Bug 13112 - libzip causes crashes in php-zip
Summary: libzip causes crashes in php-zip
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/593611/
Whiteboard: MGA4-64-OK mga4-32-ok advisory has_pr...
Keywords: validated_update
Depends on:
Blocks: 13050
Reported: 2014-03-28 16:49 CET by David Walser
Modified: 2014-04-07 23:14 CEST

See Also:
Source RPM: libzip-0.11.1-2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-03-28 16:49:21 CET
The exact problem I was seeing was when backing up a course in Moodle: it would crash halfway through performing the backup, causing httpd to segfault.

Upgrading libzip fixes this problem.

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
----------------------------------------

The libzip library has been updated to version 0.11.2, which fixes crashes
that affected php-zip and possibly other users of the library.

References:
http://www.nih.at/listarchive/libzip-discuss/msg00417.html
----------------------------------------
Updated packages in core/updates_testing:
----------------------------------------
libzip-0.11.2-1.mga4
libzip2-0.11.2-1.mga4
libzip-devel-0.11.2-1.mga4

from libzip-0.11.2-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-04 18:53:32 CEST

Blocks: (none) => 13050

Comment 1 David Walser 2014-04-04 18:55:06 CEST
There's a simple PoC on Bug 13050:
<?php
$za = new ZipArchive();
$flags = ZIPARCHIVE::CREATE;
$result = $za->open("/tmp/test.zip", $flags);
var_dump($result);
$za->addEmptyDir('activities/');
?>

Save that in a file called ziptest.php, install php-zip and php-cli, and run it as "php ziptest.php".

It should segfault before the libzip update, and not segfault after it.

I've confirmed the PoC is fixed on Mageia 4 i586.
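
Added example (not part of the bug thread or of Mageia's QA tooling): a shell wrapper for the before/after check described in Comment 1, which reports a crash by reading the exit status 139 (128 + SIGSEGV). The helper names, the --run switch and the temporary path are assumptions.

```shell
#!/bin/sh
# Constructed regression check for the PoC in Comment 1 (helper names are hypothetical).

# A process killed by signal N is reported by the shell as status 128+N, so the
# segfault described in this bug appears as 139 (SIGSEGV = 11). Statuses above
# 192 are plain exit codes (PHP fatal errors exit with 255), not signals.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        sig=$((status - 128))
        if [ "$sig" -eq 11 ]; then echo "segfault"; else echo "signal-$sig"; fi
    else
        echo "error-$status"
    fi
}

# Run a command with output discarded and print the verdict for its status.
# The "|| rc=$?" form keeps the check usable under "set -e".
run_and_classify() {
    rc=0
    ( "$@" ) >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Write the PoC into a private temp dir (instead of the fixed /tmp/test.zip)
# and run it with php-cli; prints ok, segfault, error-N or php-missing.
check_libzip_poc() {
    command -v php >/dev/null 2>&1 || { echo "php-missing"; return 0; }
    dir=$(mktemp -d) || return 1
    cat > "$dir/ziptest.php" <<'EOF'
<?php
$za = new ZipArchive();
$result = $za->open($argv[1], ZIPARCHIVE::CREATE);
var_dump($result);
$za->addEmptyDir('activities/');
EOF
    verdict=$(run_and_classify php "$dir/ziptest.php" "$dir/test.zip")
    rm -rf "$dir"
    echo "$verdict"
}

# Only run the PoC when asked to, e.g. "sh ziptest.sh --run" before and after the update.
if [ "${1:-}" = "--run" ]; then
    check_libzip_poc
fi
```

An "error-255" verdict usually means PHP itself failed, for example because php-zip is not installed, so it should not be read as the fix being confirmed.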
Comment 2 Shlomi Fish 2014-04-04 19:21:40 CEST
PoC is fixed on Mageia 4 x86-64 (in a VBox VM). It was broken before the upgrade.

CC: (none) => shlomif
Whiteboard: (none) => MGA4-64-OK has_procedure

Comment 3 David Walser 2014-04-04 19:29:26 CEST
Thanks Shlomi!  Since I've confirmed the fix on i586 with both Moodle and the script in Comment 1, this could be validated.
Comment 4 Shlomi Fish 2014-04-04 19:35:57 CEST
PoC exploit segfaults on a Mageia 4 i586 VM before the update and is fixed on it after the update. Marking as MGA4-32-OK.
Comment 5 Shlomi Fish 2014-04-04 19:36:43 CEST
Marking now.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Comment 6 claire robinson 2014-04-04 19:38:11 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 4 updates?

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => MGA4-64-OK mga4-32-ok advisory has_procedure
CC: (none) => sysadmin-bugs

Comment 7 Damien Lallement 2014-04-04 19:55:45 CEST
http://advisories.mageia.org/MGASA-2014-0164.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-04-07 23:14:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/593611/
