Hello community, here is the log from the commit of package libzip1 for openSUSE:11.4 checked in at Tue Mar 22 00:05:32 CET 2011. -------- --- old-versions/11.4/all/libzip1/libzip1.changes 2008-07-27 06:26:56.000000000 +0200 +++ 11.4/libzip1/libzip1.changes 2011-03-21 10:46:17.000000000 +0100 @@ -1,0 +2,5 @@ +Mon Mar 21 09:46:06 UTC 2011 - mvyskocil@suse.cz + +- fix bnc#681193 - VUL-0: libzip NULL deref (CVE-2011-0421) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libzip1 Destination is old-versions/11.4/UPDATES/all/libzip1 calling whatdependson for 11.4-i586 New: ---- libzip-0.9-CVE-2011-0421.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzip1.spec ++++++ --- /var/tmp/diff_new_pack.bR5fwg/_old 2011-03-22 00:05:18.000000000 +0100 +++ /var/tmp/diff_new_pack.bR5fwg/_new 2011-03-22 00:05:18.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libzip1 (Version 0.9) +# spec file for package libzip1 # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,14 +22,15 @@ Name: libzip1 Version: 0.9 -Release: 22 -License: BSD 3-Clause +Release: 30.<RELEASE31> +License: BSD3c Group: Development/Libraries/C and C++ Source0: http://www.nih.at/libzip/%{pkg_name}-%{version}.tar.bz2 Url: http://www.nih.at/libzip BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build Patch0: libzip-0.8.hg20080403-visibility.patch +Patch1: libzip-0.9-CVE-2011-0421.patch %description libzip is a C library for reading, creating, and modifying zip 
@@ -46,7 +47,7 @@ Thomas Klausner <tk@giga.or.at> %package -n libzip-util -License: BSD 3-Clause +License: BSD3c Summary: C library for reading, creating, and modifying zip archives Group: Development/Libraries/C and C++ @@ -65,7 +66,7 @@ Thomas Klausner <tk@giga.or.at> %package -n libzip-devel -License: BSD 3-Clause +License: BSD3c Summary: C library for reading, creating, and modifying zip archives Group: Development/Libraries/C and C++ Requires: libzip1 = %{version} glibc-devel @@ -87,6 +88,7 @@ %prep %setup -q -n %{pkg_name}-%{version} %patch0 -p1 +%patch1 -p1 %build autoreconf -fiv ++++++ libzip-0.9-CVE-2011-0421.patch ++++++ Index: libzip-0.9/lib/zip_name_locate.c =================================================================== --- libzip-0.9/lib/zip_name_locate.c 2007-11-07 14:33:45.000000000 +0100 +++ libzip-0.9/lib/zip_name_locate.c 2011-03-21 10:36:21.149985060 +0100 @@ -59,6 +59,10 @@ _zip_error_set(error, ZIP_ER_INVAL, 0); return -1; } + + if((flags & ZIP_FL_UNCHANGED) && !za->cdir) { + return -1; + } cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
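Review bot: in lib/zip_name_locate.c the new branch for (flags & ZIP_FL_UNCHANGED) && !za->cdir returns -1 without setting an error, while the branch directly above it calls _zip_error_set(error, ZIP_ER_INVAL, 0) before its return -1. A caller that reads the error after a -1 would see whatever was stored earlier. Suggest calling _zip_error_set with a suitable code in the new branch as well. The visible context also does not show whether za->cdir is used when ZIP_FL_UNCHANGED is not set, so it is worth confirming that a NULL cdir cannot be reached on that path. Minor style point: "if(" has no space after the keyword, unlike the surrounding code's layout.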
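Review bot: in libzip1.spec the License tag changes from "BSD 3-Clause" to "BSD3c" in all three places (main package, libzip-util, libzip-devel), but the libzip1.changes entry records only the CVE-2011-0421 fix. Either mention the license tag change in the changelog entry or keep it out of this security update so the update carries only the fix. The entry could also name the added file libzip-0.9-CVE-2011-0421.patch, so the changelog ties the bnc#681193 fix to the Patch1 line and the %patch1 -p1 step.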