Accepting request 968010 from Base:System

- update to 1.12 (CVE-2022-1271,bsc#1198062):
  * 'gzip -l' no longer misreports file lengths 4 GiB and larger.
    Previously, 'gzip -l' output the 32-bit value stored in the gzip
    header even though that is the uncompressed length modulo 2**32.
    Now, 'gzip -l' calculates the uncompressed length by decompressing
    the data and counting the resulting bytes.  Although this can take
    much more time, nowadays the correctness pros seem to outweigh the
    performance cons.
  * 'zless' is no longer installed on platforms lacking 'less'.
  * zgrep applied to a crafted file name with two or more newlines
    can no longer overwrite an arbitrary, attacker-selected file.
    [bug introduced in gzip-1.3.10]
  * zgrep now names input file on error instead of mislabeling it as
    "(standard input)", if grep supports the GNU -H and --label options.
  * 'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
  * Configure-time options like --program-prefix now work.
- refresh zdiff.diff, zgrep.diff, zmore.diff

OBS-URL: https://build.opensuse.org/request/show/968010
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gzip?expand=0&rev=60
Dominique Leuenberger 2022-04-11 21:46:33 +00:00 committed by Git OBS Bridge
commit ed92f488b6
12 changed files with 75 additions and 54 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907
size 804096


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=JDS7
-----END PGP SIGNATURE-----

gzip-1.12.tar.xz

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956
size 825548

gzip-1.12.tar.xz.sig

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=+aUu
-----END PGP SIGNATURE-----


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Sat Apr 9 11:45:49 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 1.12 (CVE-2022-1271,bsc#1198062):
* 'gzip -l' no longer misreports file lengths 4 GiB and larger.
Previously, 'gzip -l' output the 32-bit value stored in the gzip
header even though that is the uncompressed length modulo 2**32.
Now, 'gzip -l' calculates the uncompressed length by decompressing
the data and counting the resulting bytes. Although this can take
much more time, nowadays the correctness pros seem to outweigh the
performance cons.
* 'zless' is no longer installed on platforms lacking 'less'.
* zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.
[bug introduced in gzip-1.3.10]
* zgrep now names input file on error instead of mislabeling it as
"(standard input)", if grep supports the GNU -H and --label options.
* 'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
* Configure-time options like --program-prefix now work.
- refresh zdiff.diff, zgrep.diff, zmore.diff
-------------------------------------------------------------------
Sun Jan 30 23:02:42 UTC 2022 - Dirk Müller <dmueller@suse.com>
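Review bot: CVE-2022-1271 and bsc#1198062 appear only on the "update to 1.12" line, so the entry does not say which of the listed items is the security fix. Consider repeating the CVE id on the zgrep item ("can no longer overwrite an arbitrary, attacker-selected file"), which is the change the identifier refers to, so that anyone scanning the changelog for the fix finds it directly.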


@ -18,7 +18,7 @@
%define _buildshell /bin/bash
Name: gzip
Version: 1.11
Version: 1.12
Release: 0
Summary: GNU Zip Compression Utilities
License: GPL-3.0-or-later


@ -1,7 +1,7 @@
Index: gzip-1.9/doc/gzip.texi
Index: gzip-1.12/doc/gzip.texi
===================================================================
--- gzip-1.9.orig/doc/gzip.texi
+++ gzip-1.9/doc/gzip.texi
--- gzip-1.12.orig/doc/gzip.texi
+++ gzip-1.12/doc/gzip.texi
@@ -9,7 +9,7 @@
@c %**end of header
@copying
@ -10,7 +10,7 @@ Index: gzip-1.9/doc/gzip.texi
+(version @value{VERSION}),
and documents commands for compressing and decompressing data.
Copyright @copyright{} 1998--1999, 2001--2002, 2006--2007, 2009--2021 Free
Copyright @copyright{} 1998--1999, 2001--2002, 2006--2007, 2009--2022 Free
@@ -47,7 +47,6 @@ Free Documentation License''.
@title GNU gzip
@subtitle The data compression program


@ -2,7 +2,7 @@ Index: lib/match.c
===================================================================
--- lib/match.c.orig
+++ lib/match.c
@@ -770,3 +770,4 @@ match_init:
@@ -772,3 +772,4 @@ match_init:
# endif /* __ia64__ */
#endif /* mc68000 || mc68020 */
#endif /* i386 || _I386 */


@ -1,8 +1,8 @@
Index: gzip-1.5/zgrep.1
Index: gzip-1.12/zgrep.1
===================================================================
--- gzip-1.5.orig/zgrep.1
+++ gzip-1.5/zgrep.1
@@ -10,7 +10,7 @@ zgrep \- search possibly compressed file
--- gzip-1.12.orig/zgrep.1
+++ gzip-1.12/zgrep.1
@@ -11,7 +11,7 @@ The
.B zgrep
command invokes
.B grep
@ -11,11 +11,11 @@ Index: gzip-1.5/zgrep.1
All options specified are passed directly to
.BR grep .
If no file is specified, then the standard input is decompressed
Index: gzip-1.5/zgrep.in
Index: gzip-1.12/zgrep.in
===================================================================
--- gzip-1.5.orig/zgrep.in
+++ gzip-1.5/zgrep.in
@@ -178,6 +178,12 @@ do
--- gzip-1.12.orig/zgrep.in
+++ gzip-1.12/zgrep.in
@@ -215,6 +215,12 @@ do
*.bz2)
uncompress=bzip2
;;


@ -1,17 +1,17 @@
Index: zdiff.in
===================================================================
--- zdiff.in.orig 2012-01-01 09:53:58.000000000 +0100
+++ zdiff.in 2012-10-16 13:40:46.854905141 +0200
@@ -105,9 +105,9 @@ elif test $# -eq 2; then
--- zdiff.in.orig
+++ zdiff.in
@@ -133,9 +133,9 @@ case $file2 in
5<&0
then
gzip_status=$(
- exec 4>&1
- (gzip -cdfq -- "$1" 4>&-; echo $? >&4) 3>&- |
- ( (gzip -cdfq -- "$2" 4>&-; echo $? >&4) 3>&- 5<&- </dev/null |
+ exec 4>&1 6<&0
+ (gzip -cdfq -- "$1" 4>&-; echo $? >&4) 3>&- 6<&- |
+ ( (gzip -cdfq -- "$2" 4>&- 0<&6 6<&-; echo $? >&4) 3>&- 5<&- </dev/null |
- ('gzip' -cdfq -- "$file1" 4>&-; echo $? >&4) 3>&- |
- (('gzip' -cdfq -- "$file2" 4>&-
+ exec 4>&1 6<&0
+ ('gzip' -cdfq -- "$file1" 4>&-; echo $? >&4) 3>&- 6<&- |
+ (('gzip' -cdfq -- "$file2" 4>&- 0<&6 6<&-
echo $? >&4) 3>&- 5<&- </dev/null |
eval "$cmp" /dev/fd/5 - >&3) 5<&0
)
cmp_status=$?
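Review bot: fd 6 is closed with `6<&-` in both gzip stages but not on the `eval "$cmp" /dev/fd/5 - >&3` stage, so the comparison program still inherits the saved copy of stdin. Add `6<&-` to that stage as well. The refreshed patch also goes from `Index: zdiff.in` straight to the hunk with no description; a short header line saying why stdin is duplicated onto fd 6 would make the next refresh easier to check.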


@ -1,12 +1,12 @@
Index: zgrep.in
===================================================================
--- zgrep.in.orig 2012-01-01 09:53:58.000000000 +0100
+++ zgrep.in 2012-10-16 13:22:26.304769138 +0200
@@ -174,10 +174,18 @@ res=0
--- zgrep.in.orig
+++ zgrep.in
@@ -211,10 +211,18 @@ res=1
for i
do
+ case $i in
+ case "$i" in
+ *.bz2)
+ uncompress=bzip2
+ ;;
@ -17,8 +17,8 @@ Index: zgrep.in
# Fail if gzip or grep (or sed) fails.
gzip_status=$(
exec 5>&1
- (gzip -cdfq -- "$i" 5>&-; echo $? >&5) 3>&- |
- ('gzip' -cdfq -- "$i" 5>&-; echo $? >&5) 3>&- |
+ ($uncompress -cdfq -- "$i" 5>&-; echo $? >&5) 3>&- |
if test $files_with_matches -eq 1; then
eval "$grep" >/dev/null && { printf '%s\n' "$i" || exit 2; }
eval "$grep$args" >/dev/null && { printf '%s\n' "$i" || exit 2; }
elif test $files_without_matches -eq 1; then
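Review bot: `$uncompress` is expanded unquoted on the line that replaces `'gzip' -cdfq -- "$i"`, while the upstream line it replaces quotes the command name. Write it as `"$uncompress"` so the refreshed line matches the quoting discipline of the surrounding code. The visible lines show only the `*.bz2)` arm of the `case "$i" in`, so please also confirm that the case assigns `uncompress` on every loop iteration; otherwise a `.bz2` operand would leave bzip2 selected for the operands that follow it. The `--` before `"$i"` is kept, which is right for operands whose names start with a dash.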


@ -2,11 +2,11 @@
zmore.in | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
Index: gzip-1.6/zmore.in
Index: gzip-1.12/zmore.in
===================================================================
--- gzip-1.6.orig/zmore.in
+++ gzip-1.6/zmore.in
@@ -44,6 +44,29 @@ case $1 in
--- gzip-1.12.orig/zmore.in
+++ gzip-1.12/zmore.in
@@ -38,6 +38,29 @@ case $1 in
exit 1;;
esac
@ -36,9 +36,9 @@ Index: gzip-1.6/zmore.in
if test $# = 0; then
if test -t 0; then
printf >&2 '%s\n' "$0: missing operands; try '$0 --help' for help"
@@ -57,4 +80,4 @@ do
@@ -51,4 +74,4 @@ do
test $# -lt 2 ||
printf '::::::::::::::\n%s\n::::::::::::::\n' "$FILE" || break
gzip -cdfq -- "$FILE"
'gzip' -cdfq -- "$FILE"
-done 2>&1 | eval ${PAGER-more}
+done 2>&1 | pager
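Review bot: the loop output on the last line now goes to `pager`, whose definition is not among the visible lines. After the hunk moved from `@@ -44,6 +44,29 @@` to `@@ -38,6 +38,29 @@`, check that the added block still defines `pager` ahead of this loop, and that it still honours `$PAGER` as the removed `eval ${PAGER-more}` did. If the definition were lost in a refresh, the shell would resolve `pager` from PATH instead, which changes behaviour silently.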