UbuntuUpdates.org

Package "libzzip-0-13"

Name: libzzip-0-13

Description:

library providing read access on ZIP-archives - library

Latest version: 0.13.62-3ubuntu0.16.04.2
Release: xenial (16.04)
Level: updates
Repository: main
Head package: zziplib
Homepage: http://zziplib.sourceforge.net

Links


Download "libzzip-0-13"


Other versions of "libzzip-0-13" in Xenial

Repository Area Version
base main 0.13.62-3
security main 0.13.62-3ubuntu0.16.04.2

Changelog

Version: 0.13.62-3ubuntu0.16.04.2 2018-07-03 14:07:29 UTC

  zziplib (0.13.62-3ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: invalid mem access in zzip_disk_fread
    - debian/patches/CVE-2018-6381.patch: check sizes in zzip/memdisk.c.
    - CVE-2018-6381
  * SECURITY UPDATE: alignment and bus errors in __zzip_fetch_disk_trailer
    - debian/patches/CVE-2018-6484.patch: check sizes in zzip/zip.c.
    - CVE-2018-6484
    - CVE-2018-6541
    - CVE-2018-6869
  * SECURITY UPDATE: bus error in zzip_disk_findfirst
    - debian/patches/CVE-2018-6540.patch: check endbuf in zzip/mmapped.c.
    - CVE-2018-6540
  * SECURITY UPDATE: invalid memory dereference
    - debian/patches/CVE-2018-7725.patch: check zlib space in
      zzip/memdisk.c, zzip/mmapped.c.
    - CVE-2018-7725
  * SECURITY UPDATE: bus error in __zzip_parse_root_directory
    - debian/patches/CVE-2018-7726-1.patch: check rootseek and rootsize in
      zzip/zip.c.
    - debian/patches/CVE-2018-7726-2.patch: check rootseek in zzip/zip.c.
    - debian/patches/CVE-2018-7726-3.patch: check zz_rootsize in
      zzip/zip.c.
    - CVE-2018-7726

 -- Marc Deslauriers <email address hidden> Fri, 29 Jun 2018 12:27:57 -0400

Source diff to previous version
CVE-2018-6381 In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid memory access in the zzip_disk_fread function (zzip/mmapped.c) because the size v
CVE-2018-6484 In ZZIPlib 0.13.67, there is a memory alignment error and bus error in the __zzip_fetch_disk_trailer function of zzip/zip.c. Remote attackers could l
CVE-2018-6541 In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address (when handling disk64_trailer local entries) in __zzip_fetch_disk_
CVE-2018-6869 In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attacker
CVE-2018-6540 In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. Remote atta
CVE-2018-7725 An issue was discovered in ZZIPlib 0.13.68. An invalid memory address dereference was discovered in zzip_disk_fread in mmapped.c. The vulnerability c
CVE-2018-7726 An issue was discovered in ZZIPlib 0.13.68. There is a bus error caused by the __zzip_parse_root_directory function of zip.c. Attackers could leverag

Version: 0.13.62-3ubuntu0.16.04.1 2017-06-15 16:06:55 UTC

  zziplib (0.13.62-3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      0.13.62-3.1 release. Thanks to Josef Moellers of SuSE and
      Moritz Muehlenhoff of Debian!
    - CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978,
      CVE-2017-5979, CVE-2017-5980, CVE-2017-5981

 -- Marc Deslauriers <email address hidden> Tue, 13 Jun 2017 09:40:14 -0400

CVE-2017-5974 Heap-based buffer overflow in the __zzip_get32 function in fetch.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (crash) vi
CVE-2017-5975 Heap-based buffer overflow in the __zzip_get64 function in fetch.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (crash) vi
CVE-2017-5976 Heap-based buffer overflow in the zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of se
CVE-2017-5978 The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (out-of-bounds read and crash) v
CVE-2017-5979 The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) v
CVE-2017-5980 The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (NULL pointer dereference and cr
CVE-2017-5981 seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (assertion failure and crash) via a crafted ZIP file.



About   -   Send Feedback to @ubuntu_updates