-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:099
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libzip
 Date    : May 24, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and fixed in libzip:

 The _zip_name_locate function in zip_name_locate.c in the Zip extension
 in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
 argument, which might allow context-dependent attackers to cause a
 denial of service (application crash) via an empty ZIP archive that is
 processed with a (1) locateName or (2) statName operation
 (CVE-2011-0421).

 Packages for 2009.0 are provided as part of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 b2707764066551f6ce98927199313658  2009.0/i586/libzip-0.9-1.1mdv2009.0.i586.rpm
 0545e88dc46b5029b6d286d77929b0d6  2009.0/i586/libzip1-0.9-1.1mdv2009.0.i586.rpm
 59368b5e8945d41186ef43d50bc32fef  2009.0/i586/libzip1-devel-0.9-1.1mdv2009.0.i586.rpm
 b674d890f391decb25160c3cbb61b67f  2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 f79f16015ec07a2d3ab5defe7f3a9c61  2009.0/x86_64/lib64zip1-0.9-1.1mdv2009.0.x86_64.rpm
 80caa5445d860ce81aa1dca417084315  2009.0/x86_64/lib64zip1-devel-0.9-1.1mdv2009.0.x86_64.rpm
 8aabb4c7001455bdb6281d6940d7f260  2009.0/x86_64/libzip-0.9-1.1mdv2009.0.x86_64.rpm
 b674d890f391decb25160c3cbb61b67f  2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 2c951ced9a7c5babdf9602a914de26fc  2010.1/i586/libzip-0.9.3-2.1mdv2010.2.i586.rpm
 cab6b7db4308674902991ea4f772bac0  2010.1/i586/libzip1-0.9.3-2.1mdv2010.2.i586.rpm
 923b7c08dea396ca3e68d5317087abe1  2010.1/i586/libzip-devel-0.9.3-2.1mdv2010.2.i586.rpm
 c96f039d41e502ab7de18cc88f68195a  2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 b46dca982a4a05c16f41cfaecd75fcbb  2010.1/x86_64/lib64zip1-0.9.3-2.1mdv2010.2.x86_64.rpm
 5d53ec5fdafacf8342fb744fc6023cda  2010.1/x86_64/lib64zip-devel-0.9.3-2.1mdv2010.2.x86_64.rpm
 05961884a3a4846286a6c32cc3434ae8  2010.1/x86_64/libzip-0.9.3-2.1mdv2010.2.x86_64.rpm
 c96f039d41e502ab7de18cc88f68195a  2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm

 Corporate 4.0:
 5cab7fa861e9b758e3934b5ce91ee843  corporate/4.0/i586/libzip-0.8-0.2.20060mlcs4.i586.rpm
 1414a28bac961b51ee0ee500bb5e305f  corporate/4.0/i586/libzip1-0.8-0.2.20060mlcs4.i586.rpm
 0870b727bb7818ff6167b0ee7bfe69a0  corporate/4.0/i586/libzip1-devel-0.8-0.2.20060mlcs4.i586.rpm
 d880b19f9ed7009893526c5be191609b  corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 39cad5f8ec0b6a8c453d201088ec1c19  corporate/4.0/x86_64/lib64zip1-0.8-0.2.20060mlcs4.x86_64.rpm
 7bbfde955d5be982696ea749d02fda31  corporate/4.0/x86_64/lib64zip1-devel-0.8-0.2.20060mlcs4.x86_64.rpm
 31632663a023e78b87f16d6ef3a513e9  corporate/4.0/x86_64/libzip-0.8-0.2.20060mlcs4.x86_64.rpm
 d880b19f9ed7009893526c5be191609b  corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 8927d13cebb528734d923d9c8a5d2cc5  mes5/i586/libzip-0.9-1.1mdvmes5.2.i586.rpm
 26895b0d8a3c7678915f63824644e6e0  mes5/i586/libzip1-0.9-1.1mdvmes5.2.i586.rpm
 e2fb873896d7fdfdddb768cf45ab905c  mes5/i586/libzip1-devel-0.9-1.1mdvmes5.2.i586.rpm
 e675417cd92171246244c061e178c384  mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 40e013ad35ec3fc6d3a76a41a7284832  mes5/x86_64/lib64zip1-0.9-1.1mdvmes5.2.x86_64.rpm
 1c14f06832bfcc7130b39f28489aaef8  mes5/x86_64/lib64zip1-devel-0.9-1.1mdvmes5.2.x86_64.rpm
 e8e051a9bb35bd3c4f1053a95137549c  mes5/x86_64/libzip-0.9-1.1mdvmes5.2.x86_64.rpm
 e675417cd92171246244c061e178c384  mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN20+QmqjQ0CJFipgRAkNfAJ4rXaVWkphVslNS0q7faBMWKwh1RQCgxVH1
Di9TN3bCfXHOIrvPkP1C/ws=
=I8bT
-----END PGP SIGNATURE-----
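The advisory notes that urpmi and MandrivaUpdate check md5 checksums and GPG signatures for you. When packages are instead fetched by hand (a staged mirror, an offline host), the same check has to be done explicitly against the "Updated Packages" list above. The script below is an added example, not Mandriva's tooling: it reads an advisory-style manifest of `<md5>  <relative path>` lines, skips the section headings, and reports every package that is missing or whose digest differs. The manifest and files in `demo_verify` are constructed sample data; their digests are the well-known MD5 values of `hello\n` and of an empty file, not hashes from this advisory.

```sh
#!/bin/sh
# Added example (not Mandriva tooling): check downloaded RPMs against the
# "<md5>  <relative path>" lines of an advisory's "Updated Packages" list.
# The directory layout and file contents in demo_verify are constructed
# sample data; their digests are the well-known MD5 values of "hello\n" and
# of the empty file, not hashes taken from the advisory.

# verify_manifest MANIFEST BASEDIR
# Reads MANIFEST line by line. Lines whose first field is not a 32-character
# lowercase hex digest (section headings such as "Mandriva Linux 2009.0:",
# blank lines) are skipped. Each remaining entry is checked under BASEDIR.
# Prints one status line per entry and returns the number of entries that
# were missing or did not match, so 0 means everything verified.
verify_manifest() {
    manifest=$1
    basedir=$2
    bad=0
    while read -r expected relpath; do
        [ "${#expected}" -eq 32 ] || continue
        case "$expected" in
            *[!0-9a-f]*) continue ;;
        esac
        file="$basedir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# demo_verify
# Builds a constructed mirror tree in a temporary directory: two files whose
# digests match their manifest entries, one whose contents were altered after
# the manifest was written, and one that is listed but was never downloaded.
# Returns the failure count from verify_manifest (2 for this data set).
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/repo/2009.0/i586"
    printf 'hello\n' > "$tmp/repo/2009.0/i586/good.rpm"
    : > "$tmp/repo/2009.0/i586/empty.rpm"
    printf 'tampered\n' > "$tmp/repo/2009.0/i586/bad.rpm"
    cat > "$tmp/manifest" <<'EOF'
Mandriva Linux 2009.0:
b1946ac92492d2347c6235b4d2611184  2009.0/i586/good.rpm
d41d8cd98f00b204e9800998ecf8427e  2009.0/i586/empty.rpm
b1946ac92492d2347c6235b4d2611184  2009.0/i586/bad.rpm
b1946ac92492d2347c6235b4d2611184  2009.0/i586/missing.rpm
EOF
    rc=0
    verify_manifest "$tmp/manifest" "$tmp/repo" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `demo_verify` to see the four status lines for the constructed data; in practice, paste the advisory's checksum section into a file and call `verify_manifest that-file /path/to/downloaded/tree`, treating any non-zero return as a reason not to install. The MD5 check only detects corruption or substitution relative to the advisory text, so the advisory's own PGP signature still needs to be verified with the Mandriva Security Team key before the checksums are trusted.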