These are heap overflow and integer overflow vulnerabilities that were just announced. libzip 0.10.1 has been issued to fix this, but we have an older version in Mageia 1. PHP (likely the php-zip subpackage) is also vulnerable to this, but PHP has not issued an update yet. Cauldron is also vulnerable. I checked the 0.10.1 update into SVN, but have not tested it or asked for a freeze push yet. Obviously PHP in Cauldron is still vulnerable. References: http://seclists.org/oss-sec/2012/q1/710 https://bugzilla.redhat.com/show_bug.cgi?id=802564 https://bugzilla.redhat.com/show_bug.cgi?id=803028
Blocks: (none) => 5046
Mandriva has issued an advisory for this today (March 23): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 They just upgraded the 2010.2 version to the new one, so now we know how to proceed.
ennael tried to build this in Cauldron, but one of the tests failed when building on the build system. Hopefully someone can help fix this. For Mageia 1, updating to the new version will change the major of the lib package, so I think php, ebook-tools, and mysql-workbench will need to be rebuilt along with this.
CC: (none) => fundawang
CC: (none) => pterjan
For cauldron, the decryption test fails on x86_64 (indicating a real bug), their CRC32 macro giving a wrong value, but I did not manage to fix it so far.
Reported on http://www.nih.at/listarchive/libzip-discuss/msg00258.html
IMHO the problem is the static const uLongf *crc = NULL; because: typedef unsigned long int uLong; typedef uLong uLongf; will be 32bit on i586 and 64bit on x86_64 ...
CC: (none) => herbert
Well the table really contains longs, this uLongf comes from the zlib API. However I don't think accessing the table directly is part of the API... on i586 crc[0x1b] = 8a65c9ec on x86_64 crc[0x1b] = cfba9599
OK you are right, the problem is that it doesn't read the right address in the table, and changing the declaration of crc to be uint32_t fixes it :) I am sure zlib stored UL numbers in the table, I will check again.
Seeing crc32.h and crc32.c in zlib, the type is definitely unsigned long and it gets filled with 0x00000000UL, 0x77073096UL, ... So I don't understand what is happening...
Ah sorry I had missed something, it is #define dependent. Since 1.2.5.1 (10 Sep 2011) crc_table_t is now 4 bytes unless NOBYFOUR is defined, so even if get_crc_table returns an unsigned long *, it is actually an uint32_t.
I committed the fix to svn.
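Added example (not code from libzip, zlib, or the commenters): a C model of the mismatch discussed above, where a table stored as 4-byte entries is indexed through a pointer whose element type is 8 bytes wide on x86_64. The table is generated locally with the standard CRC-32 polynomial instead of calling zlib, and table_bytes, read_entry, count_bad_indexes and crc32_with are illustrative names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the library's table: 256 entries of 4 bytes. */
static uint32_t crc_table[256];
static int table_ready;

static void build_table(void)
{
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    table_ready = 1;
}

/* Hypothetical accessor: hands out the table without its element type. */
static const unsigned char *table_bytes(void)
{
    if (!table_ready)
        build_table();
    return (const unsigned char *)crc_table;
}

/* Emulates `elem_t *crc = table; crc[idx]` for elements of elem_size bytes,
 * using memcpy so the demonstration has no undefined behaviour of its own.
 * Stores the value truncated to 32 bits and returns 0, or returns -1 when
 * the read would fall outside the 1024-byte table. */
int read_entry(unsigned idx, size_t elem_size, uint32_t *out)
{
    const unsigned char *base = table_bytes();
    size_t off = (size_t)idx * elem_size;

    if (idx > 0xff || off + elem_size > sizeof crc_table)
        return -1;
    if (elem_size == sizeof(uint32_t)) {
        uint32_t v;
        memcpy(&v, base + off, sizeof v);
        *out = v;
    } else if (elem_size == sizeof(uint64_t)) {
        uint64_t v;
        memcpy(&v, base + off, sizeof v);
        *out = (uint32_t)v;
    } else {
        return -1;
    }
    return 0;
}

/* How many of the 256 indexes come back wrong or unreadable. */
int count_bad_indexes(size_t elem_size)
{
    int bad = 0;

    table_bytes(); /* make sure the reference table exists */
    for (unsigned i = 0; i < 256; i++) {
        uint32_t got;
        if (read_entry(i, elem_size, &got) != 0 || got != crc_table[i])
            bad++;
    }
    return bad;
}

/* CRC-32 of buf with table lookups of elem_size bytes; -1 if a lookup
 * would leave the table. */
int crc32_with(const unsigned char *buf, size_t len, size_t elem_size,
               uint32_t *crc_out)
{
    uint32_t c = 0xFFFFFFFFu;

    for (size_t i = 0; i < len; i++) {
        uint32_t e;
        if (read_entry((c ^ buf[i]) & 0xffu, elem_size, &e) != 0)
            return -1;
        c = e ^ (c >> 8);
    }
    *crc_out = c ^ 0xFFFFFFFFu;
    return 0;
}

int main(void)
{
    size_t widths[] = { sizeof(uint32_t), sizeof(uint64_t) };
    uint32_t v, crc;

    for (int i = 0; i < 2; i++) {
        size_t w = widths[i];
        printf("%zu-byte elements: ", w);
        if (read_entry(0x1b, w, &v) == 0)
            printf("crc[0x1b] = %08x, ", (unsigned)v);
        printf("bad indexes = %d, ", count_bad_indexes(w));
        if (crc32_with((const unsigned char *)"123456789", 9, w, &crc) == 0)
            printf("crc32 = %08x\n", (unsigned)crc);
        else
            printf("crc32 lookup left the table\n");
    }
    return 0;
}
```

With 8-byte elements, every index from 0x80 upward addresses memory past the end of the table, so the mismatch is an out-of-bounds read as well as a wrong checksum.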
Blocks: 5046 => (none)
Updated and rebuilt packages uploaded for Mageia 1. Note to QA: the thing to really focus on here for testing is to make sure that php-zip works. Advisory: ======================== Updated libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.1.mga1 php-cgi-5.3.10-1.1.mga1 php-fpm-5.3.10-1.1.mga1 apache-mod_php-5.3.10-1.1.mga1 libphp5_common5-5.3.10-1.1.mga1 php-devel-5.3.10-1.1.mga1 php-openssl-5.3.10-1.1.mga1 php-zlib-5.3.10-1.1.mga1 php-doc-5.3.10-1.1.mga1 php-bcmath-5.3.10-1.1.mga1 php-bz2-5.3.10-1.1.mga1 php-calendar-5.3.10-1.1.mga1 php-ctype-5.3.10-1.1.mga1 php-curl-5.3.10-1.1.mga1 php-dba-5.3.10-1.1.mga1 php-dom-5.3.10-1.1.mga1 php-enchant-5.3.10-1.1.mga1 php-exif-5.3.10-1.1.mga1 php-fileinfo-5.3.10-1.1.mga1 php-filter-5.3.10-1.1.mga1 php-ftp-5.3.10-1.1.mga1 php-gd-5.3.10-1.1.mga1 php-gettext-5.3.10-1.1.mga1 php-gmp-5.3.10-1.1.mga1 php-hash-5.3.10-1.1.mga1 php-iconv-5.3.10-1.1.mga1 php-imap-5.3.10-1.1.mga1 php-intl-5.3.10-1.1.mga1 php-json-5.3.10-1.1.mga1 php-ldap-5.3.10-1.1.mga1 php-mbstring-5.3.10-1.1.mga1 php-mcrypt-5.3.10-1.1.mga1 php-mssql-5.3.10-1.1.mga1 php-mysql-5.3.10-1.1.mga1 
php-mysqli-5.3.10-1.1.mga1 php-mysqlnd-5.3.10-1.1.mga1 php-odbc-5.3.10-1.1.mga1 php-pcntl-5.3.10-1.1.mga1 php-pdo-5.3.10-1.1.mga1 php-pdo_dblib-5.3.10-1.1.mga1 php-pdo_mysql-5.3.10-1.1.mga1 php-pdo_odbc-5.3.10-1.1.mga1 php-pdo_pgsql-5.3.10-1.1.mga1 php-pdo_sqlite-5.3.10-1.1.mga1 php-pgsql-5.3.10-1.1.mga1 php-phar-5.3.10-1.1.mga1 php-posix-5.3.10-1.1.mga1 php-pspell-5.3.10-1.1.mga1 php-readline-5.3.10-1.1.mga1 php-recode-5.3.10-1.1.mga1 php-session-5.3.10-1.1.mga1 php-shmop-5.3.10-1.1.mga1 php-snmp-5.3.10-1.1.mga1 php-soap-5.3.10-1.1.mga1 php-sockets-5.3.10-1.1.mga1 php-sqlite3-5.3.10-1.1.mga1 php-sqlite-5.3.10-1.1.mga1 php-sybase_ct-5.3.10-1.1.mga1 php-sysvmsg-5.3.10-1.1.mga1 php-sysvsem-5.3.10-1.1.mga1 php-sysvshm-5.3.10-1.1.mga1 php-tidy-5.3.10-1.1.mga1 php-tokenizer-5.3.10-1.1.mga1 php-xml-5.3.10-1.1.mga1 php-xmlreader-5.3.10-1.1.mga1 php-xmlrpc-5.3.10-1.1.mga1 php-xmlwriter-5.3.10-1.1.mga1 php-xsl-5.3.10-1.1.mga1 php-wddx-5.3.10-1.1.mga1 php-zip-5.3.10-1.1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Severity: normal => major
I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet. If you already knew about it, sorry for the noise.
I'm still in the process of identifying and testing all of the packages that are affected by the update to mysql, and expect to complete the testing of the related bugs at the same time.
CC: (none) => davidwhodgins
I found out about another PHP CVE and fixed it. There's a PoC on Bug 5575. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). Scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 https://bugzilla.novell.com/show_bug.cgi?id=752030 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.2.mga1 php-cgi-5.3.10-1.2.mga1 php-fpm-5.3.10-1.2.mga1 apache-mod_php-5.3.10-1.2.mga1 libphp5_common5-5.3.10-1.2.mga1 php-devel-5.3.10-1.2.mga1 php-openssl-5.3.10-1.2.mga1 php-zlib-5.3.10-1.2.mga1 php-doc-5.3.10-1.2.mga1 php-bcmath-5.3.10-1.2.mga1 php-bz2-5.3.10-1.2.mga1 php-calendar-5.3.10-1.2.mga1 php-ctype-5.3.10-1.2.mga1 php-curl-5.3.10-1.2.mga1 php-dba-5.3.10-1.2.mga1 php-dom-5.3.10-1.2.mga1 php-enchant-5.3.10-1.2.mga1 php-exif-5.3.10-1.2.mga1 php-fileinfo-5.3.10-1.2.mga1 php-filter-5.3.10-1.2.mga1 php-ftp-5.3.10-1.2.mga1 php-gd-5.3.10-1.2.mga1 php-gettext-5.3.10-1.2.mga1 php-gmp-5.3.10-1.2.mga1 php-hash-5.3.10-1.2.mga1 php-iconv-5.3.10-1.2.mga1 
php-imap-5.3.10-1.2.mga1 php-intl-5.3.10-1.2.mga1 php-json-5.3.10-1.2.mga1 php-ldap-5.3.10-1.2.mga1 php-mbstring-5.3.10-1.2.mga1 php-mcrypt-5.3.10-1.2.mga1 php-mssql-5.3.10-1.2.mga1 php-mysql-5.3.10-1.2.mga1 php-mysqli-5.3.10-1.2.mga1 php-mysqlnd-5.3.10-1.2.mga1 php-odbc-5.3.10-1.2.mga1 php-pcntl-5.3.10-1.2.mga1 php-pdo-5.3.10-1.2.mga1 php-pdo_dblib-5.3.10-1.2.mga1 php-pdo_mysql-5.3.10-1.2.mga1 php-pdo_odbc-5.3.10-1.2.mga1 php-pdo_pgsql-5.3.10-1.2.mga1 php-pdo_sqlite-5.3.10-1.2.mga1 php-pgsql-5.3.10-1.2.mga1 php-phar-5.3.10-1.2.mga1 php-posix-5.3.10-1.2.mga1 php-pspell-5.3.10-1.2.mga1 php-readline-5.3.10-1.2.mga1 php-recode-5.3.10-1.2.mga1 php-session-5.3.10-1.2.mga1 php-shmop-5.3.10-1.2.mga1 php-snmp-5.3.10-1.2.mga1 php-soap-5.3.10-1.2.mga1 php-sockets-5.3.10-1.2.mga1 php-sqlite3-5.3.10-1.2.mga1 php-sqlite-5.3.10-1.2.mga1 php-sybase_ct-5.3.10-1.2.mga1 php-sysvmsg-5.3.10-1.2.mga1 php-sysvsem-5.3.10-1.2.mga1 php-sysvshm-5.3.10-1.2.mga1 php-tidy-5.3.10-1.2.mga1 php-tokenizer-5.3.10-1.2.mga1 php-xml-5.3.10-1.2.mga1 php-xmlreader-5.3.10-1.2.mga1 php-xmlrpc-5.3.10-1.2.mga1 php-xmlwriter-5.3.10-1.2.mga1 php-xsl-5.3.10-1.2.mga1 php-wddx-5.3.10-1.2.mga1 php-zip-5.3.10-1.2.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.2.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
Just making a minor change in the references. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). Scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). Additionally, php, mysql-workbench, and ebook-tools have been rebuilt to make use of the updated libzip library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.10-1.2.mga1 php-cgi-5.3.10-1.2.mga1 php-fpm-5.3.10-1.2.mga1 apache-mod_php-5.3.10-1.2.mga1 libphp5_common5-5.3.10-1.2.mga1 php-devel-5.3.10-1.2.mga1 php-openssl-5.3.10-1.2.mga1 php-zlib-5.3.10-1.2.mga1 php-doc-5.3.10-1.2.mga1 php-bcmath-5.3.10-1.2.mga1 php-bz2-5.3.10-1.2.mga1 php-calendar-5.3.10-1.2.mga1 php-ctype-5.3.10-1.2.mga1 php-curl-5.3.10-1.2.mga1 php-dba-5.3.10-1.2.mga1 php-dom-5.3.10-1.2.mga1 php-enchant-5.3.10-1.2.mga1 php-exif-5.3.10-1.2.mga1 php-fileinfo-5.3.10-1.2.mga1 php-filter-5.3.10-1.2.mga1 php-ftp-5.3.10-1.2.mga1 php-gd-5.3.10-1.2.mga1 php-gettext-5.3.10-1.2.mga1 php-gmp-5.3.10-1.2.mga1 php-hash-5.3.10-1.2.mga1 php-iconv-5.3.10-1.2.mga1 php-imap-5.3.10-1.2.mga1 
php-intl-5.3.10-1.2.mga1 php-json-5.3.10-1.2.mga1 php-ldap-5.3.10-1.2.mga1 php-mbstring-5.3.10-1.2.mga1 php-mcrypt-5.3.10-1.2.mga1 php-mssql-5.3.10-1.2.mga1 php-mysql-5.3.10-1.2.mga1 php-mysqli-5.3.10-1.2.mga1 php-mysqlnd-5.3.10-1.2.mga1 php-odbc-5.3.10-1.2.mga1 php-pcntl-5.3.10-1.2.mga1 php-pdo-5.3.10-1.2.mga1 php-pdo_dblib-5.3.10-1.2.mga1 php-pdo_mysql-5.3.10-1.2.mga1 php-pdo_odbc-5.3.10-1.2.mga1 php-pdo_pgsql-5.3.10-1.2.mga1 php-pdo_sqlite-5.3.10-1.2.mga1 php-pgsql-5.3.10-1.2.mga1 php-phar-5.3.10-1.2.mga1 php-posix-5.3.10-1.2.mga1 php-pspell-5.3.10-1.2.mga1 php-readline-5.3.10-1.2.mga1 php-recode-5.3.10-1.2.mga1 php-session-5.3.10-1.2.mga1 php-shmop-5.3.10-1.2.mga1 php-snmp-5.3.10-1.2.mga1 php-soap-5.3.10-1.2.mga1 php-sockets-5.3.10-1.2.mga1 php-sqlite3-5.3.10-1.2.mga1 php-sqlite-5.3.10-1.2.mga1 php-sybase_ct-5.3.10-1.2.mga1 php-sysvmsg-5.3.10-1.2.mga1 php-sysvsem-5.3.10-1.2.mga1 php-sysvshm-5.3.10-1.2.mga1 php-tidy-5.3.10-1.2.mga1 php-tokenizer-5.3.10-1.2.mga1 php-xml-5.3.10-1.2.mga1 php-xmlreader-5.3.10-1.2.mga1 php-xmlrpc-5.3.10-1.2.mga1 php-xmlwriter-5.3.10-1.2.mga1 php-xsl-5.3.10-1.2.mga1 php-wddx-5.3.10-1.2.mga1 php-zip-5.3.10-1.2.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.10-1.2.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
Mandriva has issued this advisory this morning (April 27): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 They upgraded to PHP 5.3.11 and upgraded some other packages.
PHP now takes the lead on this one. Needed updates submitted. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.11-1.mga1 php-cgi-5.3.11-1.mga1 php-fpm-5.3.11-1.mga1 apache-mod_php-5.3.11-1.mga1 libphp5_common5-5.3.11-1.mga1 php-devel-5.3.11-1.mga1 php-openssl-5.3.11-1.mga1 php-zlib-5.3.11-1.mga1 php-doc-5.3.11-1.mga1 php-bcmath-5.3.11-1.mga1 php-bz2-5.3.11-1.mga1 php-calendar-5.3.11-1.mga1 php-ctype-5.3.11-1.mga1 php-curl-5.3.11-1.mga1 php-dba-5.3.11-1.mga1 php-dom-5.3.11-1.mga1 php-enchant-5.3.11-1.mga1 php-exif-5.3.11-1.mga1 php-fileinfo-5.3.11-1.mga1 php-filter-5.3.11-1.mga1 php-ftp-5.3.11-1.mga1 php-gd-5.3.11-1.mga1 php-gettext-5.3.11-1.mga1 php-gmp-5.3.11-1.mga1 php-hash-5.3.11-1.mga1 php-iconv-5.3.11-1.mga1 php-imap-5.3.11-1.mga1 php-intl-5.3.11-1.mga1 php-json-5.3.11-1.mga1 php-ldap-5.3.11-1.mga1 php-mbstring-5.3.11-1.mga1 php-mcrypt-5.3.11-1.mga1 php-mssql-5.3.11-1.mga1 php-mysql-5.3.11-1.mga1 php-mysqli-5.3.11-1.mga1 php-mysqlnd-5.3.11-1.mga1 php-odbc-5.3.11-1.mga1 php-pcntl-5.3.11-1.mga1 php-pdo-5.3.11-1.mga1 php-pdo_dblib-5.3.11-1.mga1 php-pdo_mysql-5.3.11-1.mga1 php-pdo_odbc-5.3.11-1.mga1 php-pdo_pgsql-5.3.11-1.mga1 php-pdo_sqlite-5.3.11-1.mga1 php-pgsql-5.3.11-1.mga1 php-phar-5.3.11-1.mga1 php-posix-5.3.11-1.mga1 php-pspell-5.3.11-1.mga1 php-readline-5.3.11-1.mga1 php-recode-5.3.11-1.mga1 php-session-5.3.11-1.mga1 
php-shmop-5.3.11-1.mga1 php-snmp-5.3.11-1.mga1 php-soap-5.3.11-1.mga1 php-sockets-5.3.11-1.mga1 php-sqlite3-5.3.11-1.mga1 php-sqlite-5.3.11-1.mga1 php-sybase_ct-5.3.11-1.mga1 php-sysvmsg-5.3.11-1.mga1 php-sysvsem-5.3.11-1.mga1 php-sysvshm-5.3.11-1.mga1 php-tidy-5.3.11-1.mga1 php-tokenizer-5.3.11-1.mga1 php-xml-5.3.11-1.mga1 php-xmlreader-5.3.11-1.mga1 php-xmlrpc-5.3.11-1.mga1 php-xmlwriter-5.3.11-1.mga1 php-xsl-5.3.11-1.mga1 php-wddx-5.3.11-1.mga1 php-zip-5.3.11-1.mga1 php-ini-5.3.11-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.11-1.mga1.src.rpm php-ini-5.3.11-1.mga1.src.rpm php-suhosin-0.9.33-1.mga1.src.rpm php-timezonedb-2012.3-1.mga1.src.rpm php-xdebug-2.1.4-1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
There are newly announced major PHP vulnerabilities CVE-2012-1823 and CVE-2012-2311 that need to be fixed now as well. https://bugzilla.redhat.com/show_bug.cgi?id=818907
Mandriva has issued an advisory for CVE-2012-1823, but it is an incomplete fix, hence CVE-2012-2311 (which hasn't been fixed yet). Here's the MDV advisory: http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068
Summary: libzip new security issues CVE-2012-1162 and CVE-2012-1163 => libzip and php new security issues CVE-2012-116[23], CVE-2012-1172, CVE-2012-1823, and CVE-2012-2311
OK, hopefully we can finally get this pushed now. Patched package uploaded. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311). Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 https://bugs.php.net/bug.php?id=61910 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.12-1.1.mga1 php-cgi-5.3.12-1.1.mga1 php-fpm-5.3.12-1.1.mga1 apache-mod_php-5.3.12-1.1.mga1 libphp5_common5-5.3.12-1.1.mga1 php-devel-5.3.12-1.1.mga1 php-openssl-5.3.12-1.1.mga1 php-zlib-5.3.12-1.1.mga1 php-doc-5.3.12-1.1.mga1 php-bcmath-5.3.12-1.1.mga1 php-bz2-5.3.12-1.1.mga1 php-calendar-5.3.12-1.1.mga1 php-ctype-5.3.12-1.1.mga1 php-curl-5.3.12-1.1.mga1 php-dba-5.3.12-1.1.mga1 php-dom-5.3.12-1.1.mga1 php-enchant-5.3.12-1.1.mga1 php-exif-5.3.12-1.1.mga1 php-fileinfo-5.3.12-1.1.mga1 php-filter-5.3.12-1.1.mga1 php-ftp-5.3.12-1.1.mga1 php-gd-5.3.12-1.1.mga1 php-gettext-5.3.12-1.1.mga1 php-gmp-5.3.12-1.1.mga1 php-hash-5.3.12-1.1.mga1 php-iconv-5.3.12-1.1.mga1 php-imap-5.3.12-1.1.mga1 php-intl-5.3.12-1.1.mga1 php-json-5.3.12-1.1.mga1 php-ldap-5.3.12-1.1.mga1 php-mbstring-5.3.12-1.1.mga1 php-mcrypt-5.3.12-1.1.mga1 php-mssql-5.3.12-1.1.mga1 php-mysql-5.3.12-1.1.mga1 php-mysqli-5.3.12-1.1.mga1 php-mysqlnd-5.3.12-1.1.mga1 
php-odbc-5.3.12-1.1.mga1 php-pcntl-5.3.12-1.1.mga1 php-pdo-5.3.12-1.1.mga1 php-pdo_dblib-5.3.12-1.1.mga1 php-pdo_mysql-5.3.12-1.1.mga1 php-pdo_odbc-5.3.12-1.1.mga1 php-pdo_pgsql-5.3.12-1.1.mga1 php-pdo_sqlite-5.3.12-1.1.mga1 php-pgsql-5.3.12-1.1.mga1 php-phar-5.3.12-1.1.mga1 php-posix-5.3.12-1.1.mga1 php-pspell-5.3.12-1.1.mga1 php-readline-5.3.12-1.1.mga1 php-recode-5.3.12-1.1.mga1 php-session-5.3.12-1.1.mga1 php-shmop-5.3.12-1.1.mga1 php-snmp-5.3.12-1.1.mga1 php-soap-5.3.12-1.1.mga1 php-sockets-5.3.12-1.1.mga1 php-sqlite3-5.3.12-1.1.mga1 php-sqlite-5.3.12-1.1.mga1 php-sybase_ct-5.3.12-1.1.mga1 php-sysvmsg-5.3.12-1.1.mga1 php-sysvsem-5.3.12-1.1.mga1 php-sysvshm-5.3.12-1.1.mga1 php-tidy-5.3.12-1.1.mga1 php-tokenizer-5.3.12-1.1.mga1 php-xml-5.3.12-1.1.mga1 php-xmlreader-5.3.12-1.1.mga1 php-xmlrpc-5.3.12-1.1.mga1 php-xmlwriter-5.3.12-1.1.mga1 php-xsl-5.3.12-1.1.mga1 php-wddx-5.3.12-1.1.mga1 php-zip-5.3.12-1.1.mga1 php-ini-5.3.12-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 mysql-workbench-5.2.33b-1.1.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.1.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.12-1.1.mga1.src.rpm php-ini-5.3.12-1.mga1.src.rpm php-suhosin-0.9.33-1.mga1.src.rpm php-timezonedb-2012.3-1.mga1.src.rpm php-xdebug-2.1.4-1.mga1.src.rpm mysql-workbench-5.2.33b-1.1.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
I'm trying to test using ocsinventory, as it requires php-zip. I've created the mysql user and database specified in /etc/httpd/conf/webapps.d/ocsinventory-server.conf, and granted all permissions on the database to the user. When I go to http://localhost/ocsinventory/ocsreports, I get an error ... Can't call method "rollback" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/Server/System.pm line 265. I'm not sure if this is a configuration error, a problem in the application, php, or perl.
/usr/bin/mysqldiskusage from mysql-utilities has a blank line at the start, so the shebang is not recognized. It works once the line is removed.
(In reply to comment #21)
> I'm trying to test using ocsinventory, as it requires php-zip. I've created
> the mysql user and database specified in
> /etc/httpd/conf/webapps.d/ocsinventory-server.conf, and granted all
> permissions on the database to the user.
>
> When I go to http://localhost/ocsinventory/ocsreports, I get an error ...
> Can't call method "rollback" on an undefined value at
> /usr/lib/perl5/vendor_perl/5.12.3/Apache/Ocsinventory/Server/System.pm line
> 265.
>
> I'm not sure if this is a configuration error, a problem in the application,
> php, or perl.
Can you add a note about this to Bug 5252, so that it can be looked at if we ever make the security update for it? As for testing php-zip, there are some simple examples you can use here: http://php.net/manual/en/zip.examples.php
(In reply to comment #22)
> /usr/bin/mysqldiskusage from mysql-utilities has a blank line at the start,
> so the shebang is not recognized. It works once the line is removed.
OK, should be fixed in mysql-workbench-5.2.33b-1.2.mga1
php-eaccelerator needed rebuilt for this update (Bug 5781). Updated advisory. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311). Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163 http://seclists.org/oss-sec/2012/q1/710 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172 http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807 http://www.php.net/ChangeLog-5.php#5.3.11 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 https://bugs.php.net/bug.php?id=61910 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068 ======================== Updated packages in core/updates_testing: ======================== libzip-0.10.1-1.mga1 libzip2-0.10.1-1.mga1 libzip-devel-0.10.1-1.mga1 php-cli-5.3.12-1.1.mga1 php-cgi-5.3.12-1.1.mga1 php-fpm-5.3.12-1.1.mga1 apache-mod_php-5.3.12-1.1.mga1 libphp5_common5-5.3.12-1.1.mga1 php-devel-5.3.12-1.1.mga1 php-openssl-5.3.12-1.1.mga1 php-zlib-5.3.12-1.1.mga1 php-doc-5.3.12-1.1.mga1 php-bcmath-5.3.12-1.1.mga1 php-bz2-5.3.12-1.1.mga1 php-calendar-5.3.12-1.1.mga1 php-ctype-5.3.12-1.1.mga1 php-curl-5.3.12-1.1.mga1 php-dba-5.3.12-1.1.mga1 php-dom-5.3.12-1.1.mga1 php-enchant-5.3.12-1.1.mga1 php-exif-5.3.12-1.1.mga1 php-fileinfo-5.3.12-1.1.mga1 php-filter-5.3.12-1.1.mga1 php-ftp-5.3.12-1.1.mga1 php-gd-5.3.12-1.1.mga1 php-gettext-5.3.12-1.1.mga1 php-gmp-5.3.12-1.1.mga1 php-hash-5.3.12-1.1.mga1 php-iconv-5.3.12-1.1.mga1 php-imap-5.3.12-1.1.mga1 php-intl-5.3.12-1.1.mga1 php-json-5.3.12-1.1.mga1 php-ldap-5.3.12-1.1.mga1 php-mbstring-5.3.12-1.1.mga1 php-mcrypt-5.3.12-1.1.mga1 php-mssql-5.3.12-1.1.mga1 php-mysql-5.3.12-1.1.mga1 php-mysqli-5.3.12-1.1.mga1 php-mysqlnd-5.3.12-1.1.mga1 
php-odbc-5.3.12-1.1.mga1 php-pcntl-5.3.12-1.1.mga1 php-pdo-5.3.12-1.1.mga1 php-pdo_dblib-5.3.12-1.1.mga1 php-pdo_mysql-5.3.12-1.1.mga1 php-pdo_odbc-5.3.12-1.1.mga1 php-pdo_pgsql-5.3.12-1.1.mga1 php-pdo_sqlite-5.3.12-1.1.mga1 php-pgsql-5.3.12-1.1.mga1 php-phar-5.3.12-1.1.mga1 php-posix-5.3.12-1.1.mga1 php-pspell-5.3.12-1.1.mga1 php-readline-5.3.12-1.1.mga1 php-recode-5.3.12-1.1.mga1 php-session-5.3.12-1.1.mga1 php-shmop-5.3.12-1.1.mga1 php-snmp-5.3.12-1.1.mga1 php-soap-5.3.12-1.1.mga1 php-sockets-5.3.12-1.1.mga1 php-sqlite3-5.3.12-1.1.mga1 php-sqlite-5.3.12-1.1.mga1 php-sybase_ct-5.3.12-1.1.mga1 php-sysvmsg-5.3.12-1.1.mga1 php-sysvsem-5.3.12-1.1.mga1 php-sysvshm-5.3.12-1.1.mga1 php-tidy-5.3.12-1.1.mga1 php-tokenizer-5.3.12-1.1.mga1 php-xml-5.3.12-1.1.mga1 php-xmlreader-5.3.12-1.1.mga1 php-xmlrpc-5.3.12-1.1.mga1 php-xmlwriter-5.3.12-1.1.mga1 php-xsl-5.3.12-1.1.mga1 php-wddx-5.3.12-1.1.mga1 php-zip-5.3.12-1.1.mga1 php-ini-5.3.12-1.mga1 php-suhosin-0.9.33-1.mga1 php-timezonedb-2012.3-1.mga1 php-xdebug-2.1.4-1.mga1 php-eaccelerator-0.9.6.1-6.4.mga1 php-eaccelerator-admin-0.9.6.1-6.4.mga1 mysql-workbench-5.2.33b-1.2.mga1 mysql-utilities-1.0.0-0.5.2.33b.1.2.mga1 ebook-tools-0.1.1-5.1.mga1 libepub0-0.1.1-5.1.mga1 ebook-tools-devel-0.1.1-5.1.mga1 from SRPMS: libzip-0.10.1-1.mga1.src.rpm php-5.3.12-1.1.mga1.src.rpm php-ini-5.3.12-1.mga1.src.rpm php-suhosin-0.9.33-1.mga1.src.rpm php-timezonedb-2012.3-1.mga1.src.rpm php-xdebug-2.1.4-1.mga1.src.rpm php-eaccelerator-0.9.6.1-6.4.mga1.src.rpm mysql-workbench-5.2.33b-1.2.mga1.src.rpm ebook-tools-0.1.1-5.1.mga1.src.rpm
Testing complete on i586 for php/zip/php-cli using the first example from http://php.net/manual/en/zip.examples.php
Note when testing, change the "/too.php" and "/testfromfile.php" to "./too.php", "./testfromfile.php", and create ./too.php in the current directory. (It'll be called testfromfile.php in the zip).
Testing complete on i586 for mysql-workbench, using it to create a new table.
Testing complete on i586 for ebook-tools, using einfo on an epub file. Note that lit2epub fails as the command clit is not found, but that is not a regression. The command is not in any Mageia or Mandriva 2010.2 rpm package.
Testing complete on i586 for php itself using phpmyadmin. I'm not going to try and ensure each php module is tested, just that they all install cleanly.
I consider testing for this update complete for i586.
The fix to the latest PHP security problem is *still* incomplete, so PHP and Mandriva issued another update to PHP 5.3.13 to fix CVE-2012-2335, CVE-2012-2336. Now that Cauldron is frozen, this will need to be built as an update for Mageia 2 and tested there as well. http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068-1
As discussed on IRC, QA is not responsible for testing updates in Cauldron. Until Cauldron is branched into final release, testing of updates there should be carried out in the usual manner and updates push requests posted to the dev ML as normal. Thanks.
OK, it passes all of my QA tests with a local build of 5.3.13 in both Mageia 1 and Cauldron. I've made a Freeze push request for Cauldron. Once that gets built I'll submit the Mageia 1 build and update the advisory.
OK, built for Cauldron and Mageia 1. Advisory: ======================== Updated php and libzip packages fix security vulnerabilities: libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files (CVE-2012-1162). libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks) (CVE-2012-1163). PHP scripts that accept multiple file uploads in a single request are potentially vulnerable to a directory traversal attack (CVE-2012-1172). PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336). Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header (CVE-2012-0807). php-timezonedb and php-xdebug have been updated to allow upgrading from Mandriva 2010.2. Additionally, mysql-workbench and ebook-tools have been rebuilt to make use of the updated libzip library. 
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163
http://seclists.org/oss-sec/2012/q1/710
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172
http://lists.opensuse.org/opensuse-updates/2012-04/msg00058.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807
http://www.php.net/ChangeLog-5.php#5.3.11
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336
http://www.openwall.com/lists/oss-security/2012/05/09/9
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:068-1
========================

Updated packages in core/updates_testing:
========================
libzip-0.10.1-1.mga1
libzip2-0.10.1-1.mga1
libzip-devel-0.10.1-1.mga1
php-cli-5.3.13-1.mga1
php-cgi-5.3.13-1.mga1
php-fpm-5.3.13-1.mga1
apache-mod_php-5.3.13-1.mga1
libphp5_common5-5.3.13-1.mga1
php-devel-5.3.13-1.mga1
php-openssl-5.3.13-1.mga1
php-zlib-5.3.13-1.mga1
php-doc-5.3.13-1.mga1
php-bcmath-5.3.13-1.mga1
php-bz2-5.3.13-1.mga1
php-calendar-5.3.13-1.mga1
php-ctype-5.3.13-1.mga1
php-curl-5.3.13-1.mga1
php-dba-5.3.13-1.mga1
php-dom-5.3.13-1.mga1
php-enchant-5.3.13-1.mga1
php-exif-5.3.13-1.mga1
php-fileinfo-5.3.13-1.mga1
php-filter-5.3.13-1.mga1
php-ftp-5.3.13-1.mga1
php-gd-5.3.13-1.mga1
php-gettext-5.3.13-1.mga1
php-gmp-5.3.13-1.mga1
php-hash-5.3.13-1.mga1
php-iconv-5.3.13-1.mga1
php-imap-5.3.13-1.mga1
php-intl-5.3.13-1.mga1
php-json-5.3.13-1.mga1
php-ldap-5.3.13-1.mga1
php-mbstring-5.3.13-1.mga1
php-mcrypt-5.3.13-1.mga1
php-mssql-5.3.13-1.mga1
php-mysql-5.3.13-1.mga1
php-mysqli-5.3.13-1.mga1
php-mysqlnd-5.3.13-1.mga1
php-odbc-5.3.13-1.mga1
php-pcntl-5.3.13-1.mga1
php-pdo-5.3.13-1.mga1
php-pdo_dblib-5.3.13-1.mga1
php-pdo_mysql-5.3.13-1.mga1
php-pdo_odbc-5.3.13-1.mga1
php-pdo_pgsql-5.3.13-1.mga1
php-pdo_sqlite-5.3.13-1.mga1
php-pgsql-5.3.13-1.mga1
php-phar-5.3.13-1.mga1
php-posix-5.3.13-1.mga1
php-pspell-5.3.13-1.mga1
php-readline-5.3.13-1.mga1
php-recode-5.3.13-1.mga1
php-session-5.3.13-1.mga1
php-shmop-5.3.13-1.mga1
php-snmp-5.3.13-1.mga1
php-soap-5.3.13-1.mga1
php-sockets-5.3.13-1.mga1
php-sqlite3-5.3.13-1.mga1
php-sqlite-5.3.13-1.mga1
php-sybase_ct-5.3.13-1.mga1
php-sysvmsg-5.3.13-1.mga1
php-sysvsem-5.3.13-1.mga1
php-sysvshm-5.3.13-1.mga1
php-tidy-5.3.13-1.mga1
php-tokenizer-5.3.13-1.mga1
php-xml-5.3.13-1.mga1
php-xmlreader-5.3.13-1.mga1
php-xmlrpc-5.3.13-1.mga1
php-xmlwriter-5.3.13-1.mga1
php-xsl-5.3.13-1.mga1
php-wddx-5.3.13-1.mga1
php-zip-5.3.13-1.mga1
php-ini-5.3.13-1.mga1
php-eaccelerator-0.9.6.1-6.5.mga1
php-eaccelerator-admin-0.9.6.1-6.5.mga1
php-suhosin-0.9.33-1.mga1
php-timezonedb-2012.3-1.mga1
php-xdebug-2.1.4-1.mga1
mysql-workbench-5.2.33b-1.2.mga1
mysql-utilities-1.0.0-0.5.2.33b.1.2.mga1
ebook-tools-0.1.1-5.1.mga1
libepub0-0.1.1-5.1.mga1
ebook-tools-devel-0.1.1-5.1.mga1

from SRPMS:
libzip-0.10.1-1.mga1.src.rpm
php-5.3.13-1.mga1.src.rpm
php-ini-5.3.13-1.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.5.mga1.src.rpm
php-suhosin-0.9.33-1.mga1.src.rpm
php-timezonedb-2012.3-1.mga1.src.rpm
php-xdebug-2.1.4-1.mga1.src.rpm
mysql-workbench-5.2.33b-1.2.mga1.src.rpm
ebook-tools-0.1.1-5.1.mga1.src.rpm
Testing x86_64

Tested libzip with the info in Dave's comment 26.
Tested php with zoneminder, phpmyadmin, mediawiki, wordpress and some test scripts.
Checked eaccelerator and apc with their admin packages; also php -i shows no errors.
Used mysql-workbench to connect to localhost.
Downloaded an epub book from Project Gutenberg.

$ einfo -vvv thebook.epub
Shows ebook info

however:

$ lit2epub
Gives an error that it is missing 'clit', so I guess there is a missing require, but I'm not sure what it is missing.

which: no clit in (/usr/local/bin:/bin:/usr/bin:/usr/games:/usr/lib/qt4/bin:/home/claire/bin)
Can't find clit, please make sure it is in your path

# urpmq -a clit
lib64pcsclite-devel
lib64pcsclite-static-devel
lib64pcsclite1
libpcsclite-devel
libpcsclite-static-devel
libpcsclite1

It is not a regression though, so I'll create a new bug for that.

Testing complete x86_64
bug 5871 created for lit2epub
Validating the update.

Could someone from the sysadmin team push the srpms
libzip-0.10.1-1.mga1.src.rpm
php-5.3.13-1.mga1.src.rpm
php-ini-5.3.13-1.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.5.mga1.src.rpm
php-suhosin-0.9.33-1.mga1.src.rpm
php-timezonedb-2012.3-1.mga1.src.rpm
php-xdebug-2.1.4-1.mga1.src.rpm
mysql-workbench-5.2.33b-1.2.mga1.src.rpm
ebook-tools-0.1.1-5.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

See Comment 30 for the advisory.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED