From 51d66d1b98b249a6856cf359eb2a2755852a912b7cca4b00e2660ed43fd673c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 10:07:33 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main zziplib revision db0b37dabf4c949802589b47b00f169c
---
 .gitattributes | 23 ++
 CVE-2020-18770.patch | 26 ++
 baselibs.conf | 7 +
 bsc1154002-prevent-unnecessary-perror.patch | 13 +
 zziplib-0.13.62.patch | 12 +
 zziplib-0.13.72.tar.gz | 3 +
 zziplib.changes | 345 ++++++++++++++++++++
 zziplib.spec | 95 ++++++
 8 files changed, 524 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 CVE-2020-18770.patch
 create mode 100644 baselibs.conf
 create mode 100644 bsc1154002-prevent-unnecessary-perror.patch
 create mode 100644 zziplib-0.13.62.patch
 create mode 100644 zziplib-0.13.72.tar.gz
 create mode 100644 zziplib.changes
 create mode 100644 zziplib.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/CVE-2020-18770.patch b/CVE-2020-18770.patch
new file mode 100644
index 0000000..91210ac
--- /dev/null
+++ b/CVE-2020-18770.patch
@@ -0,0 +1,26 @@
+From 803f49aaae16b7f2899e4769afdfc673a21fa9e8 Mon Sep 17 00:00:00 2001
+From: Guido Draheim
+Date: Mon, 26 Feb 2024 23:17:12 +0100
+Subject: [PATCH] #69 assert full zzip_file_header
+
+---
+ zzip/mmapped.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/zzip/mmapped.c b/zzip/mmapped.c
+index 2071882..306ba51 100644
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -276,7 +276,8 @@ struct zzip_file_header *
+ zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
+ {
+ zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry);
+- if (disk->buffer > ptr || ptr >= disk->endbuf)
++ zzip_byte_t *const end = ptr + sizeof(struct zzip_file_header);
++ if (disk->buffer > ptr || end >= disk->endbuf || end <= NULL)
+ {
+ debug2("file header: offset out of bounds (0x%llx)", (long long unsigned)(disk->buffer));
+ errno = EBADMSG;
+--
+2.35.3
+
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..13a4466
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,7 @@
+# Obsoletes added in 0.13.58; change to "<" starting with 0.13.59
+libzzip-0-13
+ obsoletes "zziplib- <= "
+ provides "zziplib- = "
+zziplib-devel
+ requires -zziplib-
+ requires "libzzip-0-13- = "
diff --git a/bsc1154002-prevent-unnecessary-perror.patch b/bsc1154002-prevent-unnecessary-perror.patch
new file mode 100644
index 0000000..5803c9a
--- /dev/null
+++ b/bsc1154002-prevent-unnecessary-perror.patch
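Review bot: In CVE-2020-18770.patch, the new guard in zzip_disk_entry_to_file_header forms `ptr` and `end` by pointer addition before anything has been range-checked, so for an offset beyond `disk->endbuf` the arithmetic is already undefined behaviour and an optimising compiler is entitled to drop the comparisons. The added `end <= NULL` is a relational comparison against a null pointer, which C does not define either, so it cannot be relied on to catch wrap-around. Checking the offset as an integer against the mapped length avoids both: `size_t len = disk->endbuf - disk->buffer;` followed by `if (off > len || len - off < sizeof(struct zzip_file_header))`, where `off` holds the result of zzip_disk_entry_fileoffset(entry) (its type is not visible in this hunk). The debug2 call in the error branch prints `disk->buffer` rather than the rejected offset, which makes a rejected archive harder to triage from logs. The function body continues outside the hunk.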
@@ -0,0 +1,13 @@
+Index: zziplib-0.13.69/bins/unzip-mem.c
+===================================================================
+--- zziplib-0.13.69.orig/bins/unzip-mem.c
++++ zziplib-0.13.69/bins/unzip-mem.c
+@@ -92,7 +92,7 @@ static void zzip_mem_entry_make(ZZIP_MEM
+ ZZIP_MEM_ENTRY* entry)
+ {
+ FILE* file = fopen (entry->zz_name, "wb");
+- if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); }
++ if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); return; }
+ perror (entry->zz_name);
+ if (status < EXIT_WARNINGS) status = EXIT_WARNINGS;
+ }
diff --git a/zziplib-0.13.62.patch b/zziplib-0.13.62.patch
new file mode 100644
index 0000000..7ce7618
--- /dev/null
+++ b/zziplib-0.13.62.patch
@@ -0,0 +1,12 @@
+Index: zziplib/m4/ax_cflags_no_writable_strings.m4
+===================================================================
+--- zziplib/m4/ax_cflags_no_writable_strings.m4
++++ zziplib-new/m4/ax_cflags_no_writable_strings.m4
+@@ -40,6 +40,7 @@ VAR,[VAR="no, unknown"
+ for ac_arg dnl
+ in "-pedantic % -fno-writable-strings -Wwrite-strings" dnl GCC
+ "-pedantic % -fconst-strings -Wwrite-strings" dnl newer GCC
++ "-Wall % -Wwrite-strings" dnl GCC4.1+
+ "-v -Xc % -xstrconst" dnl Solaris C - strings go into readonly segment
+ "+w1 -Aa % +ESlit" dnl HP-UX C - strings go into readonly segment
+ "-w0 -std1 % -readonly_strings" dnl Digital Unix - again readonly segment
diff --git a/zziplib-0.13.72.tar.gz b/zziplib-0.13.72.tar.gz
new file mode 100644
index 0000000..a88f573
--- /dev/null
+++ b/zziplib-0.13.72.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93ef44bf1f1ea24fc66080426a469df82fa631d13ca3b2e4abaeab89538518dc
+size 1162175
diff --git a/zziplib.changes b/zziplib.changes
new file mode 100644
index 0000000..42143a7
--- /dev/null
+++ b/zziplib.changes
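Review bot: In bsc1154002-prevent-unnecessary-perror.patch, the added `return;` treats any successful fopen() as a successful extraction: the results of zzip_mem_entry_pipe() and fclose() are both discarded, so a short write or a failed flush (full disk, quota) leaves a truncated file while `status` stays clean. Returning only when the close succeeded, `if (fclose (file) == 0) return;`, lets the existing perror/EXIT_WARNINGS path report the failure. Separately, `entry->zz_name` reaches fopen() unchanged in the visible lines; if that name is taken directly from the archive it should be validated before the open, but whether that happens elsewhere cannot be seen from this hunk.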
@@ -0,0 +1,345 @@ +------------------------------------------------------------------- +Tue Feb 27 16:51:12 UTC 2024 - Valentin Lefebvre + +- assert full zzip_file_header. + [bsc#1214577, CVE-2020-18770, CVE-2020-18770.patch] +- Use autosetup + +------------------------------------------------------------------- +Sun Feb 7 23:10:28 UTC 2021 - Dirk Müller + +- update to 0.13.72: + * The testbuilds were fixed to make cmake install and automake install the same + * The cmake install did need patches for man3 installation on Unix + * The cmake install did need patches for dll installation on Windows + * The cmake install did need patches for dylib installation on MacOS + * The cmake install did need patches for pkgconfig generation + * Bump testbuilds to modern distro versions (ubuntu 20.04 centos 7.9 / 8.3) + * Takeover docker_mirror.py for air-gap testings (for testbuilds.py) + * handle UNZZIP-NOTFOUND in cmake and mark Ubuntu 'unzip' to be broken + * merge patches for zzip_pread feature from Max Kellermann + * merge patches for some bugs being found and reported via GitHub issues + * run azure-pipelines with -DZZIP_TESTCVE=OFF to skip CVE *.zip downloads + * use zziptests.py --downloadonly to get the CVE zip files for local storage + * switch to cmake build system +- remove zziplib-0.13.62-wronglinking.patch zziplib-largefile.patch: + obsolete with switch to cmake + +------------------------------------------------------------------- +Tue Apr 28 06:21:51 UTC 2020 - Paolo Stivanin + +- Update to 0.13.71: + * testbuilds fixes + * fixes to bring base, sdl, manpages and site docs to same level + +------------------------------------------------------------------- +Tue Apr 14 08:28:53 UTC 2020 - Josef Möllers + +- Update to 1.13.70: + * there have been tons of bugfixes over the last two years ... 
+ * Thanks go to Patrick Steinhardt (then at Aservo) for python3 updates + * Thanks go to Josef Moellers (working at SUSE Labs) for many CVE fixes + * and of course all the other patches that came in via github issues. + * I have cleaned up sources to only uses Python3 (as needed by 2020). + * !!! The old automake/autconf/libtool system will be dumped soon!!! + * The build system was ported to 'cmake' .. (last tested cmake 3.10.2) + Obsoletes patches + - CVE-2018-7726.patch + - CVE-2018-7725.patch + - CVE-2018-16548.patch + - CVE-2018-17828.patch + - bsc1129403-prevent-division-by-zero.patch + [zziplib-0.13.70.tar.gz, CVE-2018-7726.patch, CVE-2018-7725.patch, + CVE-2018-16548.patch, CVE-2018-17828.patch, + bsc1129403-prevent-division-by-zero.patch] + +------------------------------------------------------------------- +Mon Feb 24 15:08:13 UTC 2020 - Josef Möllers + +- Corrected control flow in zzip_mem_entry_make() to + gain correct exit status. + [bsc#1154002, bsc1154002-prevent-unnecessary-perror.patch] + +------------------------------------------------------------------- +Fri Dec 13 12:28:30 UTC 2019 - Josef Möllers + +- Make an unconditional error message conditional by checking + the return value of a function call. + Also removed an unwanted debug output. + [bsc#154002, bsc1154002-prevent-unnecessary-perror.patch, + CVE-2018-7725.patch] + +------------------------------------------------------------------- +Thu Oct 17 09:30:20 UTC 2019 - Josef Möllers + +- Fixed another instance where division by 0 may occur. + [bsc#1129403, bsc1129403-prevent-division-by-zero.patch] + +------------------------------------------------------------------- +Thu Jun 13 06:39:36 UTC 2019 - josef.moellers@suse.com + +- Prevent division by zero by first checking if uncompressed size + is 0. This may happen with directories which have a compressed + and uncompressed size of 0. 
+ [bsc#1129403, bsc1129403-prevent-division-by-zero.patch] + +------------------------------------------------------------------- +Thu Oct 4 08:14:00 UTC 2018 - josef.moellers@suse.com + +- Remove any "../" components from pathnames of extracted files. + [bsc#1110687, CVE-2018-17828, CVE-2018-17828.patch] + +------------------------------------------------------------------- +Fri Sep 7 11:51:45 UTC 2018 - josef.moellers@suse.com + +- Avoid memory leak from __zzip_parse_root_directory(). + Free allocated structure if its address is not passed back. + [bsc#1107424, CVE-2018-16548, CVE-2018-16548.patch] + +------------------------------------------------------------------- +Mon Mar 19 13:57:10 UTC 2018 - josef.moellers@suse.com + +- Check if data from End of central directory record makes sense. + Especially the Offset of start of central directory must not + a) be negative or + b) point behind the end-of-file. +- Check if compressed size in Central directory file header + makes sense, i.e. the file's data does not extend beyond the + end of the file. + [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch, + bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch] + +------------------------------------------------------------------- +Sat Mar 17 18:53:19 UTC 2018 - avindra@opensuse.org + +- Update to 0.13.69: + * fix a number of CVEs reported with special *.zip PoC files + * completing some doc strings while checking the new man-pages to + look good + * update refs to point to github instead of sf.net + * man-pages are generated with new dbk2man.py - docbook xmlto is + optional now + * a zip-program is still required for testing, but some errors + are gone when not present +- run spec-cleaner +- don't ship Windows only file, README.MSVC6 + +------------------------------------------------------------------- +Mon Feb 19 12:55:26 UTC 2018 - adam.majer@suse.de + +- Drop BR: fdupes since it does nothing. 
+ +------------------------------------------------------------------- +Mon Feb 19 11:30:47 UTC 2018 - jengelh@inai.de + +- Fix RPM groups. Remove ineffective --with-pic. + Trim redundancies from description. + Do not let fdupes run across partitions. + +------------------------------------------------------------------- +Sun Feb 18 03:25:53 UTC 2018 - avindra@opensuse.org + +- Update to 0.13.68: + * fix a number of CVEs reported with special *.zip files + * minor doc updates referencing GitHub instead of sf.net +- drop CVE-2018-6381.patch + * merged in a803559fa9194be895422ba3684cf6309b6bb598 +- drop CVE-2018-6484.patch + * merged in 0c0c9256b0903f664bca25dd8d924211f81e01d3 +- drop CVE-2018-6540.patch + * merged in 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7 +- drop CVE-2018-6542.patch + * merged in 938011cd60f5a8a2a16a49e5f317aca640cf4110 + +------------------------------------------------------------------- +Wed Feb 14 13:36:43 UTC 2018 - josef.moellers@suse.com + +- Changed %license to %doc in SPEC file. + +------------------------------------------------------------------- +Mon Feb 12 16:14:31 UTC 2018 - josef.moellers@suse.com + +- If the size of the central directory is too big, reject + the file. + Then, if loading the ZIP file fails, display an error message. + [CVE-2018-6542.patch, CVE-2018-6542, bsc#1079094] + +------------------------------------------------------------------- +Tue Feb 6 14:55:03 UTC 2018 - josef.moellers@suse.com + +- If an extension block is too small to hold an extension, + do not use the information therein. +- If the End of central directory record (EOCD) contains an + Offset of start of central directory which is beyond the end of + the file, reject the file. 
+ [CVE-2018-6540, bsc#1079096, CVE-2018-6540.patch] + +------------------------------------------------------------------- +Fri Feb 2 09:31:49 UTC 2018 - josef.moellers@suse.com + +- Reject the ZIP file and report it as corrupt if the size of the + central directory and/or the offset of start of central directory + point beyond the end of the ZIP file. + [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch] + +------------------------------------------------------------------- +Thu Feb 1 10:49:56 UTC 2018 - josef.moellers@suse.com + +- If a file is uncompressed, compressed and uncompressed sizes + should be identical. + [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch] + +------------------------------------------------------------------- +Tue Jan 23 20:18:19 UTC 2018 - tchvatal@suse.com + +- Drop tests as they fail completely anyway, not finding lib needing + zip command, this should allow us to kill python dependency +- Also drop docs subdir avoiding python dependency for it + * The generated xmls were used for mans too but we shipped those + only in devel pkg and as such we will live without them + +------------------------------------------------------------------- +Tue Jan 23 20:03:01 UTC 2018 - tchvatal@suse.com + +- Version update to 0.13.67: + * Various fixes found by fuzzing + * Merged bellow patches +- Remove merged patches: + * zziplib-CVE-2017-5974.patch + * zziplib-CVE-2017-5975.patch + * zziplib-CVE-2017-5976.patch + * zziplib-CVE-2017-5978.patch + * zziplib-CVE-2017-5979.patch + * zziplib-CVE-2017-5981.patch +- Switch to github tarball as upstream seem no longer pull it to + sourceforge +- Remove no longer applying patch zziplib-unzipcat-NULL-name.patch + * The sourcecode was quite changed for this to work this way + anymore, lets hope this is fixed too + +------------------------------------------------------------------- +Wed Nov 1 12:37:02 UTC 2017 - mpluskal@suse.com + +- Packaking changes: + * Depend on python2 explicitly + * Cleanup with 
spec-cleaner + +------------------------------------------------------------------- +Thu Mar 23 13:32:03 UTC 2017 - josef.moellers@suse.com + +- Several bugs fixed: + * heap-based buffer overflows + (bsc#1024517, CVE-2017-5974, zziplib-CVE-2017-5974.patch) + * check if "relative offset of local header" in "central + directory header" really points to a local header + (ZZIP_FILE_HEADER_MAGIC) + (bsc#1024528, CVE-2017-5975, zziplib-CVE-2017-5975.patch) + * protect against bad formatted data in extra blocks + (bsc#1024531, CVE-2017-5976, zziplib-CVE-2017-5976.patch) + * NULL pointer dereference in main (unzzipcat-mem.c) + (bsc#1024532, bsc#1024536, CVE-2017-5975, + zziplib-CVE-2017-5975.patch) + * protect against huge values of "extra field length" + in local file header and central file header + (bsc#1024533, CVE-2017-5978, zziplib-CVE-2017-5978.patch) + * clear ZZIP_ENTRY record before use. + (bsc#1024534, bsc#1024535, CVE-2017-5979, CVE-2017-5977, + zziplib-CVE-2017-5979.patch) + * prevent unzzipcat.c from trying to print a NULL name + (bsc#1024537, zziplib-unzipcat-NULL-name.patch) + * Replace assert() by going to error exit. + (bsc#1034539, CVE-2017-5981, zziplib-CVE-2017-5981.patch) + +------------------------------------------------------------------- +Sat Mar 16 21:37:21 UTC 2013 - schwab@linux-m68k.org + +- zziplib-largefile.patch: Enable largefile support +- Enable debug information + +------------------------------------------------------------------- +Sat Dec 15 18:36:24 UTC 2012 - p.drouand@gmail.com + +- Update to 0.13.62 version: + * configure.ac: fallback to libtool -export-dynamic unless being sure to + use gnu-ld --export-dynamic. The darwin case is a bit special here + as the c-compiler and linker might be from different worlds. 
+ * Makefile.am: allow nonstaic build + * wrap fd.open like in the Fedora patch +- Remove the package name on summary +- Add dos2unix as build dependencie to fix a wrong file encoding + +------------------------------------------------------------------- +Sat Nov 19 15:38:23 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Fri Sep 16 16:02:33 UTC 2011 - jengelh@medozas.de + +- Implement shlib policy/packaging for package, add baselibs.conf + and resolve redundant constructs + +------------------------------------------------------------------- +Sat Apr 30 15:22:39 UTC 2011 - crrodriguez@opensuse.org + +- Fix build with gcc 4.6 + +------------------------------------------------------------------- +Mon Feb 15 16:43:03 CET 2010 - dimstar@opensuse.org + +- Update to version 0.13.58: + + Some bugs fixed, see ChangeLog + +------------------------------------------------------------------- +Mon Jul 27 16:24:06 CEST 2009 - coolo@novell.com + +- update to version 0.13.56 - fixes many smaller issues + (see Changelog) + +------------------------------------------------------------------- +Wed Jun 17 10:05:23 CEST 2009 - coolo@novell.com + +- fix build with automake 1.11 + +------------------------------------------------------------------- +Mon Jan 26 20:39:14 CET 2009 - crrodriguez@suse.de + +- remove "la" files + +------------------------------------------------------------------- +Fri Oct 24 12:32:13 CEST 2008 - wgottwalt@suse.de + +- removed ./msvc7/pkzip.exe and ./msvc8/zip.exe to avoid license + problems + +------------------------------------------------------------------- +Wed Aug 15 05:35:45 CEST 2007 - crrodriguez@suse.de + +- update to version 0.13.49 fixes #260734 buffer overflow + due to wrong usage of strcpy() + +------------------------------------------------------------------- +Thu Mar 29 20:59:38 CEST 2007 - dmueller@suse.de + +- adjust 
buildrequires + +------------------------------------------------------------------- +Mon Dec 4 15:10:35 CET 2006 - dmueller@suse.de + +- don't build as root + +------------------------------------------------------------------- +Tue Oct 3 11:24:24 CEST 2006 - aj@suse.de + +- Fix build. + +------------------------------------------------------------------- +Fri Aug 18 08:15:46 CEST 2006 - aj@suse.de + +- Fix build. + +------------------------------------------------------------------- +Mon May 22 13:53:45 CEST 2006 - wgottwalt@suse.de + +- initial release +- still problems with the "make check" build option diff --git a/zziplib.spec b/zziplib.spec new file mode 100644 index 0000000..cd98668 --- /dev/null +++ b/zziplib.spec 
@@ -0,0 +1,95 @@
+#
+# spec file for package zziplib
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define lname libzzip-0-13
+Name: zziplib
+Version: 0.13.72
+Release: 0
+Summary: ZIP Compression Library
+License: LGPL-2.1-or-later
+Group: Development/Libraries/C and C++
+URL: http://zziplib.sourceforge.net
+Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source2: baselibs.conf
+Patch0: zziplib-0.13.62.patch
+Patch1: bsc1154002-prevent-unnecessary-perror.patch
+Patch2: CVE-2020-18770.patch
+BuildRequires: cmake
+BuildRequires: pkgconfig
+BuildRequires: xmlto
+BuildRequires: zip
+BuildRequires: pkgconfig(zlib)
+
+%description
+ZZipLib is a library for dealing with ZIP and ZIP-like archives by
+using algorithms of zlib.
+
+%package -n %{lname}
+Summary: ZIP compression library
+Group: System/Libraries
+Obsoletes: zziplib < %{version}-%{release}
+Provides: zziplib = %{version}-%{release}
+
+%description -n %{lname}
+ZZipLib is a library for dealing with ZIP and ZIP-like archives by
+using algorithms of zlib.
+
+%package devel
+Summary: Development files for zziplib, a ZIP compression library
+Group: Development/Libraries/C and C++
+Requires: %{lname} = %{version}
+Requires: pkgconfig(zlib)
+
+%description devel
+That are the header files needed for developing applications using
+ZZipLib.
+
+%prep
+%autosetup -p1
+# do not bother with html docs saving us python2 dependency
+sed -i -e 's:docs ::g' Makefile.am
+
+%build
+%cmake -DZZIP_TESTCVE=OFF
+%cmake_build
+
+%install
+%cmake_install
+rm -f docs/Make* docs/zziplib-manpages.ar
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%post -n %{lname} -p /sbin/ldconfig
+%postun -n %{lname} -p /sbin/ldconfig
+
+%files -n %{lname}
+%license COPYING.LIB
+%{_libdir}/libzzip*.so.*
+
+%files devel
+%doc docs/README.SDL ChangeLog README TODO
+%{_bindir}/unzzip*
+%{_bindir}/zz*
+%{_bindir}/unzip-mem
+%{_libdir}/libzzip*.so
+%{_includedir}/*
+%{_libdir}/pkgconfig/*.pc
+%{_datadir}/aclocal/*.m4
+%{_mandir}/man3/__zzip_*.3%{?ext_man}
+%{_mandir}/man3/zzip_*.3%{?ext_man}
+
+%changelog
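Review bot: The spec applies three patches, including CVE-2020-18770.patch, but defines no `%check` section, and `%build` passes `-DZZIP_TESTCVE=OFF`, so nothing in the package build exercises the patched bounds check. A `%check` stage that runs the upstream test target against the freshly built library (leaving out the CVE sample downloads, which need network access) would catch a security patch that still applies but no longer has its intended effect after a version bump. The `sed` on Makefile.am in `%prep` looks like a leftover from the automake build now that `%cmake` drives the build; it is worth confirming that it still does anything.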