Summary: | <dev-libs/libzip-1.0.1: Denial of service (CVE-2015-2331)
---|---
Product: | Gentoo Security
Reporter: | Cato Auestad <cato>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://www.nih.at/libzip/NEWS.html
Whiteboard: | B3 [cve/noglsa]
Package list: |
Runtime testing required: | ---
Attachments:

- Attachment 404404: New libzip ebuild
- Attachment 404406: Diff between libzip-0.11.2 and libzip-1.0.1

Description (Cato Auestad):

Created attachment 404404
New libzip ebuild

Hi,

There is a new version of dev-libs/libzip - 1.0.1. The current version of dev-libs/libzip is 0.11.2. See the attached new ebuild and diff between the ebuild of 0.11.2 and 1.0.1.

Best regards,
Cato Auestad

Comment #1 (Cato Auestad):

Created attachment 404406
Diff between libzip-0.11.2 and libzip-1.0.1

The patch for pkg-config in 0.11.2 is no longer required in version 1.0.1.

(In reply to Cato Auestad from comment #1)
> Created attachment 404406
> Diff between libzip-0.11.2 and libzip-1.0.1
>
> The patch for pkg-config in 0.11.2 is no longer required in version 1.0.1.

The patch breaks the build of 1.0.1 because the fix is implemented upstream. Version 1.0.0 fixed a CVE, so I'm going to turn this into a security bug.

CVE-2015-2331: "Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow."

I will bump this as soon as my test environment un-borks itself.

Bumped.

Arches, please test and mark stable:
=dev-libs/libzip-1.0.1
Target arches: amd64 hppa ia64 ppc ppc64 x86

Stable for HPPA PPC64.

amd64 stable

x86 stable

CVE-2015-2331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2331):
Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

ppc stable

ia64 dead arch team?

We could drop stable keywords here:
dev-libs/libzip
media-gfx/pstoedit
media-gfx/autotrace
and use stable mask media-gfx/imagemagick[autotrace] for ia64.

ia64 stable

Cleanup, please!

GLSA vote: no.

GLSA Vote: No

Thanks all. Cleanup done. Removing maintainers then.

+ 17 Jul 2015; Johannes Huber <johu@gentoo.org>
+ -files/libzip-0.11-fix_pkgconfig.patch, -libzip-0.11.2.ebuild:
+ Remove vulnerable version, bug #550922.
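The allocation pattern the CVE text describes (an entry count taken from the archive, multiplied by a record size, and passed to malloc) and a checked form of it, as an added illustration that is not libzip's own code; `entry_t`, `CDENTRYSIZE` and the two functions are constructed for this example, and the 46-byte constant is the fixed size of a ZIP central-directory file header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a per-entry record (hypothetical; the real libzip
 * struct is larger, which only makes the product wrap at a smaller count). */
typedef struct { uint64_t offset; uint32_t crc; uint32_t flags; } entry_t;

/* Fixed size of one central-directory file header on disk (ZIP format). */
#define CDENTRYSIZE 46u

/* The unchecked pattern behind CVE-2015-2331: an entry count read straight
 * from the archive's end-of-central-directory record is multiplied in size_t.
 * Near SIZE_MAX / sizeof(entry_t) the product wraps to a small value, malloc()
 * hands back a tiny buffer, and filling in nentry records overflows the heap. */
size_t entry_table_bytes_unchecked(uint64_t nentry) {
    return (size_t)nentry * sizeof(entry_t);
}

/* Hardened allocation (added here, not libzip's code). Rejects a count whose
 * byte size cannot be represented in size_t, and a count that could not fit in
 * a central directory of cd_size bytes, since each on-disk header occupies at
 * least CDENTRYSIZE bytes. On rejection returns NULL and sets *err:
 * 1 = size_t overflow, 2 = count inconsistent with cd_size, 3 = out of memory. */
entry_t *entry_table_alloc_checked(uint64_t nentry, uint64_t cd_size, int *err) {
    *err = 0;
    if (nentry == 0)
        return NULL;                       /* empty archive: nothing to allocate */
    if (nentry > SIZE_MAX / sizeof(entry_t)) { *err = 1; return NULL; }
    if (nentry > cd_size / CDENTRYSIZE)      { *err = 2; return NULL; }
    entry_t *tab = calloc((size_t)nentry, sizeof(entry_t)); /* zeroed table */
    if (tab == NULL) { *err = 3; return NULL; }
    return tab;
}

int main(void) {
    uint64_t huge = (UINT64_C(1) << 60) + 1;   /* constructed hostile count */
    int err;
    printf("unchecked bytes for %llu entries: %zu\n",
           (unsigned long long)huge, entry_table_bytes_unchecked(huge));
    entry_t *t = entry_table_alloc_checked(huge, UINT64_C(1) << 40, &err);
    printf("checked alloc: %s (err=%d)\n", t ? "allocated" : "rejected", err);
    free(t);
    t = entry_table_alloc_checked(3, 3 * CDENTRYSIZE + 10, &err);
    printf("3 entries: %s (err=%d)\n", t ? "allocated" : "rejected", err);
    free(t);
    return 0;
}
```

The wrapped product is 16 bytes for the hostile count, which is why the unchecked version "succeeds"; the second check also bounds the many-entries case the NVD text mentions, because a count larger than the central directory can hold is inconsistent before any allocation happens.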