Security update for zziplib

SUSE Security Update: Security update for zziplib

---

Announcement ID:	SUSE-SU-2019:3341-1
Rating:	moderate
References:	#1084515 #1107424 #1129403
Cross-References:	CVE-2018-16548 CVE-2018-7727
Affected Products:	SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Desktop 12-SP4

---

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for zziplib fixes the following issues:
Security issues fixed:

• CVE-2018-16548: Avoid a memory leak from __zzip_parse_root_directory() which could lead to denial of service. (bsc#1107424)
• CVE-2018-7727: Fixed a memory leak in unzzip_cat() (bsc#1084515).

Non-security issue fixed:

• Prevented division by zero by first checking if uncompressed size is 0. This may happen with directories which have a compressed and uncompressed size of 0. (bsc#1129403)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2019-3341=1
• SUSE Linux Enterprise Workstation Extension 12-SP4:
  zypper in -t patch SUSE-SLE-WE-12-SP4-2019-3341=1
• SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3341=1
• SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3341=1
• SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3341=1

Package List:

• SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  • libzzip-0-13-0.13.67-10.25.1
  • libzzip-0-13-debuginfo-0.13.67-10.25.1
  • zziplib-debugsource-0.13.67-10.25.1
• SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
  • libzzip-0-13-0.13.67-10.25.1
  • libzzip-0-13-debuginfo-0.13.67-10.25.1
  • zziplib-debugsource-0.13.67-10.25.1
• SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  • libzzip-0-13-0.13.67-10.25.1
  • libzzip-0-13-debuginfo-0.13.67-10.25.1
  • zziplib-debugsource-0.13.67-10.25.1
  • zziplib-devel-0.13.67-10.25.1
  • zziplib-devel-debuginfo-0.13.67-10.25.1
• SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  • libzzip-0-13-0.13.67-10.25.1
  • libzzip-0-13-debuginfo-0.13.67-10.25.1
  • zziplib-debugsource-0.13.67-10.25.1
  • zziplib-devel-0.13.67-10.25.1
  • zziplib-devel-debuginfo-0.13.67-10.25.1
• SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
  • libzzip-0-13-0.13.67-10.25.1
  • libzzip-0-13-debuginfo-0.13.67-10.25.1
  • zziplib-debugsource-0.13.67-10.25.1

References:

• https://www.suse.com/security/cve/CVE-2018-16548.html
• https://www.suse.com/security/cve/CVE-2018-7727.html
• https://bugzilla.suse.com/1084515
• https://bugzilla.suse.com/1107424
• https://bugzilla.suse.com/1129403