diff --git a/CVE-2018-7725.patch b/CVE-2018-7725.patch
new file mode 100644
index 0000000..c86a3e9
--- /dev/null
+++ b/CVE-2018-7725.patch
@@ -0,0 +1,32 @@
+Index: zziplib-0.13.69/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/memdisk.c
++++ zziplib-0.13.69/zzip/memdisk.c
+@@ -222,6 +222,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+
+ /*
++ * If zz_data+zz_csize exceeds the size of the file, bail out
++ */
++ if ((item->zz_data + item->zz_csize) < disk->buffer ||
++ (item->zz_data + item->zz_csize) >= disk->endbuf)
++ {
++ goto error;
++ }
++ /*
+ * If the file is uncompressed, zz_csize and zz_usize should be the same
+ * If they are not, we cannot guarantee that either is correct, so ...
+ */
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -408,7 +408,7 @@ __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+ zzip_plugin_io_t io,
+- zzip_off_t filesize);
++ zzip_off_t filesize)
+ {
+ auto struct zzip_disk_entry dirent;
+ struct zzip_dir_hdr *hdr;
diff --git a/CVE-2018-7726.patch b/CVE-2018-7726.patch
new file mode 100644
index 0000000..c01dfcc
--- /dev/null
+++ b/CVE-2018-7726.patch
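Review bot: The bound check added to zzip_mem_entry_new in the memdisk.c hunk computes `item->zz_data + item->zz_csize` from an attacker-controlled zz_csize before anything has bounded it, so the sum can land outside the disk buffer (or wrap), and forming and comparing such a pointer is undefined behaviour a compiler is entitled to fold away; do the arithmetic on lengths instead: `if (item->zz_data < disk->buffer || item->zz_data > disk->endbuf || item->zz_csize > (size_t)(disk->endbuf - item->zz_data)) goto error;`. This also replaces `>= disk->endbuf`, which rejects an entry whose data ends exactly at endbuf, with the exact bound. Whether zz_data has already been validated against the buffer is not visible here (zzip_mem_entry_new starts before the hunk and zz_csize's type is not shown), so the first two comparisons are cheap insurance. The zip.c hunk in this same patch only removes a stray `;` that CVE-2018-7726.patch introduces into the definition of __zzip_parse_root_directory; that correction belongs in the patch that introduced it so each patch applies and compiles on its own.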
@@ -0,0 +1,67 @@
+Index: zziplib-0.13.69/docs/zziplib.html
+===================================================================
+--- zziplib-0.13.69.orig/docs/zziplib.html
++++ zziplib-0.13.69/docs/zziplib.html
+@@ -415,7 +415,8 @@ generated 2003-12-12
+ (int fd,
+ struct zzip_disk_trailer * trailer,
+ struct zzip_dir_hdr ** hdr_return,
+-zzip_plugin_io_t io)
++zzip_plugin_io_t io,
++zzip_off_t filesize)
+
+
+ ZZIP_DIR*
+@@ -1091,7 +1092,8 @@ generated 2003-12-12
+ (int fd,
+ struct zzip_disk_trailer * trailer,
+ struct zzip_dir_hdr ** hdr_return,
+-zzip_plugin_io_t io)
++zzip_plugin_io_t io,
++zzip_off_t filesize)
+
+
+

 (../zzip/zip.c)
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
+ int __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+- zzip_plugin_io_t io);
++ zzip_plugin_io_t io,
++ zzip_off_t filesize);
+
+ _zzip_inline static char *__zzip_aligned4(char *p);
+
+@@ -406,7 +407,8 @@ int
+ __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+- zzip_plugin_io_t io)
++ zzip_plugin_io_t io,
++ zzip_off_t filesize);
+ {
+ auto struct zzip_disk_entry dirent;
+ struct zzip_dir_hdr *hdr;
+@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
++ if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
++ return ZZIP_CORRUPTED;
++
+ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+ return ZZIP_CORRUPTED;
+
+@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
+ (long) _disk_trailer_rootseek(&trailer));
+
+ if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
+- dir->io)) != 0)
++ dir->io, filesize)) != 0)
+ { goto error; }
+ error:
+ return rv;
diff --git a/zziplib-0.13.68.tar.gz b/zziplib-0.13.68.tar.gz
deleted file mode 100644
index 648c186..0000000
--- a/zziplib-0.13.68.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9460919b46592a225217cff067b1c0eb86002b32c54b4898f9c21401aaa11032
-size 1077386
diff --git a/zziplib-0.13.69.tar.gz b/zziplib-0.13.69.tar.gz
new file mode 100644
index 0000000..5d1cfe6
--- /dev/null
+++ b/zziplib-0.13.69.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544
+size 1132204
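Review bot: The definition of __zzip_parse_root_directory in the zip.c hunk at -406,7 is left as `zzip_off_t filesize);` directly followed by `{`, which is a syntax error; the package only builds because CVE-2018-7725.patch, applied afterwards, rewrites that line to `zzip_off_t filesize)`, so the correction should be made in this patch so it stands on its own. The new check in the -421,6 hunk only tests `zz_rootseek >= filesize`, so a central directory can still be declared to run past the end of the file; since the seek is by then known to lie in [0, filesize), `if (zz_rootsize > filesize - zz_rootseek) return ZZIP_CORRUPTED;` closes that gap without any overflow risk. Note also that `zz_rootsize <= 0` rejects a zero-length central directory that the pre-existing check on the next line still accepts (an empty archive would now report ZZIP_CORRUPTED), which looks like a regression worth confirming, and `zz_rootseek < 0` is now tested twice. The `filesize` handed over in the __zzip_dir_parse hunk is declared outside the hunk; confirm it is the size filled in by the trailer fetch and not an uninitialised local.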
diff --git a/zziplib-largefile.patch b/zziplib-largefile.patch
index 30648c8..69ddae9 100644
--- a/zziplib-largefile.patch
+++ b/zziplib-largefile.patch
@@ -2,7 +2,7 @@ Index: configure.ac
 ===================================================================
 --- configure.ac.orig
 +++ configure.ac
-@@ -125,7 +125,7 @@ if test ".$ac_cv_sys_largefile_sensitive
+@@ -129,7 +129,7 @@ if test ".$ac_cv_sys_largefile_sensitive
 elif test ".$with_largefile" != ".no" ; then
 AC_MSG_RESULT(compiles library as 64bit off_t variant dnl
 - and renaming some function names)
diff --git a/zziplib.changes b/zziplib.changes
index d80e9f4..5e107cb 100644
--- a/zziplib.changes
+++ b/zziplib.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Mar 19 13:57:10 UTC 2018 - josef.moellers@suse.com
+
+- Check if data from End of central directory record makes sense.
+ Especially the Offset of start of central directory must not
+ a) be negative or
+ b) point behind the end-of-file.
+- Check if compressed size in Central directory file header
+ makes sense, i.e. the file's data does not extend beyond the
+ end of the file.
+ [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch,
+ bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch]
+
+-------------------------------------------------------------------
+Sat Mar 17 18:53:19 UTC 2018 - avindra@opensuse.org
+
+- Update to 0.13.69:
+ * fix a number of CVEs reported with special *.zip PoC files
+ * completing some doc strings while checking the new man-pages to
+ look good
+ * update refs to point to github instead of sf.net
+ * man-pages are generated with new dbk2man.py - docbook xmlto is
+ optional now
+ * a zip-program is still required for testing, but some errors
+ are gone when not present
+- run spec-cleaner
+- don't ship Windows only file, README.MSVC6
+
 -------------------------------------------------------------------
 Mon Feb 19 12:55:26 UTC 2018 - adam.majer@suse.de
diff --git a/zziplib.spec b/zziplib.spec
index 936c13a..376b3d4 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,17 +18,20 @@
 %define lname libzzip-0-13
 Name: zziplib
-Version: 0.13.68
+Version: 0.13.69
 Release: 0
 Summary: ZIP Compression Library
 License: LGPL-2.1+
 Group: Development/Libraries/C and C++
+# License: LGPL-2.1-or-later
 Url: http://zziplib.sourceforge.net
 Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: CVE-2018-7726.patch
+Patch4: CVE-2018-7725.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -65,6 +68,8 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
@@ -85,11 +90,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %postun -n %{lname} -p /sbin/ldconfig
 %files -n %{lname}
-%doc COPYING.LIB
+%license COPYING.LIB
 %{_libdir}/libzzip*.so.*
 %files devel
-%doc docs/README* ChangeLog README TODO
+%doc docs/README.SDL ChangeLog README TODO
 %{_bindir}/unzzip*
 %{_bindir}/zz*
 %{_bindir}/unzip-mem