[ MDVSA-2011:099 ] libzip




_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:099
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libzip
Date : May 24, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been identified and fixed in libzip:

The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).
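The crash described above, modelled as an added C example that is not libzip's or PHP's own code: a simplified archive structure whose on-disk central directory pointer stays NULL for an empty archive, the unchecked lookup shape that dereferences it whenever the FL_UNCHANGED flag is set, and the checked form that reports "not found" instead. The struct and function names, the flag value and the sample archives are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Modelled archive (assumed names, not libzip's definitions): `cdir` holds
   the on-disk central directory and is NULL when the opened archive has no
   entries; the second pair describes the current, possibly modified state. */
#define FL_UNCHANGED 0x8   /* consult the on-disk state, ignoring changes */

struct cdir { int nentry; const char **names; };
struct zip  { struct cdir *cdir; int nentry; const char **names; };

/* Linear name lookup shared by both variants; -1 means "not found". */
static int scan(const char **names, int n, const char *fname)
{
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], fname) == 0)
            return i;
    return -1;
}

/* Vulnerable shape: the on-disk branch dereferences `cdir` without checking
   it, so an empty archive plus FL_UNCHANGED is a NULL dereference (the
   application crash in the advisory). Kept only for comparison; never called. */
int name_locate_unchecked(struct zip *za, const char *fname, int flags)
{
    if (flags & FL_UNCHANGED)
        return scan(za->cdir->names, za->cdir->nentry, fname);
    return scan(za->names, za->nentry, fname);
}

/* Hardened shape: with no on-disk central directory there is nothing an
   FL_UNCHANGED lookup could match, so return the "not found" result that
   callers of locateName/statName already have to handle. */
int name_locate(struct zip *za, const char *fname, int flags)
{
    if (fname == NULL)
        return -1;
    if (flags & FL_UNCHANGED) {
        if (za->cdir == NULL)
            return -1;           /* empty archive: refuse instead of crashing */
        return scan(za->cdir->names, za->cdir->nentry, fname);
    }
    return scan(za->names, za->nentry, fname);
}

/* Constructed sample archives for the checks below. */
static const char *disk_names[] = { "README", "src/main.c" };
static struct cdir sample_cdir = { 2, disk_names };
struct zip sample_archive = { &sample_cdir, 2, disk_names };
struct zip empty_archive  = { NULL, 0, NULL };   /* no central directory */
```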

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>