Izdana je sigurnosna zakrpa koja rješava propust uočen kod programskog pakete libzip. Spomenuti je nedostatak napadač mogao iskoristiti za izvođenje napada uskraćivanja usluge (eng. Denial of Service).
Paket:
libzip 0.x
Operacijski sustavi:
Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux Corporate 4.0, Mandriva Linux Enterprise Server 5.0
Kritičnost:
2.9
Problem:
pogreška u programskoj funkciji
Iskorištavanje:
udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-0421
Izvorni ID preporuke:
MDVSA-2011:099
Izvor:
Mandriva
Problem:
Do propusta dolazi zbog pogreške u funkciji "_zip_name_locate" u datoteci "zip_name_locate.c".
Posljedica:
Neodstatak omogućuje izvođenje DoS napada, a uspješna zlouporaba podrazumijeva podmetanje prazne ZIP arhive.
Rješenje:
Svi se korisnici upućuju na primjenu odgovarajuće nadogradnje.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:099
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libzip
Date : May 24, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been identified and fixed in libzip:
The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
b2707764066551f6ce98927199313658
2009.0/i586/libzip-0.9-1.1mdv2009.0.i586.rpm
0545e88dc46b5029b6d286d77929b0d6
2009.0/i586/libzip1-0.9-1.1mdv2009.0.i586.rpm
59368b5e8945d41186ef43d50bc32fef
2009.0/i586/libzip1-devel-0.9-1.1mdv2009.0.i586.rpm
b674d890f391decb25160c3cbb61b67f
2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
f79f16015ec07a2d3ab5defe7f3a9c61
2009.0/x86_64/lib64zip1-0.9-1.1mdv2009.0.x86_64.rpm
80caa5445d860ce81aa1dca417084315
2009.0/x86_64/lib64zip1-devel-0.9-1.1mdv2009.0.x86_64.rpm
8aabb4c7001455bdb6281d6940d7f260
2009.0/x86_64/libzip-0.9-1.1mdv2009.0.x86_64.rpm
b674d890f391decb25160c3cbb61b67f
2009.0/SRPMS/libzip-0.9-1.1mdv2009.0.src.rpm
Mandriva Linux 2010.1:
2c951ced9a7c5babdf9602a914de26fc
2010.1/i586/libzip-0.9.3-2.1mdv2010.2.i586.rpm
cab6b7db4308674902991ea4f772bac0
2010.1/i586/libzip1-0.9.3-2.1mdv2010.2.i586.rpm
923b7c08dea396ca3e68d5317087abe1
2010.1/i586/libzip-devel-0.9.3-2.1mdv2010.2.i586.rpm
c96f039d41e502ab7de18cc88f68195a
2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
b46dca982a4a05c16f41cfaecd75fcbb
2010.1/x86_64/lib64zip1-0.9.3-2.1mdv2010.2.x86_64.rpm
5d53ec5fdafacf8342fb744fc6023cda
2010.1/x86_64/lib64zip-devel-0.9.3-2.1mdv2010.2.x86_64.rpm
05961884a3a4846286a6c32cc3434ae8
2010.1/x86_64/libzip-0.9.3-2.1mdv2010.2.x86_64.rpm
c96f039d41e502ab7de18cc88f68195a
2010.1/SRPMS/libzip-0.9.3-2.1mdv2010.2.src.rpm
Corporate 4.0:
5cab7fa861e9b758e3934b5ce91ee843
corporate/4.0/i586/libzip-0.8-0.2.20060mlcs4.i586.rpm
1414a28bac961b51ee0ee500bb5e305f
corporate/4.0/i586/libzip1-0.8-0.2.20060mlcs4.i586.rpm
0870b727bb7818ff6167b0ee7bfe69a0
corporate/4.0/i586/libzip1-devel-0.8-0.2.20060mlcs4.i586.rpm
d880b19f9ed7009893526c5be191609b
corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
39cad5f8ec0b6a8c453d201088ec1c19
corporate/4.0/x86_64/lib64zip1-0.8-0.2.20060mlcs4.x86_64.rpm
7bbfde955d5be982696ea749d02fda31
corporate/4.0/x86_64/lib64zip1-devel-0.8-0.2.20060mlcs4.x86_64.rpm
31632663a023e78b87f16d6ef3a513e9
corporate/4.0/x86_64/libzip-0.8-0.2.20060mlcs4.x86_64.rpm
d880b19f9ed7009893526c5be191609b
corporate/4.0/SRPMS/libzip-0.8-0.2.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
8927d13cebb528734d923d9c8a5d2cc5 mes5/i586/libzip-0.9-1.1mdvmes5.2.i586.rpm
26895b0d8a3c7678915f63824644e6e0 mes5/i586/libzip1-0.9-1.1mdvmes5.2.i586.rpm
e2fb873896d7fdfdddb768cf45ab905c
mes5/i586/libzip1-devel-0.9-1.1mdvmes5.2.i586.rpm
e675417cd92171246244c061e178c384 mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
40e013ad35ec3fc6d3a76a41a7284832
mes5/x86_64/lib64zip1-0.9-1.1mdvmes5.2.x86_64.rpm
1c14f06832bfcc7130b39f28489aaef8
mes5/x86_64/lib64zip1-devel-0.9-1.1mdvmes5.2.x86_64.rpm
e8e051a9bb35bd3c4f1053a95137549c
mes5/x86_64/libzip-0.9-1.1mdvmes5.2.x86_64.rpm
e675417cd92171246244c061e178c384 mes5/SRPMS/libzip-0.9-1.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN20+QmqjQ0CJFipgRAkNfAJ4rXaVWkphVslNS0q7faBMWKwh1RQCgxVH1
Di9TN3bCfXHOIrvPkP1C/ws=
=I8bT
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke