A vulnerability has been discovered in libzip, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a NULL pointer dereference error within the "_zip_name_locate()" function in lib/zip_name_locate.c, which can be exploited to cause a crash by e.g. tricking an application using the "zip_name_locate()" function with the "ZIP_FL_UNCHANGED" flag into processing an empty ZIP file. The vulnerability is confirmed in version 0.9.3. Prior versions may also be affected. Solution Update to version 0.10.
I added you the 0.10 into the main tree. But given that it is 1 year of development worth i would rather see others test it first prior stabilising it.
@arches: please stabilise =dev-libs/libzip-0.10 Thanks
x86 stable, thanks.
Stable for HPPA.
amd64 ok, pass also tests
ppc done
amd64 done. Thanks Agostino
ppc64 stable, last arch done
Thanks, folks. GLSA Vote: No.
Nothing to do for kde here anymore.
Vote: NO, closing noglsa.