Bug 359899 (CVE-2011-0421)

Summary: <dev-libs/libzip-0.10: "_zip_name_locate()" NULL Pointer Dereference Vulnerability (CVE-2011-0421)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/43621/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-22 09:37:30 UTC
A vulnerability has been discovered in libzip, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error within the "_zip_name_locate()" function in lib/zip_name_locate.c, which can be exploited to cause a crash by e.g. tricking an application using the "zip_name_locate()" function with the "ZIP_FL_UNCHANGED" flag into processing an empty ZIP file.

The vulnerability is confirmed in version 0.9.3. Prior versions may also be affected.

Solution
Update to version 0.10.
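
A simplified model of the failure described in the report above, added here as an illustration; it is not libzip's code and not part of the original report. Every struct, macro and function name is hypothetical, and it assumes the NULL pointer is the archive's on-disk directory, which an empty archive does not have.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT libzip's real structures: all names are hypothetical. */
#define MODEL_FL_UNCHANGED 8   /* stand-in for ZIP_FL_UNCHANGED; value chosen for this model */

struct model_cdir {            /* directory as read from the file on disk */
    int nentry;
    const char **names;
};

struct model_zip {
    struct model_cdir *cdir;   /* assumption: NULL when the archive is empty */
    int nentry;                /* entries in the in-memory (changed) view */
    const char **names;
};

/* Returns the index of fname, or -1 if it is absent or arguments are invalid. */
int model_name_locate(const struct model_zip *za, const char *fname, int flags)
{
    const char **names;
    int i, n;
    if (za == NULL || fname == NULL)
        return -1;
    if (flags & MODEL_FL_UNCHANGED) {
        /* Guard: an empty archive has no on-disk directory. Without this
         * check the next two lines would read through a NULL pointer. */
        if (za->cdir == NULL)
            return -1;
        n = za->cdir->nentry;
        names = za->cdir->names;
    } else {
        n = za->nentry;
        names = za->names;
    }

    for (i = 0; i < n; i++)
        if (names[i] != NULL && strcmp(names[i], fname) == 0)
            return i;
    return -1;
}

int main(void)
{
    struct model_zip empty = { NULL, 0, NULL };   /* constructed: empty archive */
    printf("%d\n", model_name_locate(&empty, "a.txt", MODEL_FL_UNCHANGED));
    return 0;
}
```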
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2011-03-22 14:15:00 UTC
I added 0.10 to the main tree for you.
But given that it is a year's worth of development, I would rather see others test it first prior to stabilising it.
Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev 2011-04-19 20:20:12 UTC
@arches:
please stabilise =dev-libs/libzip-0.10

Thanks
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2011-04-20 14:22:40 UTC
x86 stable, thanks.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-20 15:33:37 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2011-04-21 13:04:05 UTC
amd64 ok, also passes tests
Comment 6 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:51:45 UTC
ppc done
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:12:01 UTC
amd64 done. Thanks Agostino
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-26 10:53:41 UTC
ppc64 stable, last arch done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 13:57:57 UTC
Thanks, folks. GLSA Vote: No.
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2011-05-14 14:03:03 UTC
Nothing to do for kde here anymore.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-21 11:20:51 UTC
Vote: NO, closing noglsa.