Bug #75319 Libzip 1.1.2 Security Vulnerability
Submitted: 2017-10-05 13:48 UTC
Modified: 2017-10-27 12:26 UTC
From: scott dot a dot andrews at gmail dot com
Assigned: ab
Status: Closed
Package: Zip Related
PHP Version: 7.1.10
OS: Windows
Private report: No
CVE-ID: None
 [2017-10-05 13:48 UTC] scott dot a dot andrews at gmail dot com
Description:
------------
The version of Libzip included in 7.1.10 has been identified as a HIGH vulnerability.

Libzip: zip_dirent.c Double Free Vulnerability 

Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to have unspecified impact via unknown vectors.

This vulnerability was identified because (1) the detected version of Libzip, 1.1.2, is less than or equal to 1.2.11.

In your next release, please upgrade Libzip to at least 1.2.11.


 [2017-10-06 07:01 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-10-06 07:01 UTC] ab@php.net
Thanks for the report. Please provide a link to the corresponding CVE.

Thanks.
 [2017-10-17 16:31 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2017-10-17 16:31 UTC] cmb@php.net
<http://www.cvedetails.com/cve/CVE-2017-12858/> has been fixed as of libzip
1.3.0[1].

[1] <https://nih.at/libzip/NEWS.html>
 [2017-10-27 10:51 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-10-27 10:51 UTC] ab@php.net
Thanks for the link, Christoph. But CVE-2017-12858 is not applicable to versions < 1.2.0, as the log mentions AES was introduced there.

On the other hand, CVE-2017-14107 seems to be applicable, but that doesn't sound like what reporters said. Anyway, gonna check that and see. @scott dot a dot andrews at gmail dot com, please extend the ticket with the required information.

Thanks.
 [2017-10-27 12:26 UTC] ab@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: ab
 [2017-10-27 12:26 UTC] ab@php.net
I've applied the patch for CVE-2017-14107. There seem to be no other applicable items, looking at the changelog. Thus, closing this one.

Thanks.
Last updated: Fri Apr 19 20:01:29 2024 UTC