a vulnerability has been reported in ZZIPlib Library, which potentially can be exploited by malicious people to gain escalated privileges or compromise a vulnerable system. The vulnerability is caused due to a boundary error in "zzip_open_shared_io()" within zzip/file.c when processing arguments. This can be exploited to cause a stack-based buffer overflow via an overly long string passed as the filename argument to the said function. Successful exploitation may allow execution of arbitrary code. solution: update to version 0.13.49
new version in portage. Everyone stable up. I'll force it stable and whack the old ebuilds after a reasonable time.
Stable for HPPA.
x86 stable
0.13.38 was the last version that worked right in sparc (didn't sigbus), all the newer ones do. Otherwise .38 is fixed to address the security issue or .49 is debugged to get the nasty unaligned memory accesses out. The problem seems to be in __zip_find_disk_trailer in zzip/zip.c but it'll take me some time to track it down since there were many changes between 38->49.
Ok easy way out for sparc, since only dev-php[45]/pecl-zip-1.0 use dev-libs/zziplib for us and we already have 1.8.6 stable which uses zlib just kill the whole thing (including pecl-zip-1.0 keywords).
pecl-zip-1.0 unkeyworded, -sparc for the broken zziplib versions, feel free to remove the old ones when this is done.
Seems to work fine on alpha but fails the testsuite only when the USE="sdl" is enable. ---- 8< ---- make[3]: *** No rule to make target `../bins/zzip-config', needed by `zzip-config'. Stop. ---- 8< ---- Anyway, stable.
I'm getting this on ppc64: [...] Package 'zzip-zlib-config', required by 'zziplib', not found ../../SDL/SDL_rwops_zzip.c:9:23: error: zzip/zzip.h: No such file or directory ../../SDL/SDL_rwops_zzip.c: In function ‘_zzip_seek’: ../../SDL/SDL_rwops_zzip.c:20: warning: implicit declaration of function ‘zzip_seek’ ../../SDL/SDL_rwops_zzip.c:20: error: ‘ZZIP_FILE’ undeclared (first use in this function) ../../SDL/SDL_rwops_zzip.c:20: error: (Each undeclared identifier is reported only once ../../SDL/SDL_rwops_zzip.c:20: error: for each function it appears in.) ../../SDL/SDL_rwops_zzip.c:20: error: expected expression before ‘)’ token ../../SDL/SDL_rwops_zzip.c: In function ‘_zzip_close’: ../../SDL/SDL_rwops_zzip.c:37: warning: implicit declaration of function ‘zzip_close’ ../../SDL/SDL_rwops_zzip.c:37: error: ‘ZZIP_FILE’ undeclared (first use in this function) ../../SDL/SDL_rwops_zzip.c:37: error: expected expression before ‘)’ token $ emerge --info Portage 2.1.2.2 (default-linux/ppc/ppc64/2007.0/64bit-userland/desktop/970/pmac, gcc-4.1.1, glibc-2.5-r0, 2.6.19.3 ppc64) ================================================================= System uname: 2.6.19.3 ppc64 PPC970FX, altivec supported Gentoo Base System release 1.12.9 Timestamp of tree: Wed, 21 Mar 2007 07:00:01 +0000 ccache version 2.4 [disabled] dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r6 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="ppc64" AUTOCLEAN="yes" CBUILD="powerpc64-unknown-linux-gnu" CFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec" CHOST="powerpc64-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig collision-protect cvs distlocks metadata-transfer sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo" LANG="en_US.UTF8" LC_ALL="en_US.UTF8" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac aiglx alsa altivec amr apache2 asf avahi bash-completion berkdb bitmap-fonts boost bzip2 cairo ccache cdinstall cdparanoia cdr cgi cli cracklib crypt ctype cups curl cvs daap dbus dedicated djvu dri dts dv dvd dvdr dvdread dvi emboss enca encode escreen exif exo fam ffmpeg firefox flac foomaticdb fortran fping gcj gd gdbm ggi gif gimp gimpprint glib glitz gmp gnokii gnome gnutls gphoto2 gpm graphviz gs gstreamer gtk hal hfs highlight iconv idle ieee1394 imagemagick imap imlib ipod ipv6 isdnlog jpeg kdeenablefinal lame latex ldap libnotify mad matroska mdnsresponder-compat midi mikmod mjpeg motif mozbranding mp3 mp4 mpeg mplayer mtp multiuser musicbrainz mysql ncurses network nls no-old-linux nptl nptlonly nsplugin objc objc++ offensive ogg onaccess openal opengl pam panel-plugin pcre pdf perl php plotutils png ppc64 ppds pppd python qt3 qt4 quicktime rdesktop readline reflection ruby samba savedconfig scanner screen sdl session skins slp smp snmp spell spl ssl startup-notification stream subtitles subversion svg tcltk tcpd teamarena test tetex theora threads thumbnail thunar-vfs tiff trash-panel-plugin trayicon truetype truetype-fonts type1-fonts unicode upnp usb utempter vcd videos vim-pager vorbis wxwindows x264 xcb xcomposite xine xml xorg xpm xscreensaver xulrunner xv xvid xvmc zeroconf zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
sparc: file a new bug and de-KEYWORD yourself for now please alpha: your tree is out of date ppc: dont worry about that, the SDL build isnt actually needed ... but i'll fix it
ppc stable
ppc64 stable
amd64/ia64 done
thanks arches. ready for GLSA.
I removed all the older ebuilds.
GLSA 200704-05 has finally hit g-announces.
