Package: libzip1 Version: 0.9.3-1 Severity: important Is Debian-packages affected?
http://seclists.org/oss-sec/2012/q1/710 """ The following two issues in libzip have been handled via distros () vs openwall org Distros and the libzip developers were informed on 2012-03-12. An update of libzip has become available on 2012-03-20, the appointed coordinated release date. The PHP and zipruby developers have been informed before 2012-03-16, but have not released updates yet. libzip (version <= 0.10) has two vulnerabilities that may lead to a heap overflow or an information leak via corrupted zip files. PHP (versions 5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are also affected as they include copies of affected libzip versions. * CVE-2012-1162 libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files. On opening a zip file with zip_open, libzip reads in the number of directory entries in the function _zip_readcdir in zip_open.c: (192) /* number of cdir-entries */ (193) nentry = _zip_read2(&cdp); Subsequently, memory for directory entries is allocated via _zip_cdir_new (in zip_dirent.c) based on the number of directory entries: (104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry)) If the number of directories in the zip file is set to 0, 0 bytes of memory are allocated. _zip_readcdir finishes with reading in the directory entries in a posttest do-while loop: (260) do { (261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) { ... (277) } while (i<cd->nentry && left > 0); If cd->entry points to 0 bytes of allocated memory, _zip_dirent writes beyond the allocated memory. * CVE-2012-1163 libzip (version <= 0.10) has a numeric overflow condition, which, for example, results in improper restrictions of operations within the bounds of a memory buffer (e.g., allowing information leaks). On opening a zip file with zip_open, libzip reads in the size and the offset of the central directory structure in the function _zip_readcdir in zip_open.c: (198) cd->size = _zip_read4(&cdp); (199) cd->offset = _zip_read4(&cdp); libzip performs a consistency check on these values, but does not anticipate an integer overflow: (203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) { On an integer overflow, libzip continues to handle the zip file, which, for example, can result in improper restriction of operations within the bounds of a memory buffer. Cheers, Timo """ -- System Information: Debian Release: 6.0.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libzip1 depends on: ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime libzip1 recommends no packages. libzip1 suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
