lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1QOoHR-00078c-9m@titan.mandriva.com>
Date: Tue, 24 May 2011 11:52:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:099 ] libzip

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:099
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libzip
 Date    : May 24, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and fixed in libzip:
 
 The _zip_name_locate function in zip_name_locate.c in the Zip extension
 in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
 argument, which might allow context-dependent attackers to cause
 a denial of service (application crash) via an empty ZIP archive
 that is processed with a (1) locateName or (2) statName operation
 (CVE-2011-0421).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 b2707764066551f6ce98927199313658  2009.0/i586/libzip-0.9-1.1mdv2009.0.i586.rpm
 0545e88dc46b5029b6d286d77929b0d6  2009.0/i586/libzip1-0.9-1.1mdv2009.0.i586.rpm
 59368b5e8945d41186ef43d50bc32fef  2009.0/i586/libzip1-devel-0.9-1.1mdv2009.0.i586.rpm 
 b674d890f391decb25160c3cbb61b67f  2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 f79f16015ec07a2d3ab5defe7f3a9c61  2009.0/x86_64/lib64zip1-0.9-1.1mdv2009.0.x86_64.rpm
 80caa5445d860ce81aa1dca417084315  2009.0/x86_64/lib64zip1-devel-0.9-1.1mdv2009.0.x86_64.rpm
 8aabb4c7001455bdb6281d6940d7f260  2009.0/x86_64/libzip-0.9-1.1mdv2009.0.x86_64.rpm 
 b674d890f391decb25160c3cbb61b67f  2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 2c951ced9a7c5babdf9602a914de26fc  2010.1/i586/libzip-0.9.3-2.1mdv2010.2.i586.rpm
 cab6b7db4308674902991ea4f772bac0  2010.1/i586/libzip1-0.9.3-2.1mdv2010.2.i586.rpm
 923b7c08dea396ca3e68d5317087abe1  2010.1/i586/libzip-devel-0.9.3-2.1mdv2010.2.i586.rpm 
 c96f039d41e502ab7de18cc88f68195a  2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 b46dca982a4a05c16f41cfaecd75fcbb  2010.1/x86_64/lib64zip1-0.9.3-2.1mdv2010.2.x86_64.rpm
 5d53ec5fdafacf8342fb744fc6023cda  2010.1/x86_64/lib64zip-devel-0.9.3-2.1mdv2010.2.x86_64.rpm
 05961884a3a4846286a6c32cc3434ae8  2010.1/x86_64/libzip-0.9.3-2.1mdv2010.2.x86_64.rpm 
 c96f039d41e502ab7de18cc88f68195a  2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm

 Corporate 4.0:
 5cab7fa861e9b758e3934b5ce91ee843  corporate/4.0/i586/libzip-0.8-0.2.20060mlcs4.i586.rpm
 1414a28bac961b51ee0ee500bb5e305f  corporate/4.0/i586/libzip1-0.8-0.2.20060mlcs4.i586.rpm
 0870b727bb7818ff6167b0ee7bfe69a0  corporate/4.0/i586/libzip1-devel-0.8-0.2.20060mlcs4.i586.rpm 
 d880b19f9ed7009893526c5be191609b  corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 39cad5f8ec0b6a8c453d201088ec1c19  corporate/4.0/x86_64/lib64zip1-0.8-0.2.20060mlcs4.x86_64.rpm
 7bbfde955d5be982696ea749d02fda31  corporate/4.0/x86_64/lib64zip1-devel-0.8-0.2.20060mlcs4.x86_64.rpm
 31632663a023e78b87f16d6ef3a513e9  corporate/4.0/x86_64/libzip-0.8-0.2.20060mlcs4.x86_64.rpm 
 d880b19f9ed7009893526c5be191609b  corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 8927d13cebb528734d923d9c8a5d2cc5  mes5/i586/libzip-0.9-1.1mdvmes5.2.i586.rpm
 26895b0d8a3c7678915f63824644e6e0  mes5/i586/libzip1-0.9-1.1mdvmes5.2.i586.rpm
 e2fb873896d7fdfdddb768cf45ab905c  mes5/i586/libzip1-devel-0.9-1.1mdvmes5.2.i586.rpm 
 e675417cd92171246244c061e178c384  mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 40e013ad35ec3fc6d3a76a41a7284832  mes5/x86_64/lib64zip1-0.9-1.1mdvmes5.2.x86_64.rpm
 1c14f06832bfcc7130b39f28489aaef8  mes5/x86_64/lib64zip1-devel-0.9-1.1mdvmes5.2.x86_64.rpm
 e8e051a9bb35bd3c4f1053a95137549c  mes5/x86_64/libzip-0.9-1.1mdvmes5.2.x86_64.rpm 
 e675417cd92171246244c061e178c384  mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN20+QmqjQ0CJFipgRAkNfAJ4rXaVWkphVslNS0q7faBMWKwh1RQCgxVH1
Di9TN3bCfXHOIrvPkP1C/ws=
=I8bT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ