pool/zziplib
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 795502 from devel:libraries:c_c++

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/795502
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zziplib?expand=0&rev=37
This commit is contained in:
Dominique Leuenberger 2020-04-25 18:06:49 +00:00 committed by Git OBS Bridge
commit 136b02aa3a
9 changed files with 27 additions and 561 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
CVE-2018-16548.patch
View File

@ -1,41 +0,0 @@
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
@@ -477,9 +477,15 @@ __zzip_parse_root_directory(int fd,
} else
{
if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+ {
+ free(hdr0);
return ZZIP_DIR_SEEK;
+ }
if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+ {
+ free(hdr0);
return ZZIP_DIR_READ;
+ }
d = &dirent;
}
@@ -579,11 +585,18 @@ __zzip_parse_root_directory(int fd,
if (hdr_return)
*hdr_return = hdr0;
+ else
+ {
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
+ free(hdr0);
+ }
} /* else zero (sane) entries */
+ else
+ free(hdr0);
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
# else
- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
# endif
}

328
CVE-2018-17828.patch
View File

@ -1,328 +0,0 @@
Index: zziplib-0.13.69/bins/unzzipcat-mem.c
===================================================================
--- zziplib-0.13.69.orig/bins/unzzipcat-mem.c
+++ zziplib-0.13.69/bins/unzzipcat-mem.c
@@ -58,6 +58,48 @@ static void unzzip_mem_disk_cat_file(ZZI
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -75,6 +117,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -84,7 +136,10 @@ static FILE* create_fopen(char* name, ch
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)
Index: zziplib-0.13.69/bins/unzzipcat-big.c
===================================================================
--- zziplib-0.13.69.orig/bins/unzzipcat-big.c
+++ zziplib-0.13.69/bins/unzzipcat-big.c
@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk,
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -70,6 +112,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, ch
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
Index: zziplib-0.13.69/bins/unzzipcat-mix.c
===================================================================
--- zziplib-0.13.69.orig/bins/unzzipcat-mix.c
+++ zziplib-0.13.69/bins/unzzipcat-mix.c
@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* di
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -86,6 +128,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, ch
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)
Index: zziplib-0.13.69/bins/unzzipcat-zip.c
===================================================================
--- zziplib-0.13.69.orig/bins/unzzipcat-zip.c
+++ zziplib-0.13.69/bins/unzzipcat-zip.c
@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* di
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -86,6 +128,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, ch
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)

40
CVE-2018-7725.patch
View File

@ -1,40 +0,0 @@
Index: zziplib-0.13.69/zzip/memdisk.c
===================================================================
--- zziplib-0.13.69.orig/zzip/memdisk.c
+++ zziplib-0.13.69/zzip/memdisk.c
@@ -222,6 +222,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
item->zz_filetype = zzip_disk_entry_get_filetype(entry);
/*
+ * If zz_data+zz_csize exceeds the size of the file, bail out
+ */
+ if ((item->zz_data + item->zz_csize) < disk->buffer ||
+ (item->zz_data + item->zz_csize) >= disk->endbuf)
+ {
+ goto error;
+ }
+ /*
* If the file is uncompressed, zz_csize and zz_usize should be the same
* If they are not, we cannot guarantee that either is correct, so ...
*/
@@ -521,7 +529,6 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir
file->zlib.avail_in = zzip_mem_entry_csize(entry);
file->zlib.next_in = zzip_mem_entry_to_data(entry);
- debug2("compressed size %i", (int) file->zlib.avail_in);
if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
goto error;
if (file->zlib.next_in < file->buffer)
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
@@ -408,7 +408,7 @@ __zzip_parse_root_directory(int fd,
struct _disk_trailer *trailer,
struct zzip_dir_hdr **hdr_return,
zzip_plugin_io_t io,
- zzip_off_t filesize);
+ zzip_off_t filesize)
{
auto struct zzip_disk_entry dirent;
struct zzip_dir_hdr *hdr;

67
CVE-2018-7726.patch
View File

@ -1,67 +0,0 @@
Index: zziplib-0.13.69/docs/zziplib.html
===================================================================
--- zziplib-0.13.69.orig/docs/zziplib.html
+++ zziplib-0.13.69/docs/zziplib.html
@@ -415,7 +415,8 @@ generated 2003-12-12
<code>(<nobr>int fd</nobr>,
<nobr>struct zzip_disk_trailer * trailer</nobr>,
<nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
</td></tr><tr valign="top">
<td valign="top"><code>ZZIP_DIR*
@@ -1091,7 +1092,8 @@ generated 2003-12-12
<code>(<nobr>int fd</nobr>,
<nobr>struct zzip_disk_trailer * trailer</nobr>,
<nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
</code></code><dt>
<dd><p> &nbsp;(../zzip/zip.c)
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
int __zzip_parse_root_directory(int fd,
struct _disk_trailer *trailer,
struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io);
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
_zzip_inline static char *__zzip_aligned4(char *p);
@@ -406,7 +407,8 @@ int
__zzip_parse_root_directory(int fd,
struct _disk_trailer *trailer,
struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io)
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
{
auto struct zzip_disk_entry dirent;
struct zzip_dir_hdr *hdr;
@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
__correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
+ return ZZIP_CORRUPTED;
+
if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
return ZZIP_CORRUPTED;
@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
(long) _disk_trailer_rootseek(&trailer));
if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
- dir->io)) != 0)
+ dir->io, filesize)) != 0)
{ goto error; }
error:
return rv;

69
bsc1129403-prevent-division-by-zero.patch
View File

@ -1,69 +0,0 @@
Index: zziplib-0.13.69/bins/unzip-mem.c
===================================================================
--- zziplib-0.13.69.orig/bins/unzip-mem.c
+++ zziplib-0.13.69/bins/unzip-mem.c
@@ -186,6 +186,7 @@ static void zzip_mem_entry_direntry_star
static void zzip_mem_entry_direntry_done (void)
{
char exp = ' ';
+ long percentage;
if (sum_usize / 1024 > 1024*1024*1024) { exp = 'G';
sum_usize /= 1024*1024*1024; sum_usize /= 1024*1024*1024; }
if (sum_usize > 1024*1024*1024) { exp = 'M';
@@ -199,9 +200,10 @@ static void zzip_mem_entry_direntry_done
return;
verbose:
printf("-------- ------ ------- ----- ----\n");
+ percentage = sum_usize ? (L (100 - (sum_csize*100/sum_usize))) : 0; /* 0% if file size is 0 */
printf("%8li%c %8li%c %3li%% %8li %s\n",
L sum_usize, exp, L sum_csize, exp,
- L (100 - (sum_csize*100/sum_usize)), L sum_files,
+ percentage, L sum_files,
sum_files == 1 ? "file" : "files");
}
@@ -231,9 +233,12 @@ static void zzip_mem_entry_direntry(ZZIP
if (*name == '\n') name++;
if (option_verbose) {
+ long percentage;
+
+ percentage = usize ? (L (100 - (csize*100/usize))) : 0; /* 0% if file size is 0 */
printf("%8li%c %s %8li%c%3li%% %s %8lx %s %s\n",
L usize, exp, comprlevel[compr], L csize, exp,
- L (100 - (csize*100/usize)),
+ percentage,
_zzip_ctime(&mtime), crc32, name, comment);
} else {
printf(" %8li%c %s %s %s\n",
Index: zziplib-0.13.69/test/zziptests.py
===================================================================
--- zziplib-0.13.69.orig/test/zziptests.py
+++ zziplib-0.13.69/test/zziptests.py
@@ -3429,6 +3429,26 @@ class ZZipTest(unittest.TestCase):
txt = open(txtfile).read()
self.assertEqual(txt.split("\n"), run.output.split("\n"))
+ def test_65485_list_verbose_compressed_with_directory(self):
+ """ verbously list a zipfile containing directories """
+ tmpdir = self.testdir()
+ workdir = tmpdir + "/d"
+ zipname = "ZIPfile"
+ os.makedirs(workdir)
+ f= open(tmpdir + "/d/file","w+")
+ for i in range(10):
+ f.write("This is line %d\r\n" % (i+1))
+ f.close()
+ # create the ZIPfile
+ exe=self.bins("zzip")
+ run = shell("chdir {tmpdir} && ../{exe} -9 {zipname}.zip d".format(**locals()))
+ self.assertFalse(run.returncode)
+ # list the ZIPfile
+ exe=self.bins("unzip-mem");
+ run = shell("chdir {tmpdir} && ../{exe} -v {zipname}.zip".format(**locals()))
+ self.assertFalse(run.returncode)
+ self.rm_testdir()
+
def test_99000_make_test1w_zip(self):
""" create a test1w.zip using zzip/write functions. """
exe=self.bins("zzip")

3
zziplib-0.13.69.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544
size 1132204

3
zziplib-0.13.70.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1457262d7a237dc50ce1f98ca57242bc714055ff81146f419ee53cdea1bf029
size 1151766

21
zziplib.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Tue Apr 14 08:28:53 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
- Update to 1.13.70:
* there have been tons of bugfixes over the last two years ...
* Thanks go to Patrick Steinhardt (then at Aservo) for python3 updates
* Thanks go to Josef Moellers (working at SUSE Labs) for many CVE fixes
* and of course all the other patches that came in via github issues.
* I have cleaned up sources to only uses Python3 (as needed by 2020).
* !!! The old automake/autconf/libtool system will be dumped soon!!!
* The build system was ported to 'cmake' .. (last tested cmake 3.10.2)
Obsoletes patches
- CVE-2018-7726.patch
- CVE-2018-7725.patch
- CVE-2018-16548.patch
- CVE-2018-17828.patch
- bsc1129403-prevent-division-by-zero.patch
[zziplib-0.13.70.tar.gz, CVE-2018-7726.patch, CVE-2018-7725.patch,
CVE-2018-16548.patch, CVE-2018-17828.patch,
bsc1129403-prevent-division-by-zero.patch]
-------------------------------------------------------------------
Mon Feb 24 15:08:13 UTC 2020 - Josef Möllers <josef.moellers@suse.com>

16
zziplib.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package zziplib
#
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -18,22 +18,17 @@
%define lname libzzip-0-13
Name: zziplib
Version: 0.13.69
Version: 0.13.70
Release: 0
Summary: ZIP Compression Library
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Url: http://zziplib.sourceforge.net
URL: http://zziplib.sourceforge.net
Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source2: baselibs.conf
Patch0: zziplib-0.13.62.patch
Patch1: zziplib-0.13.62-wronglinking.patch
Patch2: zziplib-largefile.patch
Patch3: CVE-2018-7726.patch
Patch4: CVE-2018-7725.patch
Patch5: CVE-2018-16548.patch
Patch6: CVE-2018-17828.patch
Patch7: bsc1129403-prevent-division-by-zero.patch
Patch8: bsc1154002-prevent-unnecessary-perror.patch
BuildRequires: autoconf
BuildRequires: automake
@ -71,11 +66,6 @@ ZZipLib.
%patch0
%patch1
%patch2
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
# do not bother with html docs saving us python2 dependency
sed -i -e 's:docs ::g' Makefile.am