main inclusion report for libzip

Bug #238883 reported by Jonathan Riddell
Affects | Status | Importance | Assigned to | Milestone
libzip (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Intrepid | Fix Released | Undecided | Jamie Strandboge |
Martin Pitt (pitti) wrote :

Since we had quite a few attacks with malicious ZIP files in the past, .zip files are ubiquitous, and we already have zlib1g and libarchive in main now, I'd like our security gurus to inspect the code first. Packaging etc. is fine.

Changed in libzip:
assignee: nobody → ubuntu-security
status: New → Incomplete
Jonathan Riddell (jr) wrote :

This has been blocking for long enough. Moved to main and set to beta milestone.

Changed in libzip:
milestone: none → ubuntu-8.10-beta
Samuel J Sarette (lunarcloud) wrote :

Without libzip, Ark will not open zip files.

http://bugs.kde.org/show_bug.cgi?id=166986

"Having a look at the output quickly showed the problem; libarchive is used, and not libzip, for opening the zip files. Libarchive is said to support zip files, but from what I read it's hackish and just readonly. Next, examining "dpkg -L ark-kde4" output reveals why this is so; kubuntu does not include the zip plugin it seems.

/usr/lib/kde4/share/kde4/services
/usr/lib/kde4/share/kde4/services/kerfuffle_bk.desktop
/usr/lib/kde4/share/kde4/services/kerfuffle_rar.desktop
/usr/lib/kde4/share/kde4/services/kerfuffle_libarchive.desktop

I did not try ark on kde 4.1.0, but I'm guessing that if they didn't compile with libzip back then they might have been reluctant to change this for 4.1.1 and therefore excluded the zip plugin. Just a guess though.

Either way it's a problem with the distro."

Martin Pitt (pitti) wrote :

Security team, can you please give this some shallow review? I still don't like this thing at all, TBH.

Jamie Strandboge (jdstrand) wrote :

Sorry for the delay on this. I'll be looking at it now and comment within the next couple days.

Changed in libzip:
assignee: ubuntu-security → jdstrand
Jamie Strandboge (jdstrand) wrote :

Summary: I'm comfortable recommending libzip for main

Discussion: While not an exhaustive review, I looked into:

no format string issues or warnings

There is use of strcpy(), but its use is verified as ok

It has some interesting use of umask(), but seems ok

There is what appears to be a potentially dodgy mkstemp implementation, but libzip doesn't compile it in on Ubuntu

I spent a bit of time in one function checking out if a static buffer could be overflowed and verified the signed math is safe, and all appears ok.

The above spot checks, along with the good security history and the new compiler hardening options on by default, lead me to believe libzip won't be too much trouble.

Changed in libzip:
status: Incomplete → Fix Released