libzip-devel-1.1.3-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10113-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libzip-devel-1.1.3-1.4 on GA media These are all security issues fixed in the libzip-devel-1.1.3-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10113 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-0421/ SUSE CVE CVE-2011-0421 page https://www.suse.com/security/cve/CVE-2012-1162/ SUSE CVE CVE-2012-1162 page https://www.suse.com/security/cve/CVE-2012-1163/ SUSE CVE CVE-2012-1163 page https://www.suse.com/security/cve/CVE-2015-2331/ SUSE CVE CVE-2015-2331 page openSUSE Tumbleweed libzip-devel-1.1.3-1.4 libzip-tools-1.1.3-1.4 libzip4-1.1.3-1.4 libzip4-32bit-1.1.3-1.4 libzip-devel-1.1.3-1.4 as a component of openSUSE Tumbleweed libzip-tools-1.1.3-1.4 as a component of openSUSE Tumbleweed libzip4-1.1.3-1.4 as a component of openSUSE Tumbleweed libzip4-32bit-1.1.3-1.4 as a component of openSUSE Tumbleweed The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation. CVE-2011-0421 openSUSE Tumbleweed:libzip-devel-1.1.3-1.4 openSUSE Tumbleweed:libzip-tools-1.1.3-1.4 openSUSE Tumbleweed:libzip4-1.1.3-1.4 openSUSE Tumbleweed:libzip4-32bit-1.1.3-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-0421.html CVE-2011-0421 https://bugzilla.suse.com/681193 SUSE Bug 681193 Heap-based buffer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a zip archive with the number of directories set to 0, related to an "incorrect loop construct." CVE-2012-1162 openSUSE Tumbleweed:libzip-devel-1.1.3-1.4 openSUSE Tumbleweed:libzip-tools-1.1.3-1.4 openSUSE Tumbleweed:libzip4-1.1.3-1.4 openSUSE Tumbleweed:libzip4-32bit-1.1.3-1.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1162.html CVE-2012-1162 https://bugzilla.suse.com/751829 SUSE Bug 751829 https://bugzilla.suse.com/751830 SUSE Bug 751830 Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values for the central directory in a zip archive, which triggers "improper restrictions of operations within the bounds of a memory buffer" and an information leak. CVE-2012-1163 openSUSE Tumbleweed:libzip-devel-1.1.3-1.4 openSUSE Tumbleweed:libzip-tools-1.1.3-1.4 openSUSE Tumbleweed:libzip4-1.1.3-1.4 openSUSE Tumbleweed:libzip4-32bit-1.1.3-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1163.html CVE-2012-1163 https://bugzilla.suse.com/751829 SUSE Bug 751829 https://bugzilla.suse.com/751830 SUSE Bug 751830 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. CVE-2015-2331 openSUSE Tumbleweed:libzip-devel-1.1.3-1.4 openSUSE Tumbleweed:libzip-tools-1.1.3-1.4 openSUSE Tumbleweed:libzip4-1.1.3-1.4 openSUSE Tumbleweed:libzip4-32bit-1.1.3-1.4 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2331.html CVE-2015-2331 https://bugzilla.suse.com/922894 SUSE Bug 922894 https://bugzilla.suse.com/923240 SUSE Bug 923240