.mga1 php-odbc-5.3.10-1.1.mga1 php-pcntl-5.3.10-1.1.mga1 php-pdo-5.3.10-1.1.mga1 php-pdo_dblib-5.3.10-1.1.mga1 php-pdo_mysql-5.3.10-1.1.mga1 php-pdo_odbc-5.3.10-1.1.mga1 php-pdo_pgsql-5.3.10-1.1.mga1 php-pdo_sqlite-5.3.10-1.1.mga1 php-pgsql-5.3.10-1.1.mga1 php-phar-5.3.10-1.1.mga1 php-posix-5.3.10-1.1.mga1 php-pspell-5.3.10-1.1.mga1 php-readline-5.3.10-1.1.mga1 php-recode-5.3.10-1.1.mga1 php-session-5.3.10-1.1.mga1 php-shmop-5.3.10-1.1.mga1 php-snmp-5.3.10-1.1.mga1 php-soap-5.3.10-1.1.mga1 php-sockets-5.3.10-1.1.mga1 php-sqlite3-5.3.10-1.1.mga1 php-sqlite-5.3.10-1.1.mga1 php-sybase_ct-5.3.10-1.1.mga1 php-sysvmsg-5.3.10-1.1.mga1 php-sysvsem-5.3.10-1.1.mga1 php-sysvshm-5.3.10-1.1.mga1 php-tidy-5.3.10-1.1.mga1 php-tokenizer-5.3.10-1.1.mga1 php-xml-5.3.10-1.1.mga1 php-xmlreader-5.3.10-1.1.mga1 php-xmlrpc-5.3.10-1.1.mga1 php-xmlwriter-5.3.10-1.1.mga1 php-xsl-5.3.10-1.1.mga1 php-wddx-5.3.10-1.1.mga1 php-zip-5.3.10-1.1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm Assignee:
bugsquad =>
qa-bugs

I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet. If you already knew about it, sorry for the noise.

I'm still in the process of identifying and testing all of the packages that are affected by the update to mysql, and expect to complete the testing of the related bugs at the same time.

CC:
(none) =>
davidwhodgins I found about another PHP CVE and fixed it. There's a PoC on Bug 5575. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). Scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 https://bugzilla.novell.com/show_bug.cgi?id=752030 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.2.mga1 php-cgi-5.3.10-1.2.mga1 php-fpm-5.3.10-1.2.mga1 apache-mod_php-5.3.10-1.2.mga1 libphp5_common5-5.3.10-1.2.mga1 php-devel-5.3.10-1.2.mga1 php-openssl-5.3.10-1.2.mga1 php-zlib-5.3.10-1.2.mga1 php-doc-5.3.10-1.2.mga1 php-bcmath-5.3.10-1.2.mga1 php-bz2-5.3.10-1.2.mga1 php-calendar-5.3.10-1.2.mga1 php-ctype-5.3.10-1.2.mga1 php-curl-5.3.10-1.2.mga1 php-dba-5.3.10-1.2.mga1 php-dom-5.3.10-1.2.mga1 php-enchant-5.3.10-1.2.mga1 php-exif-5.3.10-1.2.mga1 php-fileinfo-5.3.10-1.2.mga1 php-filter-5.3.10-1.2.mga1 php-ftp-5.3.10-1.2.mga1 php-gd-5.3.10-1.2.mga1 php-gettext-5.3.10-1.2.mga1 php-gmp-5.3.10-1.2.mga1 php-hash-5.3.10-1.2.mga1 php-iconv-5.3.10-1.2.mga1 
php-imap-5.3.10-1.2.mga1 php-intl-5.3.10-1.2.mga1 php-json-5.3.10-1.2.mga1 php-ldap-5.3.10-1.2.mga1 php-mbstring-5.3.10-1.2.mga1 php-mcrypt-5.3.10-1.2.mga1 php-mssql-5.3.10-1.2.mga1 php-mysql-5.3.10-1.2.mga1 php-mysqli-5.3.10-1.2.mga1 php-mysqlnd-5.3.10-1.2.mga1 php-odbc-5.3.10-1.2.mga1 php-pcntl-5.3.10-1.2.mga1 php-pdo-5.3.10-1.2.mga1 php-pdo_dblib-5.3.10-1.2.mga1 php-pdo_mysql-5.3.10-1.2.mga1 php-pdo_odbc-5.3.10-1.2.mga1 php-pdo_pgsql-5.3.10-1.2.mga1 php-pdo_sqlite-5.3.10-1.2.mga1 php-pgsql-5.3.10-1.2.mga1 php-phar-5.3.10-1.2.mga1 php-posix-5.3.10-1.2.mga1 php-pspell-5.3.10-1.2.mga1 php-readline-5.3.10-1.2.mga1 php-recode-5.3.10-1.2.mga1 php-session-5.3.10-1.2.mga1 php-shmop-5.3.10-1.2.mga1 php-snmp-5.3.10-1.2.mga1 php-soap-5.3.10-1.2.mga1 php-sockets-5.3.10-1.2.mga1 php-sqlite3-5.3.10-1.2.mga1 php-sqlite-5.3.10-1.2.mga1 php-sybase_ct-5.3.10-1.2.mga1 php-sysvmsg-5.3.10-1.2.mga1 php-sysvsem-5.3.10-1.2.mga1 php-sysvshm-5.3.10-1.2.mga1 php-tidy-5.3.10-1.2.mga1 php-tokenizer-5.3.10-1.2.mga1 php-xml-5.3.10-1.2.mga1 php-xmlreader-5.3.10-1.2.mga1 php-xmlrpc-5.3.10-1.2.mga1 php-xmlwriter-5.3.10-1.2.mga1 php-xsl-5.3.10-1.2.mga1 php-wddx-5.3.10-1.2.mga1 php-zip-5.3.10-1.2.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.2.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm Just making a minor change in the references. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). 
Scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.2.mga1 php-cgi-5.3.10-1.2.mga1 php-fpm-5.3.10-1.2.mga1 apache-mod_php-5.3.10-1.2.mga1 libphp5_common5-5.3.10-1.2.mga1 php-devel-5.3.10-1.2.mga1 php-openssl-5.3.10-1.2.mga1 php-zlib-5.3.10-1.2.mga1 php-doc-5.3.10-1.2.mga1 php-bcmath-5.3.10-1.2.mga1 php-bz2-5.3.10-1.2.mga1 php-calendar-5.3.10-1.2.mga1 php-ctype-5.3.10-1.2.mga1 php-curl-5.3.10-1.2.mga1 php-dba-5.3.10-1.2.mga1 php-dom-5.3.10-1.2.mga1 php-enchant-5.3.10-1.2.mga1 php-exif-5.3.10-1.2.mga1 php-fileinfo-5.3.10-1.2.mga1 php-filter-5.3.10-1.2.mga1 php-ftp-5.3.10-1.2.mga1 php-gd-5.3.10-1.2.mga1 php-gettext-5.3.10-1.2.mga1 php-gmp-5.3.10-1.2.mga1 php-hash-5.3.10-1.2.mga1 php-iconv-5.3.10-1.2.mga1 php-imap-5.3.10-1.2.mga1 php-intl-5.3.10-1.2.mga1 php-json-5.3.10-1.2.mga1 php-ldap-5.3.10-1.2.mga1 php-mbstring-5.3.10-1.2.mga1 php-mcrypt-5.3.10-1.2.mga1 php-mssql-5.3.10-1.2.mga1 php-mysql-5.3.10-1.2.mga1 php-mysqli-5.3.10-1.2.mga1 php-mysqlnd-5.3.10-1.2.mga1 php-odbc-5.3.10-1.2.mga1 php-pcntl-5.3.10-1.2.mga1 php-pdo-5.3.10-1.2.mga1 php-pdo_dblib-5.3.10-1.2.mga1 php-pdo_mysql-5.3.10-1.2.mga1 php-pdo_odbc-5.3.10-1.2.mga1 php-pdo_pgsql-5.3.10-1.2.mga1 php-pdo_sqlite-5.3.10-1.2.mga1 php-pgsql-5.3.10-1.2.mga1 
php-phar-5.3.10-1.2.mga1 php-posix-5.3.10-1.2.mga1 php-pspell-5.3.10-1.2.mga1 php-readline-5.3.10-1.2.mga1 php-recode-5.3.10-1.2.mga1 php-session-5.3.10-1.2.mga1 php-shmop-5.3.10-1.2.mga1 php-snmp-5.3.10-1.2.mga1 php-soap-5.3.10-1.2.mga1 php-sockets-5.3.10-1.2.mga1 php-sqlite3-5.3.10-1.2.mga1 php-sqlite-5.3.10-1.2.mga1 php-sybase_ct-5.3.10-1.2.mga1 php-sysvmsg-5.3.10-1.2.mga1 php-sysvsem-5.3.10-1.2.mga1 php-sysvshm-5.3.10-1.2.mga1 php-tidy-5.3.10-1.2.mga1 php-tokenizer-5.3.10-1.2.mga1 php-xml-5.3.10-1.2.mga1 php-xmlreader-5.3.10-1.2.mga1 php-xmlrpc-5.3.10-1.2.mga1 php-xmlwriter-5.3.10-1.2.mga1 php-xsl-5.3.10-1.2.mga1 php-wddx-5.3.10-1.2.mga1 php-zip-5.3.10-1.2.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.2.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm Mandriva has issued this advisory this morning (April 27): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 They upgraded to PHP 5.3.11 and upgraded some other packages. PHP now takes the lead on this one. Needed updates submitted. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). 
Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.11-1.mga1 php-cgi-5.3.11-1.mga1 php-fpm-5.3.11-1.mga1 apache-mod_php-5.3.11-1.mga1 libphp5_common5-5.3.11-1.mga1 php-devel-5.3.11-1.mga1 php-openssl-5.3.11-1.mga1 php-zlib-5.3.11-1.mga1 php-doc-5.3.11-1.mga1 php-bcmath-5.3.11-1.mga1 php-bz2-5.3.11-1.mga1 php-calendar-5.3.11-1.mga1 php-ctype-5.3.11-1.mga1 php-curl-5.3.11-1.mga1 php-dba-5.3.11-1.mga1 php-dom-5.3.11-1.mga1 php-enchant-5.3.11-1.mga1 php-exif-5.3.11-1.mga1 php-fileinfo-5.3.11-1.mga1 php-filter-5.3.11-1.mga1 php-ftp-5.3.11-1.mga1 php-gd-5.3.11-1.mga1 php-gettext-5.3.11-1.mga1 php-gmp-5.3.11-1.mga1 php-hash-5.3.11-1.mga1 php-iconv-5.3.11-1.mga1 php-imap-5.3.11-1.mga1 php-intl-5.3.11-1.mga1 php-json-5.3.11-1.mga1 
php-ldap-5.3.11-1.mga1 php-mbstring-5.3.11-1.mga1 php-mcrypt-5.3.11-1.mga1 php-mssql-5.3.11-1.mga1 php-mysql-5.3.11-1.mga1 php-mysqli-5.3.11-1.mga1 php-mysqlnd-5.3.11-1.mga1 php-odbc-5.3.11-1.mga1 php-pcntl-5.3.11-1.mga1 php-pdo-5.3.11-1.mga1 php-pdo_dblib-5.3.11-1.mga1 php-pdo_mysql-5.3.11-1.mga1 php-pdo_odbc-5.3.11-1.mga1 php-pdo_pgsql-5.3.11-1.mga1 php-pdo_sqlite-5.3.11-1.mga1 php-pgsql-5.3.11-1.mga1 php-phar-5.3.11-1.mga1 php-posix-5.3.11-1.mga1 php-pspell-5.3.11-1.mga1 php-readline-5.3.11-1.mga1 php-recode-5.3.11-1.mga1 php-session-5.3.11-1.mga1 php-shmop-5.3.11-1.mga1 php-snmp-5.3.11-1.mga1 php-soap-5.3.11-1.mga1 php-sockets-5.3.11-1.mga1 php-sqlite3-5.3.11-1.mga1 php-sqlite-5.3.11-1.mga1 php-sybase_ct-5.3.11-1.mga1 php-sysvmsg-5.3.11-1.mga1 php-sysvsem-5.3.11-1.mga1 php-sysvshm-5.3.11-1.mga1 php-tidy-5.3.11-1.mga1 php-tokenizer-5.3.11-1.mga1 php-xml-5.3.11-1.mga1 php-xmlreader-5.3.11-1.mga1 php-xmlrpc-5.3.11-1.mga1 php-xmlwriter-5.3.11-1.mga1 php-xsl-5.3.11-1.mga1 php-wddx-5.3.11-1.mga1 php-zip-5.3.11-1.mga1 php-ini-5.3.11-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.11-1.mga1.src.rpm php-ini-5.3.11-1.mga1.src.rpm php-suhosin-0.9.33-1.mga1.src.rpm php-timezonedb-2012.3-1.mga1.src.rpm php-xdebug-2.1.4-1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm There are newly announced major PHP vulnerabilities CVE-2012-1823 and CVE-2012-2311 that need to be fixed now as well. https://bugzilla.redhat.com/show_bug.cgi?id=818907
David Walser
2012-05-04 16:33:45 CEST
Blocks:
(none) =>
5046

Mandriva has issued an advisory for CVE-2012-1823, but it is an incomplete fix, hence CVE-2012-2311 (which hasn't been fixed yet).

Here's the MDV advisory:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068
David Walser
2012-05-04 22:21:42 CEST
Summary:
libzip new security issues CVE-2012-1162 and CVE-2012-1163 =>
libzip and php new security issues CVE-2012-116[23], CVE-2012-1172, CVE-2012-1823, and CVE-2012-2311

OK, hopefully we can finally get this pushed now. Patched package uploaded.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162).

libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163).

PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172).

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311).

Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807).

php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2.

Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 https://bugs.php.net/bug.php?id=61910 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.12-1.1.mga1 php-cgi-5.3.12-1.1.mga1 php-fpm-5.3.12-1.1.mga1 apache-mod_php-5.3.12-1.1.mga1 libphp5_common5-5.3.12-1.1.mga1 php-devel-5.3.12-1.1.mga1 php-openssl-5.3.12-1.1.mga1 php-zlib-5.3.12-1.1.mga1 php-doc-5.3.12-1.1.mga1 php-bcmath-5.3.12-1.1.mga1 php-bz2-5.3.12-1.1.mga1 php-calendar-5.3.12-1.1.mga1 php-ctype-5.3.12-1.1.mga1 php-curl-5.3.12-1.1.mga1 php-dba-5.3.12-1.1.mga1 php-dom-5.3.12-1.1.mga1 php-enchant-5.3.12-1.1.mga1 php-exif-5.3.12-1.1.mga1 php-fileinfo-5.3.12-1.1.mga1 php-filter-5.3.12-1.1.mga1 php-ftp-5.3.12-1.1.mga1 php-gd-5.3.12-1.1.mga1 php-gettext-5.3.12-1.1.mga1 php-gmp-5.3.12-1.1.mga1 php-hash-5.3.12-1.1.mga1 php-iconv-5.3.12-1.1.mga1 php-imap-5.3.12-1.1.mga1 php-intl-5.3.12-1.1.mga1 php-json-5.3.12-1.1.mga1 php-ldap-5.3.12-1.1.mga1 php-mbstring-5.3.12-1.1.mga1 php-mcrypt-5.3.12-1.1.mga1 php-mssql-5.3.12-1.1.mga1 php-mysql-5.3.12-1.1.mga1 php-mysqli-5.3.12-1.1.mga1 php-mysqlnd-5.3.12-1.1.mga1 
php-odbc-5.3.12-1.1.mga1 php-pcntl-5.3.12-1.1.mga1 php-pdo-5.3.12-1.1.mga1 php-pdo_dblib-5.3.12-1.1.mga1 php-pdo_mysql-5.3.12-1.1.mga1 php-pdo_odbc-5.3.12-1.1.mga1 php-pdo_pgsql-5.3.12-1.1.mga1 php-pdo_sqlite-5.3.12-1.1.mga1 php-pgsql-5.3.12-1.1.mga1 php-phar-5.3.12-1.1.mga1 php-posix-5.3.12-1.1.mga1 php-pspell-5.3.12-1.1.mga1 php-readline-5.3.12-1.1.mga1 php-recode-5.3.12-1.1.mga1 php-session-5.3.12-1.1.mga1 php-shmop-5.3.12-1.1.mga1 php-snmp-5.3.12-1.1.mga1 php-soap-5.3.12-1.1.mga1 php-sockets-5.3.12-1.1.mga1 php-sqlite3-5.3.12-1.1.mga1 php-sqlite-5.3.12-1.1.mga1 php-sybase_ct-5.3.12-1.1.mga1 php-sysvmsg-5.3.12-1.1.mga1 php-sysvsem-5.3.12-1.1.mga1 php-sysvshm-5.3.12-1.1.mga1 php-tidy-5.3.12-1.1.mga1 php-tokenizer-5.3.12-1.1.mga1 php-xml-5.3.12-1.1.mga1 php-xmlreader-5.3.12-1.1.mga1 php-xmlrpc-5.3.12-1.1.mga1 php-xmlwriter-5.3.12-1.1.mga1 php-xsl-5.3.12-1.1.mga1 php-wddx-5.3.12-1.1.mga1 php-zip-5.3.12-1.1.mga1 php-ini-5.3.12-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.12-1.1.mga1.src.rpm php-ini-5.3.12-1.mga1.src.rpm php-suhosin-0.9.33-1.mga1.src.rpm php-timezonedb-2012.3-1.mga1.src.rpm php-xdebug-2.1.4-1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm I'm trying to test using ocsinventory, as it requires php-zip. I've created the mysql user and database specified in /etc/httpd/conf/webapps.d/ocsinventory-server.conf, and granted all permissions on the database to the user. When I go to http://localhost/ocsinventory/ocsreports, I get an error ... Can't call method "rollback" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/Server/System.pm line 265. I'm not sure if this is a configuration error, a problem in the application, php, or perl. 
/usr/bin/mysqldiskusage from mysql-utilities has a blank line at the start, so the shebang is not recognized. It works once the line is removed.
Anne Nicolas
2012-05-05 09:43:30 CEST
Blocks:
5046 =>
(none)

(In reply to comment #21)
> I'm trying to test using ocsinventory, as it requires php-zip. I've created
> the mysql user and database specified in
> /etc/httpd/conf/webapps.d/ocsinventory-server.conf, and granted all
> permissions on the database to the user.
>
> When I go to http://localhost/ocsinventory/ocsreports, I get an error ...
> Can't call method "rollback" on an undefined value at
> /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/Server/System.pm line
> 265.
>
> I'm not sure if this is a configuration error, a problem in the application,
> php, or perl.

Can you add a note about this to Bug 5252, so that it can be looked at if we ever make the security update for it?

As for testing php-zip, there are some simple examples you can use here:
http://php.net/manual/en/zip.examples.php

(In reply to comment #22)
> /usr/bin/mysqldiskusage from mysql-utilities has a blank line at the start,
> so the shebang is not recognized. It works once the line is removed.

OK, should be fixed in mysql-workbench-5.2.33b-1.2.mga1

php-eaccelerator needed rebuilt for this update (Bug 5781). Updated advisory.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162).

libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163).

PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172).

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311). Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 https://bugs.php.net/bug.php?id=61910 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.12-1.1.mga1 php-cgi-5.3.12-1.1.mga1 php-fpm-5.3.12-1.1.mga1 apache-mod_php-5.3.12-1.1.mga1 libphp5_common5-5.3.12-1.1.mga1 php-devel-5.3.12-1.1.mga1 
php-openssl-5.3.12-1.1.mga1 php-zlib-5.3.12-1.1.mga1 php-doc-5.3.12-1.1.mga1 php-bcmath-5.3.12-1.1.mga1 php-bz2-5.3.12-1.1.mga1 php-calendar-5.3.12-1.1.mga1 php-ctype-5.3.12-1.1.mga1 php-curl-5.3.12-1.1.mga1 php-dba-5.3.12-1.1.mga1 php-dom-5.3.12-1.1.mga1 php-enchant-5.3.12-1.1.mga1 php-exif-5.3.12-1.1.mga1 php-fileinfo-5.3.12-1.1.mga1 php-filter-5.3.12-1.1.mga1 php-ftp-5.3.12-1.1.mga1 php-gd-5.3.12-1.1.mga1 php-gettext-5.3.12-1.1.mga1 php-gmp-5.3.12-1.1.mga1 php-hash-5.3.12-1.1.mga1 php-iconv-5.3.12-1.1.mga1 php-imap-5.3.12-1.1.mga1 php-intl-5.3.12-1.1.mga1 php-json-5.3.12-1.1.mga1 php-ldap-5.3.12-1.1.mga1 php-mbstring-5.3.12-1.1.mga1 php-mcrypt-5.3.12-1.1.mga1 php-mssql-5.3.12-1.1.mga1 php-mysql-5.3.12-1.1.mga1 php-mysqli-5.3.12-1.1.mga1 php-mysqlnd-5.3.12-1.1.mga1 php-odbc-5.3.12-1.1.mga1 php-pcntl-5.3.12-1.1.mga1 php-pdo-5.3.12-1.1.mga1 php-pdo_dblib-5.3.12-1.1.mga1 php-pdo_mysql-5.3.12-1.1.mga1 php-pdo_odbc-5.3.12-1.1.mga1 php-pdo_pgsql-5.3.12-1.1.mga1 php-pdo_sqlite-5.3.12-1.1.mga1 php-pgsql-5.3.12-1.1.mga1 php-phar-5.3.12-1.1.mga1 php-posix-5.3.12-1.1.mga1 php-pspell-5.3.12-1.1.mga1 php-readline-5.3.12-1.1.mga1 php-recode-5.3.12-1.1.mga1 php-session-5.3.12-1.1.mga1 php-shmop-5.3.12-1.1.mga1 php-snmp-5.3.12-1.1.mga1 php-soap-5.3.12-1.1.mga1 php-sockets-5.3.12-1.1.mga1 php-sqlite3-5.3.12-1.1.mga1 php-sqlite-5.3.12-1.1.mga1 php-sybase_ct-5.3.12-1.1.mga1 php-sysvmsg-5.3.12-1.1.mga1 php-sysvsem-5.3.12-1.1.mga1 php-sysvshm-5.3.12-1.1.mga1 php-tidy-5.3.12-1.1.mga1 php-tokenizer-5.3.12-1.1.mga1 php-xml-5.3.12-1.1.mga1 php-xmlreader-5.3.12-1.1.mga1 php-xmlrpc-5.3.12-1.1.mga1 php-xmlwriter-5.3.12-1.1.mga1 php-xsl-5.3.12-1.1.mga1 php-wddx-5.3.12-1.1.mga1 php-zip-5.3.12-1.1.mga1 php-ini-5.3.12-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 php-eaccelerator-0.9.6.1-6.4.mga1 php-eaccelerator-admin-0.9.6.1-6.4.mga1 mysql-workbench-5.2.33b-1.2.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.2.mga1 ebook-tools-0.1.1-5.1.mga1 
libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1

from SRPMS:
libzip-0.10.1-1.mga1.src.rpm
php-5.3.12-1.1.mga1.src.rpm
php-ini-5.3.12-1.mga1.src.rpm
php-suhosin-0.9.33-1.mga1.src.rpm
php-timezonedb-2012.3-1.mga1.src.rpm
php-xdebug-2.1.4-1.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.4.mga1.src.rpm
mysql-workbench-5.2.33b-1.2.mga1.src.rpm
ebook-tools-0.1.1-5.1.mga1.src.rpm

Testing complete on i586 for php/zip/php-cli using the first example from http://php.net/manual/en/zip.examples.php

Note when testing, change the "/too.php" and "/testfromfile.php" to "./too.php","./testfromfile.php", and create ./too.php in the current directory. (It'll be called testfromfile.php in the zip).

Testing complete on i586 for mysql-workbench, using it to create a new table.

Testing complete on i586 for ebook-tools, using einfo on an epub file. Note that lit2epub fails as the command clit is not found, but that is not a regression. The command is not in any Mageia or Mandriva 2010.2 rpm package.

Testing complete on i586 for php itself using phpmyadmin.

I'm not going to try and ensure each php module is tested, just that they all install cleanly.

I consider testing for this update complete for i586.

The fix to the latest PHP security problem is *still* incomplete, so PHP and Mandriva issued another update to PHP 5.3.13 to fix CVE-2012-2335, CVE-2012-2336. Now that Cauldron is frozen, this will need to be built as an update for Mageia 2 and tested there as well.
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068-1

As discussed on IRC, QA is not responsible for testing updates in Cauldron. Until Cauldron is branched into final release, testing of updates there should be carried out in the usual manner and updates push requests posted to the dev ML as normal. Thanks.

OK, it passes all of my QA tests with a local build of 5.3.13 in both Mageia 1 and Cauldron. I've made a Freeze push request for Cauldron.
Once that gets built I'll submit the Mageia 1 build and update the advisory.

OK, built for Cauldron and Mageia 1.

Advisory:
========================

Updated php and libzip packages fix security vulnerabilities:

libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162).

libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163).

PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172).

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336).

Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807).

php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2.

Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163
http://seclists.org/oss-sec/2012/q1/710
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172
http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807
http://www.php.net/ChangeLog-5.php#5.3.11
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336
http://www.openwall.com/lists/oss-security/2012/05/09/9
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068-1
========================

Updated packages in core/updates_testing:
========================
libzip-0.10.1-1.mga1
libzip2-0.10.1-1.mga1
libzip-devel-0.10.1-1.mga1
php-cli-5.3.13-1.mga1
php-cgi-5.3.13-1.mga1
php-fpm-5.3.13-1.mga1
apache-mod_php-5.3.13-1.mga1
libphp5_common5-5.3.13-1.mga1
php-devel-5.3.13-1.mga1
php-openssl-5.3.13-1.mga1
php-zlib-5.3.13-1.mga1
php-doc-5.3.13-1.mga1
php-bcmath-5.3.13-1.mga1
php-bz2-5.3.13-1.mga1
php-calendar-5.3.13-1.mga1
php-ctype-5.3.13-1.mga1
php-curl-5.3.13-1.mga1
php-dba-5.3.13-1.mga1
php-dom-5.3.13-1.mga1
php-enchant-5.3.13-1.mga1
php-exif-5.3.13-1.mga1
php-fileinfo-5.3.13-1.mga1
php-filter-5.3.13-1.mga1
php-ftp-5.3.13-1.mga1
php-gd-5.3.13-1.mga1
php-gettext-5.3.13-1.mga1
php-gmp-5.3.13-1.mga1
php-hash-5.3.13-1.mga1
php-iconv-5.3.13-1.mga1
php-imap-5.3.13-1.mga1
php-intl-5.3.13-1.mga1
php-json-5.3.13-1.mga1
php-ldap-5.3.13-1.mga1
php-mbstring-5.3.13-1.mga1
php-mcrypt-5.3.13-1.mga1
php-mssql-5.3.13-1.mga1
php-mysql-5.3.13-1.mga1
php-mysqli-5.3.13-1.mga1
php-mysqlnd-5.3.13-1.mga1
php-odbc-5.3.13-1.mga1
php-pcntl-5.3.13-1.mga1
php-pdo-5.3.13-1.mga1
php-pdo_dblib-5.3.13-1.mga1
php-pdo_mysql-5.3.13-1.mga1
php-pdo_odbc-5.3.13-1.mga1
php-pdo_pgsql-5.3.13-1.mga1
php-pdo_sqlite-5.3.13-1.mga1
php-pgsql-5.3.13-1.mga1
php-phar-5.3.13-1.mga1
php-posix-5.3.13-1.mga1
php-pspell-5.3.13-1.mga1
php-readline-5.3.13-1.mga1
php-recode-5.3.13-1.mga1
php-session-5.3.13-1.mga1
php-shmop-5.3.13-1.mga1
php-snmp-5.3.13-1.mga1
php-soap-5.3.13-1.mga1
php-sockets-5.3.13-1.mga1
php-sqlite3-5.3.13-1.mga1
php-sqlite-5.3.13-1.mga1
php-sybase_ct-5.3.13-1.mga1
php-sysvmsg-5.3.13-1.mga1
php-sysvsem-5.3.13-1.mga1
php-sysvshm-5.3.13-1.mga1
php-tidy-5.3.13-1.mga1
php-tokenizer-5.3.13-1.mga1
php-xml-5.3.13-1.mga1
php-xmlreader-5.3.13-1.mga1
php-xmlrpc-5.3.13-1.mga1
php-xmlwriter-5.3.13-1.mga1
php-xsl-5.3.13-1.mga1
php-wddx-5.3.13-1.mga1
php-zip-5.3.13-1.mga1
php-ini-5.3.13-1.mga1
php-eaccelerator-0.9.6.1-6.5.mga1
php-eaccelerator-admin-0.9.6.1-6.5.mga1
php-suhosin-0.9.33-1.mga1
php-timezonedb-2012.3-1.mga1
php-xdebug-2.1.4-1.mga1
mysql-workbench-5.2.33b-1.2.mga1
mysql-utilities-1.0.0-0.5.2.33b.1.2.mga1
ebook-tools-0.1.1-5.1.mga1
libepub0-0.1.1-5.1.mga1
ebook-tools-devel-0.1.1-5.1.mga1

from SRPMS:
libzip-0.10.1-1.mga1.src.rpm
php-5.3.13-1.mga1.src.rpm
php-ini-5.3.13-1.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.5.mga1.src.rpm
php-suhosin-0.9.33-1.mga1.src.rpm
php-timezonedb-2012.3-1.mga1.src.rpm
php-xdebug-2.1.4-1.mga1.src.rpm
mysql-workbench-5.2.33b-1.2.mga1.src.rpm
ebook-tools-0.1.1-5.1.mga1.src.rpm

Testing x86_64

Tested libzip with the info in Dave's comment 26

Tested php with zoneminder, phpmyadmin, mediawiki, wordpress and some test scripts

Checked eaccelerator and apc with their admin packages also php -i shows no errors

Used mysql-workbench to connect to localhost.
Downloaded an epub book from Project Gutenberg

$ einfo -vvv thebook.epub

Shows ebook info however:

$ lit2epub

Gives an error that it is missing 'clit' so I guess there is a missing require but I'm not sure what it is missing..

which: no clit in (/usr/local/bin:/bin:/usr/bin:/usr/games:/usr/lib/qt4/bin:/home/claire/bin)
Can't find clit, please make sure it is in your path

# urpmq -a clit
lib64pcsclite-devel
lib64pcsclite-static-devel
lib64pcsclite1
libpcsclite-devel
libpcsclite-static-devel
libpcsclite1

It is not a regression though so I'll create a new bug for that.

Testing complete x86_64

bug 5871 created for lit2epub

Validating the update.

Could someone from the sysadmin team push the srpms
libzip-0.10.1-1.mga1.src.rpm
php-5.3.13-1.mga1.src.rpm
php-ini-5.3.13-1.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.5.mga1.src.rpm
php-suhosin-0.9.33-1.mga1.src.rpm
php-timezonedb-2012.3-1.mga1.src.rpm
php-xdebug-2.1.4-1.mga1.src.rpm
mysql-workbench-5.2.33b-1.2.mga1.src.rpm
ebook-tools-0.1.1-5.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

See Comment 30 for the advisory.

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED