Accepting request 588696 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/588696
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zziplib?expand=0&rev=30

CVE-2018-7725.patch

@@ -0,0 +1,32 @@
+Index: zziplib-0.13.69/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/memdisk.c
++++ zziplib-0.13.69/zzip/memdisk.c
+@@ -222,6 +222,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+     item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+ 
+     /*
++     * If zz_data+zz_csize exceeds the size of the file, bail out
++     */
++    if ((item->zz_data + item->zz_csize) < disk->buffer ||
++        (item->zz_data + item->zz_csize) >= disk->endbuf)
++    {
++        goto error;
++    }
++    /*
+      * If the file is uncompressed, zz_csize and zz_usize should be the same
+      * If they are not, we cannot guarantee that either is correct, so ...
+      */
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -408,7 +408,7 @@ __zzip_parse_root_directory(int fd,
+                             struct _disk_trailer *trailer,
+                             struct zzip_dir_hdr **hdr_return,
+                             zzip_plugin_io_t io,
+-			    zzip_off_t filesize);
++			    zzip_off_t filesize)
+ {
+     auto struct zzip_disk_entry dirent;
+     struct zzip_dir_hdr *hdr;

CVE-2018-7726.patch

@@ -0,0 +1,67 @@
+Index: zziplib-0.13.69/docs/zziplib.html
+===================================================================
+--- zziplib-0.13.69.orig/docs/zziplib.html
++++ zziplib-0.13.69/docs/zziplib.html
+@@ -415,7 +415,8 @@ generated 2003-12-12
+  <code>(<nobr>int fd</nobr>,
+ <nobr>struct zzip_disk_trailer * trailer</nobr>,
+ <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
+-<nobr>zzip_plugin_io_t io</nobr>)</code>
++<nobr>zzip_plugin_io_t io</nobr>,
++<nobr>zzip_off_t filesize</nobr>)</code>
+ 
+ </td></tr><tr valign="top">
+ <td valign="top"><code>ZZIP_DIR*
+@@ -1091,7 +1092,8 @@ generated 2003-12-12
+  <code>(<nobr>int fd</nobr>,
+ <nobr>struct zzip_disk_trailer * trailer</nobr>,
+ <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
+-<nobr>zzip_plugin_io_t io</nobr>)</code>
++<nobr>zzip_plugin_io_t io</nobr>,
++<nobr>zzip_off_t filesize</nobr>)</code>
+ 
+ </code></code><dt>
+ <dd><p> &nbsp;(../zzip/zip.c)
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
+ int __zzip_parse_root_directory(int fd,
+                                 struct _disk_trailer *trailer,
+                                 struct zzip_dir_hdr **hdr_return,
+-                                zzip_plugin_io_t io);
++                                zzip_plugin_io_t io,
++				zzip_off_t filesize);
+ 
+ _zzip_inline static char *__zzip_aligned4(char *p);
+ 
+@@ -406,7 +407,8 @@ int
+ __zzip_parse_root_directory(int fd,
+                             struct _disk_trailer *trailer,
+                             struct zzip_dir_hdr **hdr_return,
+-                            zzip_plugin_io_t io)
++                            zzip_plugin_io_t io,
++			    zzip_off_t filesize);
+ {
+     auto struct zzip_disk_entry dirent;
+     struct zzip_dir_hdr *hdr;
+@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
+     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ 
++    if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
++    	return ZZIP_CORRUPTED;
++
+     if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+         return ZZIP_CORRUPTED;
+ 
+@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
+           (long) _disk_trailer_rootseek(&trailer));
+ 
+     if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
+-                                          dir->io)) != 0)
++                                          dir->io, filesize)) != 0)
+         { goto error; }
+   error:
+     return rv;

zziplib-0.13.68.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9460919b46592a225217cff067b1c0eb86002b32c54b4898f9c21401aaa11032
-size 1077386

zziplib-0.13.69.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544
+size 1132204

zziplib-largefile.patch

@@ -2,7 +2,7 @@ Index: configure.ac
 ===================================================================
 --- configure.ac.orig
 +++ configure.ac
-@@ -125,7 +125,7 @@ if test ".$ac_cv_sys_largefile_sensitive
+@@ -129,7 +129,7 @@ if test ".$ac_cv_sys_largefile_sensitive
  elif test ".$with_largefile" != ".no" ; then
    AC_MSG_RESULT(compiles library as 64bit off_t variant dnl
  - and renaming some function names)

zziplib.changes

@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Mar 19 13:57:10 UTC 2018 - josef.moellers@suse.com
+
+- Check if data from End of central directory record makes sense.
+  Especially the Offset of start of central directory must not
+  a) be negative or
+  b) point behind the end-of-file.
+- Check if compressed size in Central directory file header
+  makes sense, i.e. the file's data does not extend beyond the
+  end of the file.
+  [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch,
+   bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch]
+
+-------------------------------------------------------------------
+Sat Mar 17 18:53:19 UTC 2018 - avindra@opensuse.org
+
+- Update to 0.13.69:
+  * fix a number of CVEs reported with special *.zip PoC files
+  * completing some doc strings while checking the new man-pages to
+    look good
+  * update refs to point to github instead of sf.net
+  * man-pages are generated with new dbk2man.py - docbook xmlto is
+    optional now
+  * a zip-program is still required for testing, but some errors
+    are gone when not present
+- run spec-cleaner
+- don't ship Windows only file, README.MSVC6
+
 -------------------------------------------------------------------
 Mon Feb 19 12:55:26 UTC 2018 - adam.majer@suse.de
 

zziplib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,17 +18,20 @@
 
 %define lname	libzzip-0-13
 Name:           zziplib
-Version:        0.13.68
+Version:        0.13.69
 Release:        0
 Summary:        ZIP Compression Library
 License:        LGPL-2.1+
 Group:          Development/Libraries/C and C++
+# License:        LGPL-2.1-or-later
 Url:            http://zziplib.sourceforge.net
 Source0:        https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
 Patch0:         zziplib-0.13.62.patch
 Patch1:         zziplib-0.13.62-wronglinking.patch
 Patch2:         zziplib-largefile.patch
+Patch3:         CVE-2018-7726.patch
+Patch4:         CVE-2018-7725.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -65,6 +68,8 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
 
@@ -85,11 +90,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %postun -n %{lname} -p /sbin/ldconfig
 
 %files -n %{lname}
-%doc COPYING.LIB
+%license COPYING.LIB
 %{_libdir}/libzzip*.so.*
 
 %files devel
-%doc docs/README* ChangeLog README TODO
+%doc docs/README.SDL ChangeLog README TODO
 %{_bindir}/unzzip*
 %{_bindir}/zz*
 %{_bindir}/unzip-mem