ESB-2020.1507

Operating System:
[RedHat]
Published:
29 April 2020
Protect yourself against future threats.
//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.
Resources > Security Bulletins > ESB-2020.1507
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1507
                          zziplib security update
                               29 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zziplib
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Modify Arbitrary Files -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17828  

Reference:         ESB-2020.1141
                   ESB-2018.3270
                   ESB-2018.3189

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1653

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: zziplib security update
Advisory ID:       RHSA-2020:1653-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1653
Issue date:        2020-04-28
CVE Names:         CVE-2018-17828 
=====================================================================

1. Summary:

An update for zziplib is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The zziplib is a lightweight library to easily extract data from zip files.

Security Fix(es):

* zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c
(CVE-2018-17828)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1635888 - CVE-2018-17828 zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
zziplib-0.13.68-8.el8.src.rpm

aarch64:
zziplib-0.13.68-8.el8.aarch64.rpm
zziplib-debuginfo-0.13.68-8.el8.aarch64.rpm
zziplib-debugsource-0.13.68-8.el8.aarch64.rpm
zziplib-utils-0.13.68-8.el8.aarch64.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.aarch64.rpm

ppc64le:
zziplib-0.13.68-8.el8.ppc64le.rpm
zziplib-debuginfo-0.13.68-8.el8.ppc64le.rpm
zziplib-debugsource-0.13.68-8.el8.ppc64le.rpm
zziplib-utils-0.13.68-8.el8.ppc64le.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.ppc64le.rpm

s390x:
zziplib-0.13.68-8.el8.s390x.rpm
zziplib-debuginfo-0.13.68-8.el8.s390x.rpm
zziplib-debugsource-0.13.68-8.el8.s390x.rpm
zziplib-utils-0.13.68-8.el8.s390x.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.s390x.rpm

x86_64:
zziplib-0.13.68-8.el8.i686.rpm
zziplib-0.13.68-8.el8.x86_64.rpm
zziplib-debuginfo-0.13.68-8.el8.i686.rpm
zziplib-debuginfo-0.13.68-8.el8.x86_64.rpm
zziplib-debugsource-0.13.68-8.el8.i686.rpm
zziplib-debugsource-0.13.68-8.el8.x86_64.rpm
zziplib-utils-0.13.68-8.el8.x86_64.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.i686.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
zziplib-debuginfo-0.13.68-8.el8.aarch64.rpm
zziplib-debugsource-0.13.68-8.el8.aarch64.rpm
zziplib-devel-0.13.68-8.el8.aarch64.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.aarch64.rpm

ppc64le:
zziplib-debuginfo-0.13.68-8.el8.ppc64le.rpm
zziplib-debugsource-0.13.68-8.el8.ppc64le.rpm
zziplib-devel-0.13.68-8.el8.ppc64le.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.ppc64le.rpm

s390x:
zziplib-debuginfo-0.13.68-8.el8.s390x.rpm
zziplib-debugsource-0.13.68-8.el8.s390x.rpm
zziplib-devel-0.13.68-8.el8.s390x.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.s390x.rpm

x86_64:
zziplib-debuginfo-0.13.68-8.el8.i686.rpm
zziplib-debuginfo-0.13.68-8.el8.x86_64.rpm
zziplib-debugsource-0.13.68-8.el8.i686.rpm
zziplib-debugsource-0.13.68-8.el8.x86_64.rpm
zziplib-devel-0.13.68-8.el8.i686.rpm
zziplib-devel-0.13.68-8.el8.x86_64.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.i686.rpm
zziplib-utils-debuginfo-0.13.68-8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-17828
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXqhWC9zjgjWX9erEAQhcbg//UCzKcCtD2pOgfVM+NUZbw5NmDwZ2zsVj
HdTyLIjWaPUVdzkQiRV1QZkswZqeK9ZtQw2TbXT8l7mLwIrl1k92FsRRn+SedAq/
h0tAp1ZEsNhVO7GSdy7b7WeVrdSkIDndV8Tll2Qdd4I91t/D5z51fla7Uy0L5xxd
GYzKOT0VCi13se0BuktO3Ba1n9Lg8R4dSljMlz3U/K5U8RxMxjfjkBsvlf6ac4sK
C+SYCSxBZD5tpI4rN4xuN3ngYfAn3VnBtYSBJBZlauZfT+977VpDL+g+lSzBW8Kn
Decz9CpUzGH1onaAu5EL85HFzFq3APtj4PNBl0ImGxiJCb+5E5Jl0r7PWrVyeEuk
jXH4w6dkwwGsq735n4i5VJV/XMr6Yu7EG4StYLObDALd/1CNlaPfD3Io4a0Gj7ex
KsYuKJaf955nWTJHZwNcMmk//q3iildkKSvYsLxjJ8Mg0usyyDKviBBTkXV28Jvv
kuTsExvGnXp2+Z2x5d9CGtfP71k4H4xMUd3r0NKCM6ZT/CO99VLCpUKzij1X03wa
ypr4IaRjp0e0s8kkE7977Ppm1Fu3FNTAxqR147hvh4THQ/BRLSUsEzbBgOB4414+
UIUfoRkkPwj2R7lavVLu+NkWjUmvBKuyxIcoGzYoeQ3CvPoE83J3n6FxPEhEob5m
qodBPAMmd9s=
=q72D
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXqkbomaOgq3Tt24GAQiSrA//WZDFqEoupz/Np8puq5oX3xpYL7xovMfB
K9vFve8gASXc1meKS41HbKE1HmErMr7PLrsNHGO2WywnGgkikl9F4N5Gn06JPhyF
f04RWNhT2MF2OB5eOP/tZMNah+LdWXbf4dNwuGhT35Foic+rFJaU4VrrDlynlm3J
aVgrw3ZZzQTXmakWkiZsh5T6bgTjgmMDEah4iixBxLtFbBq/45JHW7NPFjGBmTL4
Eu+A/vuBGOQSm5ZEt5+XTlFVx0MH1n0bolCo/yKdCyLjgtNj1TvXBejtrCRQBqkQ
qzyrWXJ6a3xjfqk6bulE/4yz5cT0sBrD7SF1HfCQWvnyOWe0NKIEBOuRa6rPovRV
/qZfjN3TB5Sv0vwEO7qUsH3/DmTvjTdkFg7zylSH0GYyAdXjJyZnGnebj1YvERGs
wy0JwoLAfFJ7HMXup5v1rn9jcCv7WBPJnzD0YlJQjLoBMyq5WwzjzoOnpgPNAILA
sB0WbFx/l4qCNHsXiuiUAiqI/oU0NoRMMw2pCe8dzfW/Fs8aG6H4P+FlKbIYHC8K
QmG3dQW15qk7Ss+WUYINDmQVciUNUyZvm2q56kNly4+gHPJaRsLEQu/R38yy1R/O
mjspFrfmcmF+b6n6BC8MbqkYmXF12e6iKBCdLVnIeBIH5RQhhMevvipyP+InPrPT
FCSpTDvnP9o=
=sLYZ
-----END PGP SIGNATURE-----