Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359899 (CVE-2011-0421) - <dev-libs/libzip-0.10: "_zip_name_locate()" NULL Pointer Dereference Vulnerability (CVE-2011-0421)
Summary: <dev-libs/libzip-0.10: "_zip_name_locate()" NULL Pointer Dereference Vulnerab...
Status: RESOLVED FIXED
Alias: CVE-2011-0421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/43621/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-22 09:37 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-05-21 11:20 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-22 09:37:30 UTC
A vulnerability has been discovered in libzip, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error within the "_zip_name_locate()" function in lib/zip_name_locate.c, which can be exploited to cause a crash by e.g. tricking an application using the "zip_name_locate()" function with the "ZIP_FL_UNCHANGED" flag into processing an empty ZIP file.

The vulnerability is confirmed in version 0.9.3. Prior versions may also be affected.

Solution
Update to version 0.10.
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2011-03-22 14:15:00 UTC
I added you the 0.10 into the main tree.
But given that it is 1 year of development worth i would rather see others test it first prior stabilising it.
Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev 2011-04-19 20:20:12 UTC
@arches:
please stabilise =dev-libs/libzip-0.10

Thanks
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2011-04-20 14:22:40 UTC
x86 stable, thanks.
Comment 4 Jeroen Roovers gentoo-dev 2011-04-20 15:33:37 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2011-04-21 13:04:05 UTC
amd64 ok, pass also tests
Comment 6 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:51:45 UTC
ppc done
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:12:01 UTC
amd64 done. Thanks Agostino
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-26 10:53:41 UTC
ppc64 stable, last arch done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 13:57:57 UTC
Thanks, folks. GLSA Vote: No.
Comment 10 Andreas K. Hüttel gentoo-dev 2011-05-14 14:03:03 UTC
Nothing to do for kde here anymore.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-21 11:20:51 UTC
Vote: NO, closing noglsa.