A heap overflow vulnerability was reported in libzip <= 0.10 when processing certain corrupt zip files. When libzip opens a zip file, it allocates memory based on the number of directory entries, however ue to an incorrect loop construct in lib/zip_open.c, if the number of directories in the file is set to 0, no memory would be allocated, which could cause libzip to write beyond the allocated memory. This has already been corrected upstream [1]. [1] http://hg.nih.at/libzip/?cs=906bcce2bc13 Acknowledgements: Red Hat would like to thank Timo Warns for reporting this issue.
While this flaw has been fixed in the upstream repository, no release has been made that includes it, and the extent of the flaw was not discovered until now.
This is now public: http://nih.at/listarchive/libzip-discuss/msg00252.html
Created php tracking bugs for this issue Affects: fedora-all [bug 805104]
Created libzip tracking bugs for this issue Affects: fedora-all [bug 805102]
The vulnerability was introduced by patch http://hg.nih.at/libzip/?cs=de747816d94c in version 0.10. Statement: Not vulnerable. This issue did not affect the versions of libzip and php as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of php53 as shipped with Red Hat Enterprise Linux 5.
libzip-0.10.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Vulnerability was introduced in a version later than shipped with F15 and F16. F17 now ships version 0.10.1, which fixes the issue.
References: http://nih.at/listarchive/libzip-discuss/msg00252.html http://www.openwall.com/lists/oss-security/2012/03/21/2 http://www.openwall.com/lists/oss-security/2012/03/29/11 http://www.nih.at/libzip/NEWS.html http://www.gentoo.org/security/en/glsa/glsa-201203-23.xml http://www.mandriva.com/security/advisories?name=MDVSA-2012:034