Bug 550922 (CVE-2015-2331) - <dev-libs/libzip-1.0.1: Denial of service (CVE-2015-2331)
Summary: <dev-libs/libzip-1.0.1: Denial of service (CVE-2015-2331)
Status: RESOLVED FIXED
Alias: CVE-2015-2331
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.nih.at/libzip/NEWS.html
Whiteboard: B3 [cve/noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2015-06-01 07:23 UTC by Cato Auestad
Modified: 2015-07-17 23:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
New libzip ebuild (libzip-1.0.1.ebuild, 759 bytes, text/plain)
2015-06-01 07:23 UTC, Cato Auestad
Diff between libzip-0.11.2 and libzip-1.0.1 (libzip-1.0.1-version-bump.diff, 299 bytes, patch)
2015-06-01 07:26 UTC, Cato Auestad

Description Cato Auestad 2015-06-01 07:23:48 UTC
Created attachment 404404 [details]
New libzip ebuild

Hi,

There is a new version of dev-libs/libzip - 1.0.1. The current version of dev-libs/libzip is 0.11.2. See the attached new ebuild and diff between the ebuild of 0.11.2 and 1.0.1.

Best regards,
Cato Auestad
Comment 1 Cato Auestad 2015-06-01 07:26:55 UTC
Created attachment 404406 [details, diff]
Diff between libzip-0.11.2 and libzip-1.0.1

The patch for pkg-config in 0.11.2 is no longer required in version 1.0.1.
Comment 2 Cato Auestad 2015-06-01 07:28:45 UTC
(In reply to Cato Auestad from comment #1)
> Created attachment 404406 [details, diff] [details, diff]
> Diff between libzip-0.11.2 and libzip-1.0.1
> 
> The patch for pkg-config in 0.11.2 is no longer required in version 1.0.1.

The patch breaks the build of 1.0.1 because the fix is implemented upstream.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2015-06-04 01:37:56 UTC
Version 1.0.0 fixed a CVE, so I'm going to turn this into a security bug. 

CVE-2015-2331: "Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow."

I will bump this as soon as my test environment un-borks itself.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2015-06-04 02:12:48 UTC
Bumped. Arches, please test and mark stable:
=dev-libs/libzip-1.0.1
Target arches: amd64 hppa ia64 ppc ppc64 x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-04 04:44:26 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-04 09:05:23 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-04 09:05:37 UTC
x86 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 21:18:39 UTC
CVE-2015-2331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2331):
  Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip
  0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x
  before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a ZIP archive that contains many entries, leading
  to a heap-based buffer overflow.
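The CVE text above describes a classic bug class: an entry count taken from the archive's central directory is multiplied by a record size, the product overflows, and the resulting heap buffer is smaller than the number of entries later written into it. The following C snippet is an added illustration of that class and its mitigation; it is not libzip's code and the `cdir_entry` layout, the 32-bit multiply in `unchecked_alloc_size` and the `cdir_new`/`cdir_try` helpers are assumptions made for the example. `checked_alloc_size` shows the overflow-checked size computation a fix of this kind relies on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative central-directory entry record. Layout and size are
   assumptions for this example, not libzip's actual struct. */
struct cdir_entry {
    uint32_t offset;
    uint32_t crc;
    uint32_t comp_size;
    uint32_t uncomp_size;
};

struct cdir {
    uint64_t nentry;
    struct cdir_entry *entry;
};

/* Vulnerable pattern (illustrative): the entry count from the archive is
   multiplied in 32-bit arithmetic, so a large count wraps to a small byte
   size. A buffer of that size is then overrun by per-entry writes. */
uint32_t unchecked_alloc_size(uint32_t nentry)
{
    return nentry * (uint32_t)sizeof(struct cdir_entry);
}

/* Hardened pattern: refuse any count whose product with the element size
   cannot be represented in size_t. Returns false on overflow. */
bool checked_alloc_size(uint64_t nentry, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && nentry > SIZE_MAX / elem_size)
        return false;
    *out = (size_t)nentry * elem_size;
    return true;
}

/* Allocate a directory for nentry entries; NULL on overflow or OOM. */
struct cdir *cdir_new(uint64_t nentry)
{
    size_t bytes;
    if (!checked_alloc_size(nentry, sizeof(struct cdir_entry), &bytes))
        return NULL;                     /* untrusted count rejected */

    struct cdir *cd = calloc(1, sizeof *cd);
    if (cd == NULL)
        return NULL;
    cd->nentry = nentry;
    cd->entry = NULL;
    if (nentry != 0) {
        /* nentry already proven to fit in size_t by the check above */
        cd->entry = calloc((size_t)nentry, sizeof(struct cdir_entry));
        if (cd->entry == NULL) {
            free(cd);
            return NULL;
        }
    }
    return cd;
}

void cdir_free(struct cdir *cd)
{
    if (cd == NULL)
        return;
    free(cd->entry);
    free(cd);
}

/* Convenience wrapper: true if a directory for nentry entries can be built. */
bool cdir_try(uint64_t nentry)
{
    struct cdir *cd = cdir_new(nentry);
    bool ok = (cd != NULL);
    cdir_free(cd);
    return ok;
}

int main(void)
{
    /* 0x10000001 entries * 16 bytes wraps to 16 bytes in 32-bit arithmetic */
    printf("unchecked size for 0x10000001 entries: %u bytes\n",
           unchecked_alloc_size(0x10000001u));
    printf("checked alloc for 1000 entries: %s\n", cdir_try(1000) ? "ok" : "rejected");
    printf("checked alloc for 2^62 entries: %s\n",
           cdir_try((uint64_t)1 << 62) ? "ok" : "rejected");
    return 0;
}
```

The check `nentry > SIZE_MAX / elem_size` is the portable way to detect the overflow before it happens; on compilers that provide it, `__builtin_mul_overflow` expresses the same intent in one call. Either way the point is that the count is validated before any allocation, so a crafted archive with a huge entry count is rejected instead of producing an undersized heap buffer.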
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-24 08:00:07 UTC
ppc stable
Comment 10 Johannes Huber (RETIRED) gentoo-dev 2015-07-15 18:33:04 UTC
ia64 dead arch team?
Comment 11 Manuel Rüger (RETIRED) gentoo-dev 2015-07-15 18:38:48 UTC
We could drop stable keywords here:
dev-libs/libzip
media-gfx/pstoedit
media-gfx/autotrace
and use stable mask media-gfx/imagemagick[autotrace] for ia64.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 13:38:08 UTC
ia64 stable

Cleanup, please!

GLSA vote: no.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-17 13:41:56 UTC
GLSA Vote: No
Comment 14 Johannes Huber (RETIRED) gentoo-dev 2015-07-17 19:58:10 UTC
Thanks all. Cleanup done. Removing maintainers then.

+
+  17 Jul 2015; Johannes Huber <johu@gentoo.org>
+  -files/libzip-0.11-fix_pkgconfig.patch, -libzip-0.11.2.ebuild:
+  Remove vulnerable version, bug #550922.
+