Bug #75319 Libzip 1.1.2 Security Vulnerability
Submitted: 2017-10-05 13:48 UTC Modified: 2017-10-27 12:26 UTC
From: scott dot a dot andrews at gmail dot com Assigned: ab (profile)
Status: Closed Package: Zip Related
PHP Version: 7.1.10 OS: Windows
Private report: No CVE-ID: None
 [2017-10-05 13:48 UTC] scott dot a dot andrews at gmail dot com
Description:
------------
The version of Libzip included in 7.1.10 has been identified as a HIGH vulnerability.

Libzip: zip_dirent.c Double Free Vulnerability 

Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to have unspecified impact via unknown vectors.

This vulnerability was identified because (1) the detected version of Libzip, 1.1.2, is less than or equal to 1.2.11

In your next release, please upgrade Libzip to at least 1.2.11


 [2017-10-06 07:01 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-10-06 07:01 UTC] ab@php.net
Thanks for the report. Please provide a link to the corresponding CVE.

Thanks.
 [2017-10-17 16:31 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2017-10-17 16:31 UTC] cmb@php.net
<http://www.cvedetails.com/cve/CVE-2017-12858/> has been fixed as of libzip
1.3.0[1].

[1] <https://nih.at/libzip/NEWS.html>
 [2017-10-27 10:51 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-10-27 10:51 UTC] ab@php.net
Thanks for the link, Christoph. But CVE-2017-12858 is not applicable to versions < 1.2.0, as the log mentions AES was introduced there.

On the other hand, CVE-2017-14107 seems to be applicable, but that doesn't sound like what reporters said. Anyway, gonna check that and see. @scott dot a dot andrews at gmail dot com, please extend the ticket with the required information.

Thanks.
 [2017-10-27 12:26 UTC] ab@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: ab
 [2017-10-27 12:26 UTC] ab@php.net
I've applied the patch for CVE-2017-14107. There seem to be no other applicable items, looking at the changelog. Thus, closing this one.

Thanks.
 