MDVSA-2012:034

Package name

libzip

Date

2012-03-23

Advisory ID

MDVSA-2012:034

Affected versions

MES5 i586 , 2010.1 i586 , 2011 x86_64 , 2011 i586 , MES5 x86_64 , 2010.1 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in libzip:

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files (CVE-2012-1162).

libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks)
(CVE-2012-1163).

The updated packages have been upgraded to the 0.10.1 version to
correct these issues.

Updated packages

MES5 i586

 308e1fa160a2ca9481414747e2dd20b2  mes5/i586/libzip-0.10.1-0.1mdvmes5.2.i586.rpm
 e2dd07b70dc91b0825621fc3a941bd1a  mes5/i586/libzip2-0.10.1-0.1mdvmes5.2.i586.rpm
 e7ac7b2842a671c7a7d41914ac03d04a  mes5/i586/libzip-devel-0.10.1-0.1mdvmes5.2.i586.rpm 
 1c4565ac18006fbd550dff062f53656f  mes5/SRPMS/libzip-0.10.1-0.1mdvmes5.2.src.rpm

2010.1 i586

 be16da865220076e7c88b7a379c54edd  2010.1/i586/libzip-0.10.1-0.1mdv2010.2.i586.rpm
 021ffd87bf6de1f526f5c140ea40b979  2010.1/i586/libzip2-0.10.1-0.1mdv2010.2.i586.rpm
 b603afe757588ea8fda990e74e779385  2010.1/i586/libzip-devel-0.10.1-0.1mdv2010.2.i586.rpm 
 9bc6b02ac54bc55a794abdbbc3002755  2010.1/SRPMS/libzip-0.10.1-0.1mdv2010.2.src.rpm

2011 x86_64

 d2077b51bd70f4e564d5feeb15c3f3a5  2011/x86_64/lib64zip2-0.10.1-0.1-mdv2011.0.x86_64.rpm
 266c6cf6f7f02dfb2bb47b74277d0eb4  2011/x86_64/lib64zip-devel-0.10.1-0.1-mdv2011.0.x86_64.rpm
 65b5167aa03243df263bde0775b8a39d  2011/x86_64/libzip-0.10.1-0.1-mdv2011.0.x86_64.rpm 
 8572a1994fe2c71a31d27ec4b0670cce  2011/SRPMS/libzip-0.10.1-0.1.src.rpm

2011 i586

 0585aa00560a3e74707015f75f56a2f0  2011/i586/libzip-0.10.1-0.1-mdv2011.0.i586.rpm
 d63c8a5ab141eeef97a8f767f750e226  2011/i586/libzip2-0.10.1-0.1-mdv2011.0.i586.rpm
 6d3d3f6cd6cb6573d24d5f13bc05c094  2011/i586/libzip-devel-0.10.1-0.1-mdv2011.0.i586.rpm 
 8572a1994fe2c71a31d27ec4b0670cce  2011/SRPMS/libzip-0.10.1-0.1.src.rpm

MES5 x86_64

 cac5c12f63ee1ea4ca553d5bc72be04c  mes5/x86_64/lib64zip2-0.10.1-0.1mdvmes5.2.x86_64.rpm
 dcad624a787127931e287bbbb674bf8a  mes5/x86_64/lib64zip-devel-0.10.1-0.1mdvmes5.2.x86_64.rpm
 8f251b7367a366688f32182d5cd282f5  mes5/x86_64/libzip-0.10.1-0.1mdvmes5.2.x86_64.rpm 
 1c4565ac18006fbd550dff062f53656f  mes5/SRPMS/libzip-0.10.1-0.1mdvmes5.2.src.rpm

2010.1 x86_64

 e9f5623d9780cbf55170c0a817762d85  2010.1/x86_64/lib64zip2-0.10.1-0.1mdv2010.2.x86_64.rpm
 068cc46453a50db130ff32390d19b99f  2010.1/x86_64/lib64zip-devel-0.10.1-0.1mdv2010.2.x86_64.rpm
 3d1720daeca5917958cd3b8aa19681db  2010.1/x86_64/libzip-0.10.1-0.1mdv2010.2.x86_64.rpm 
 9bc6b02ac54bc55a794abdbbc3002755  2010.1/SRPMS/libzip-0.10.1-0.1mdv2010.2.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1163
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1162