CVE-2011-0421
Published: 2011-03-20
Priority: P4 · 27 · medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploit: a public exploit is referenced (exploit-db 17004; see the references at the end of this page)
EPSS: 13.51% (96.0th percentile)
The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.
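The failure mode in the description above, as an added example in C. At the PHP level the trigger is ZipArchive::locateName() or ZipArchive::statName() called with ZIPARCHIVE::FL_UNCHANGED on an empty archive; the block below models the library routine underneath that call. It is not libzip's or PHP's code: the struct layouts, field names, error codes and the two demo archives are simplifications constructed for this example, and the guard in name_locate_fixed() is the shape of the fix as modelled here, not the upstream diff.

```c
/*
 * Added example (not libzip's or PHP's code): a cut-down model of the
 * FL_UNCHANGED lookup path in _zip_name_locate(), showing why an empty
 * archive crashes and what a guard against it looks like. Struct layouts,
 * field names, error codes and the demo archives are constructed here.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "use original data, ignoring changes"; value assumed for this model */
#define ZIP_FL_UNCHANGED 8

enum { ZIP_ER_OK = 0, ZIP_ER_NOENT = 9 }; /* modelled error codes */

struct entry { const char *filename; };

/* Central directory as read from disk. A freshly created or empty archive
 * has no central directory, so the archive's cdir pointer is NULL. */
struct cdir { int nentry; struct entry *entry; };

struct zip {
    struct cdir  *cdir;   /* on-disk ("unchanged") view; NULL when empty */
    int           nentry; /* in-memory view, including pending changes */
    struct entry *entry;
};

/* Vulnerable shape: with FL_UNCHANGED set it reads za->cdir->nentry
 * unconditionally. For an empty archive cdir is NULL, which is the
 * NULL pointer dereference behind CVE-2011-0421. */
static int name_locate_vuln(struct zip *za, const char *fname, int flags, int *err)
{
    int i;
    int n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;

    for (i = 0; i < n; i++) {
        const char *fn = (flags & ZIP_FL_UNCHANGED) ? za->cdir->entry[i].filename
                                                    : za->entry[i].filename;
        if (strcmp(fn, fname) == 0)
            return i;
    }
    *err = ZIP_ER_NOENT;
    return -1;
}

/* Fixed shape: an "unchanged" lookup on an archive with no central
 * directory cannot match anything, so report "no such entry" instead of
 * touching the NULL pointer. The loop itself is unchanged. */
static int name_locate_fixed(struct zip *za, const char *fname, int flags, int *err)
{
    if ((flags & ZIP_FL_UNCHANGED) && za->cdir == NULL) {
        *err = ZIP_ER_NOENT;
        return -1;
    }
    return name_locate_vuln(za, fname, flags, err);
}

/* Constructed inputs. empty_archive models a new or zero-length archive:
 * no central directory, no entries. */
static struct zip   empty_archive = { NULL, 0, NULL };

/* modified_archive: "a.txt" on disk, "b.txt" added but not yet written.
 * An FL_UNCHANGED lookup must see only the on-disk entry. */
static struct entry disk_entries[]   = { { "a.txt" } };
static struct cdir  disk_cdir        = { 1, disk_entries };
static struct entry mem_entries[]    = { { "a.txt" }, { "b.txt" } };
static struct zip   modified_archive = { &disk_cdir, 2, mem_entries };

/* The advisory's trigger reduced to the library-level call. */
int lookup_empty_unchanged(void)
{
    int err = ZIP_ER_OK;
    return name_locate_fixed(&empty_archive, "x", ZIP_FL_UNCHANGED, &err);
}

int lookup_empty_unchanged_error(void)
{
    int err = ZIP_ER_OK;
    name_locate_fixed(&empty_archive, "x", ZIP_FL_UNCHANGED, &err);
    return err;
}

/* Index of name in modified_archive under the given flags, -1 if absent. */
int lookup_modified(const char *name, int flags)
{
    int err = ZIP_ER_OK;
    return name_locate_fixed(&modified_archive, name, flags, &err);
}

int main(void)
{
    printf("empty archive, FL_UNCHANGED (fixed):   %d\n", lookup_empty_unchanged());
    /* name_locate_vuln(&empty_archive, "x", ZIP_FL_UNCHANGED, &err) would
     * dereference NULL here; it is deliberately not called. */
    printf("a.txt, FL_UNCHANGED:                   %d\n", lookup_modified("a.txt", ZIP_FL_UNCHANGED));
    printf("b.txt, FL_UNCHANGED (pending, hidden): %d\n", lookup_modified("b.txt", ZIP_FL_UNCHANGED));
    printf("b.txt, no flags:                       %d\n", lookup_modified("b.txt", 0));
    return 0;
}
```

The point to take from the two archives is that FL_UNCHANGED is a legitimate feature (look at the archive as it is on disk, ignoring pending additions), and the bug is purely the missing "is there an on-disk view at all" check; the fix is a precondition, not a change to the lookup.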
Affected
102 ranges on the source listing, 25 shown; the shown rows collapse to the distinct entries below (rows carrying no version data omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libzip | < 0.10-1 (bookworm) | 0.10-1 (bookworm) |
| libzip | libzip | >= 0 < 0.10-1 | 0.10-1 |
| php | php | <= 5.3.5 | 5.3.6 |
CVSS provenance
nvd: v2.0 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
osv: 4.3 MEDIUM
vendor_redhat: 5.7 MEDIUM
vendor_ubuntu: 5.0 MEDIUM
vendor_debian: 4.3 LOW
GHSA
GHSA-h3v6-hj58-cx74 · ghsa_unreviewed · 2022-05-14 · CVE-2011-0421 [MEDIUM]
Same description as the NVD entry at the top of this page.
OSV
CVE-2011-0421 · osv · 2011-03-20 · CVSS 4.3 · [MEDIUM]
Same description as the NVD entry at the top of this page.
Red Hat (unrelated record: CVE-2011-2501 in libpng; it appears in this listing only because its title cites CVE-2004-0421)
libpng: regression of CVE-2004-0421 in 1.2.23+
vendor_redhat · 2011-06-07 · CVSS 5.0 · CVE-2011-2501 [MEDIUM]
The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.
Ubuntu
vendor_ubuntu · 2011-05-05 · CVSS 5.0 · CVE-2010-4697 [MEDIUM]
Title: PHP Regressions
Summary: USN 1126-1 introduced two regressions in PHP.
USN 1126-1 fixed several vulnerabilities in PHP. The fix for
CVE-2010-4697 introduced an incorrect reference counting regression
in the Zend engine that caused the PHP interpreter to segfault. This
regression affects Ubuntu 6.06 LTS and Ubuntu 8.04 LTS.
The fixes for CVE-2011-1072 and CVE-2011-1144 introduced a regression
in the PEAR installer that prevented it from creating its cache
directory and reporting errors correctly.
We apologize for the inconvenience.
Original advisory details:
Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for
PHP 5.3.5 allows local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. (CVE-2011-0441)
Raphael Geisert and Dan R
Ubuntu
vendor_ubuntu · 2011-04-29 · CVSS 5.0 · CVE-2011-0421 [MEDIUM]
Title: PHP vulnerabilities
Summary: Multiple vulnerabilities in PHP.
Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for
PHP 5.3.5 allows local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. (CVE-2011-0441)
Raphael Geisert and Dan Rosenberg discovered that the PEAR installer
allows local users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2) cache_dir,
(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
CVE-2011-1144)
Ben Schmidt discovered that a use-after-free vulnerability in the PHP
Zend engine could allow an attacker to cause a denial of service (heap
memory corruption) or possibly execute arbitrary code. (CVE-2010-4697)
Martin Barbella disco
Red Hat (unrelated record: CVE-2011-1478 in the Linux kernel; it appears in this listing only because its statement cites erratum RHSA-2011:0421)
kernel: gro: reset dev and skb_iff on skb reuse
vendor_redhat · 2011-02-02 · CVSS 5.7 · CVE-2011-1478 [MEDIUM]
The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not support Generic Receive Offload (GRO). It has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0429.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Package: kernel-rt (Red Hat Enterprise
Red Hat
php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
vendor_redhat · 2011-01-30 · CVSS 4.3 · CVE-2011-0421 [MEDIUM]
Same description as the NVD entry at the top of this page.
Package: php53 (Red Hat Enterprise Linux 5) - Affected
Package: libzip (Red Hat Enterprise Linux 6) - Affected
Package: php (Red Hat Enterprise Linux 6) - Affected
Debian
CVE-2011-0421: libzip
vendor_debian · 2011 · CVSS 4.3 · CVE-2011-0421 [MEDIUM]
Same description as the NVD entry at the top of this page.
Scope: local
bookworm: resolved (fixed in 0.10-1)
bullseye: resolved (fixed in 0.10-1)
forky: resolved (fixed in 0.10-1)
sid: resolved (fixed in 0.10-1)
trixie: resolved (fixed in 0.10-1)
Red Hat (unrelated record: CVE-2011-0695 in the Linux kernel; it appears in this listing only because its statement cites erratum RHSA-2011:0421)
kernel: panic in ib_cm:cm_work_handler
vendor_redhat · 2010-11-15 · CVSS 5.7 · CVE-2011-0695 [MEDIUM]
Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
Statement: This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currentl
No detection rules found.
Bugzilla (unrelated record: CVE-2011-2501 in libpng, matched on the CVE-2004-0421 reference in its title)
CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+ [epel-6]
bugzilla · 2011-06-29 · CVSS 5.0 · [MEDIUM]
epel-6 tracking bug for libpng10: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
mingw32-libpng-1.2.37-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-3.el6
---
libpng10-1.0.54-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/libpng10-1.0.54-3.el6
---
Package mingw32-libpng-1.2.37-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Bugzilla (unrelated record: CVE-2011-2501 in libpng, matched on the CVE-2004-0421 reference in its title)
CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+ [fedora-all]
bugzilla · 2011-06-29 · CVSS 5.0 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=717084
Please note: this issue affects multiple
Bugzilla (unrelated record: CVE-2011-2501 in libpng, matched on the CVE-2004-0421 reference in its title)
CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+ [epel-5]
bugzilla · 2011-06-29 · CVSS 5.0 · [MEDIUM]
epel-5 tracking bug for mingw32-libpng: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
mingw32-libpng-1.2.37-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-2.el5
---
mingw32-libpng-1.2.37-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-3.el6
---
Package mingw32-libpng-1.2.37-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirro
Bugzilla (unrelated record: CVE-2011-2501 in libpng, matched on the CVE-2004-0421 reference in its title)
CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
bugzilla · 2011-06-27 · CVSS 5.0 · [MEDIUM]
It was reported [1] that the fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle. The original flaw could be used to cause a denial of service via a carefully-crafted PNG image.
This would affect all versions of libpng >=1.2.23, including 1.4.x and 1.5.x.
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Discussion:
Upstream fix is here:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
---
This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16
---
Created libpng tracking bugs
Bugzilla
CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate() [fedora-all]
bugzilla · 2011-03-18 · CVSS 4.3 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=688735
Please note
Bugzilla
CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
bugzilla · 2011-03-17 · CVSS 4.3 · [MEDIUM]
It was reported that ZipArchive() would segfault when opening an empty archive with the FL_UNCHANGED flag set [1]. This is corrected in upstream PHP 5.3.6 [2],[3].
[1] http://bugs.php.net/bug.php?id=53885
[2] http://www.php.net/ChangeLog-5.php#5.3.6
[3] http://svn.php.net/viewvc/?view=revision&revision=307867
Discussion:
I don't believe this is something that would be exploitable under normal circumstances.
For one, the only reference I can find to this FL_UNCHANGED flag is in ZipArchive::getNameIndex():
http://php.net/manual/en/function.ziparchive-getnameindex.php
The reproducers noted in the bug use ZipArchive::locateName(), and FL_UNCHANGED is not a documented flag there:
http://php.net/man
Bugzilla (unrelated record: CVE-2011-0521 in the Linux kernel; it appears in this listing only because its discussion cites erratum RHSA-2011:0421)
CVE-2011-0521 kernel: av7110 negative array offset
bugzilla · 2011-01-25 · CVSS 7.2 · [HIGH]
info->num comes from the user. It's type int. If the user passes in a negative value that would cause memory corruption.
Upstream commit:
http://git.kernel.org/linus/cb26a24ee9706473f31d34cc259f4dcf45cd0644
Introduced in bd403b67 (v2.6.2-rc1).
Discussion:
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Via RHSA-2011:0263 https://rhn.redhat.com/errata/RHSA-2011-0263.html
---
This issue has been addressed in following products:
MRG for RHEL-5
Via RHSA-2011:0330 https://rhn.redhat.com/errata/RHSA-2011-0330.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html
---
This issue has been addressed
References
http://bugs.php.net/bug.php?id=53885
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
http://marc.info/?l=bugtraq&m=133469208622507&w=2
http://secunia.com/advisories/43621
http://securityreason.com/achievement_securityalert/96
http://securityreason.com/securityalert/8146
http://support.apple.com/kb/HT5002
http://svn.php.net/viewvc/?view=revision&revision=307867
http://www.debian.org/security/2011/dsa-2266
http://www.exploit-db.com/exploits/17004
http://www.mandriva.com/security/advisories?name=MDVSA-2011:052
http://www.mandriva.com/security/advisories?name=MDVSA-2011:053
http://www.mandriva.com/security/advisories?name=MDVSA-2011:099
http://www.php.net/ChangeLog-5.php
http://www.php.net/archive/2011.php
http://www.php.net/releases/5_3_6.php
http://www.securityfocus.com/archive/1/517065/100/0/threaded
http://www.securityfocus.com/bid/46354
http://www.vupen.com/english/advisories/2011/0744
http://www.vupen.com/english/advisories/2011/0764
http://www.vupen.com/english/advisories/2011/0890
https://bugzilla.redhat.com/show_bug.cgi?id=688735
https://exchange.xforce.ibmcloud.com/vulnerabilities/66173