   openSUSE Security Update: Security update for zziplib
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:0561-1
Rating:             moderate
References:         #1024532 #1024536 #1034539 #1078497 #1078701
                    #1079096
Cross-References:   CVE-2018-6381 CVE-2018-6484 CVE-2018-6540
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that solves three vulnerabilities and has three
   fixes is now available.

Description:

   This update for zziplib to 0.13.67 contains multiple bug and security
   fixes:

   - If an extension block is too small to hold an extension, do not use the
     information therein.
   - CVE-2018-6540: If the End of central directory record (EOCD) contains an
     Offset of start of central directory which is beyond the end of the
     file, reject the file. (bsc#1079096)
   - CVE-2018-6484: Reject the ZIP file and report it as corrupt if the size
     of the central directory and/or the offset of start of central directory
     point beyond the end of the ZIP file. (bsc#1078701)
   - CVE-2018-6381: If a file is uncompressed, compressed and uncompressed
     sizes should be identical. (bsc#1078497)

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-215=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      libzzip-0-13-0.13.67-13.3.1
      libzzip-0-13-debuginfo-0.13.67-13.3.1
      zziplib-debugsource-0.13.67-13.3.1
      zziplib-devel-0.13.67-13.3.1
      zziplib-devel-debuginfo-0.13.67-13.3.1

   - openSUSE Leap 42.3 (x86_64):

      libzzip-0-13-32bit-0.13.67-13.3.1
      libzzip-0-13-debuginfo-32bit-0.13.67-13.3.1
      zziplib-devel-32bit-0.13.67-13.3.1
      zziplib-devel-debuginfo-32bit-0.13.67-13.3.1

References:

   https://www.suse.com/security/cve/CVE-2018-6381.html
   https://www.suse.com/security/cve/CVE-2018-6484.html
   https://www.suse.com/security/cve/CVE-2018-6540.html
   https://bugzilla.suse.com/1024532
   https://bugzilla.suse.com/1024536
   https://bugzilla.suse.com/1034539
   https://bugzilla.suse.com/1078497
   https://bugzilla.suse.com/1078701
   https://bugzilla.suse.com/1079096
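
The three archive checks listed in the Description, written out as an added C example for code that parses ZIP files itself; this is not zziplib's code and not part of the advisory. Field offsets follow the ZIP format's EOCD and central directory header layouts; the function and enum names are hypothetical and the sample buffers are constructed.

```c
/* Added example, not zziplib code: archive layout checks on an in-memory ZIP. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum zip_check { ZIP_OK, ZIP_NO_EOCD, ZIP_CD_OFFSET_PAST_EOF,
                 ZIP_CD_EXTENT_PAST_EOF, ZIP_BAD_ENTRY, ZIP_STORED_SIZE_MISMATCH };

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Find the EOCD (22 fixed bytes, optional trailing comment) and bounds-check it. */
enum zip_check check_eocd(const uint8_t *buf, size_t len) {
    if (len < 22) return ZIP_NO_EOCD;
    for (size_t pos = len - 21; pos-- > 0; ) {
        if (memcmp(buf + pos, "PK\x05\x06", 4) != 0) continue;
        uint64_t cd_size = le32(buf + pos + 12);  /* size of central directory */
        uint64_t cd_off  = le32(buf + pos + 16);  /* offset of start of central directory */
        if (cd_off > len) return ZIP_CD_OFFSET_PAST_EOF;
        if (cd_off + cd_size > len) return ZIP_CD_EXTENT_PAST_EOF;  /* 64-bit sum cannot wrap */
        return ZIP_OK;
    }
    return ZIP_NO_EOCD;
}

/* Central directory header (46 fixed bytes); compression method 0 means stored. */
enum zip_check check_stored_entry(const uint8_t *cdh, size_t avail) {
    if (avail < 46 || memcmp(cdh, "PK\x01\x02", 4) != 0) return ZIP_BAD_ENTRY;
    int stored = le16(cdh + 10) == 0;
    return (stored && le32(cdh + 20) != le32(cdh + 24)) ? ZIP_STORED_SIZE_MISMATCH : ZIP_OK;
}

/* Constructed sample: a 100-byte buffer whose last 22 bytes are an EOCD. */
enum zip_check sample_eocd(uint32_t cd_size, uint32_t cd_off) {
    uint8_t f[100] = {0};
    memcpy(f + 78, "PK\x05\x06", 4);
    put32(f + 90, cd_size); put32(f + 94, cd_off);
    return check_eocd(f, sizeof f);
}

/* Constructed sample: a stored entry with the given compressed/uncompressed sizes. */
enum zip_check sample_stored(uint32_t csize, uint32_t usize) {
    uint8_t h[46] = {0};
    memcpy(h, "PK\x01\x02", 4);
    put32(h + 20, csize); put32(h + 24, usize);
    return check_stored_entry(h, sizeof h);
}

int main(void) {
    return printf("%d %d %d\n", sample_eocd(10, 40), sample_eocd(10, 200), sample_stored(5, 9)) < 0;
}
```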