   openSUSE Security Update: Security update for zziplib
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1210-1
Rating:             moderate
References:         #1024517 #1024528 #1024531 #1024532 #1024533
                    #1024534 #1024535 #1024536 #1024537 #1024539
Cross-References:   CVE-2017-5974 CVE-2017-5975 CVE-2017-5976
                    CVE-2017-5977 CVE-2017-5978 CVE-2017-5979
                    CVE-2017-5980 CVE-2017-5981
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has two fixes
   is now available.

Description:

   This update for zziplib fixes the following issues:

   Security issues fixed:

   - CVE-2017-5974: heap-based buffer overflow in __zzip_get32 (fetch.c)
     (bsc#1024517)
   - CVE-2017-5975: heap-based buffer overflow in __zzip_get64 (fetch.c)
     (bsc#1024528)
   - CVE-2017-5976: heap-based buffer overflow in
     zzip_mem_entry_extra_block (memdisk.c) (bsc#1024531)
   - CVE-2017-5977: invalid memory read in zzip_mem_entry_extra_block
     (memdisk.c) (bsc#1024534)
   - CVE-2017-5978: out of bounds read in zzip_mem_entry_new (memdisk.c)
     (bsc#1024533)
   - CVE-2017-5979: NULL pointer dereference in prescan_entry (fseeko.c)
     (bsc#1024535)
   - CVE-2017-5980: NULL pointer dereference in zzip_mem_entry_new
     (memdisk.c) (bsc#1024536)
   - CVE-2017-5981: assertion failure in seeko.c (bsc#1024539)
   - NULL pointer dereference in main (unzzipcat-mem.c) (bsc#1024532)
   - NULL pointer dereference in main (unzzipcat.c) (bsc#1024537)

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-554=1

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-554=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      libzzip-0-13-0.13.62-10.3.1
      libzzip-0-13-debuginfo-0.13.62-10.3.1
      zziplib-debugsource-0.13.62-10.3.1
      zziplib-devel-0.13.62-10.3.1
      zziplib-devel-debuginfo-0.13.62-10.3.1

   - openSUSE Leap 42.2 (x86_64):

      libzzip-0-13-32bit-0.13.62-10.3.1
      libzzip-0-13-debuginfo-32bit-0.13.62-10.3.1
      zziplib-devel-32bit-0.13.62-10.3.1
      zziplib-devel-debuginfo-32bit-0.13.62-10.3.1

   - openSUSE Leap 42.1 (i586 x86_64):

      libzzip-0-13-0.13.62-10.1
      libzzip-0-13-debuginfo-0.13.62-10.1
      zziplib-debugsource-0.13.62-10.1
      zziplib-devel-0.13.62-10.1
      zziplib-devel-debuginfo-0.13.62-10.1

   - openSUSE Leap 42.1 (x86_64):

      libzzip-0-13-32bit-0.13.62-10.1
      libzzip-0-13-debuginfo-32bit-0.13.62-10.1
      zziplib-devel-32bit-0.13.62-10.1
      zziplib-devel-debuginfo-32bit-0.13.62-10.1

References:

   https://www.suse.com/security/cve/CVE-2017-5974.html
   https://www.suse.com/security/cve/CVE-2017-5975.html
   https://www.suse.com/security/cve/CVE-2017-5976.html
   https://www.suse.com/security/cve/CVE-2017-5977.html
   https://www.suse.com/security/cve/CVE-2017-5978.html
   https://www.suse.com/security/cve/CVE-2017-5979.html
   https://www.suse.com/security/cve/CVE-2017-5980.html
   https://www.suse.com/security/cve/CVE-2017-5981.html
   https://bugzilla.suse.com/1024517
   https://bugzilla.suse.com/1024528
   https://bugzilla.suse.com/1024531
   https://bugzilla.suse.com/1024532
   https://bugzilla.suse.com/1024533
   https://bugzilla.suse.com/1024534
   https://bugzilla.suse.com/1024535
   https://bugzilla.suse.com/1024536
   https://bugzilla.suse.com/1024537
   https://bugzilla.suse.com/1024539
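
Checking a host against the fixed builds listed in the Package List (an added example, not part of the openSUSE announcement): the script below reads "name version-release" lines and flags zziplib packages older than the fixed release for the given product. The function names, the sample inventory and the use of GNU "sort -V" in place of rpm's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag zziplib packages older than
# the fixed builds. Fixed version-release strings come from the Package List.

fixed_evr() {                       # $1 = Leap version
    case "$1" in
        42.2) echo "0.13.62-10.3.1" ;;
        42.1) echo "0.13.62-10.1" ;;
        *)    return 1 ;;
    esac
}

# True if $1 >= $2. Assumption: GNU "sort -V" ordering stands in for rpm's
# own comparison, which is adequate for these dotted numeric strings.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

classify() {                        # $1 = Leap version, $2 = installed version-release
    fixed=$(fixed_evr "$1") || { echo "unknown-product"; return 0; }
    if evr_at_least "$2" "$fixed"; then echo "patched"; else echo "needs-update"; fi
}

# Reads "name version-release" lines on stdin; reports only zziplib packages.
# Live input: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_inventory 42.2
audit_inventory() {
    while read -r pkg evr; do
        case "$pkg" in
            libzzip-0-13*|zziplib-*)
                printf '%s %s %s\n' "$pkg" "$evr" "$(classify "$1" "$evr")" ;;
        esac
    done
}

# Constructed sample inventory (the 9.1 release is made up for illustration).
sample_inventory() {
    cat <<'EOF'
libzzip-0-13 0.13.62-10.3.1
zziplib-devel 0.13.62-9.1
bash 4.3-82.1
EOF
}

sample_inventory | audit_inventory 42.2
```

Any package reported as needs-update is brought to the fixed build by the zypper command given under Patch Instructions.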