From 0a72e7672bf4b3cfb272e15276384d3cdc626b9f4aa8cebbaf63e89809c29865 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?=
Date: Mon, 19 Feb 2018 09:26:53 +0000
Subject: [PATCH] Accepting request 577665 from home:avindra

- Update to 0.13.68:
* fix a number of CVEs reported with special *.zip files
* minor doc updates referencing GitHub instead of sf.net
- drop CVE-2018-6381.patch
* merged in a803559fa9194be895422ba3684cf6309b6bb598
- drop CVE-2018-6484.patch
* merged in 0c0c9256b0903f664bca25dd8d924211f81e01d3
- drop CVE-2018-6540.patch
* merged in 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7
- drop CVE-2018-6542.patch
* merged in 938011cd60f5a8a2a16a49e5f317aca640cf4110
OBS-URL: https://build.opensuse.org/request/show/577665
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=29
---
CVE-2018-6381.patch | 19 ---------------
CVE-2018-6484.patch | 43 ---------------------------------
CVE-2018-6540.patch | 37 -----------------------------
CVE-2018-6542.patch | 54 ------------------------------------------
v0.13.67.tar.gz | 3 ---
zziplib-0.13.68.tar.gz | 3 +++
zziplib.changes | 15 ++++++++++++
zziplib.spec | 14 +++--------
8 files changed, 21 insertions(+), 167 deletions(-)
delete mode 100644 CVE-2018-6381.patch
delete mode 100644 CVE-2018-6484.patch
delete mode 100644 CVE-2018-6540.patch
delete mode 100644 CVE-2018-6542.patch
delete mode 100644 v0.13.67.tar.gz
create mode 100644 zziplib-0.13.68.tar.gz
diff --git a/CVE-2018-6381.patch b/CVE-2018-6381.patch
deleted file mode 100644
index a6beff9..0000000
--- a/CVE-2018-6381.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -209,6 +209,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
- item->zz_filetype = zzip_disk_entry_get_filetype(entry);
-
-+ /*
-+ * If the file is uncompressed, zz_csize and zz_usize should be the same
-+ * If they are not, we cannot guarantee that either is correct, so ...
-+ */
-+ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
-+ {
-+ goto error;
-+ }
- /* zz_comment and zz_name are empty strings if not present on disk */
- if (! item->zz_comment || ! item->zz_name)
- {
diff --git a/CVE-2018-6484.patch b/CVE-2018-6484.patch
deleted file mode 100644
index 04ab98b..0000000
--- a/CVE-2018-6484.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Index: zziplib-0.13.67/zzip/zip.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/zip.c
-+++ zziplib-0.13.67/zzip/zip.c
-@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
- # endif
-
- __fixup_rootseek(offset + tail - mapped, trailer);
-+ /*
-+ * "extract data from files archived in a single zip file."
-+ * So the file offsets must be within the current ZIP archive!
-+ */
-+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
-+ return(ZZIP_CORRUPTED);
- { return(0); }
- } else if ((*tail == 'P') &&
- end - tail >=
-@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
- zzip_disk64_trailer_finalentries(orig);
- trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
- trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
-+ /*
-+ * "extract data from files archived in a single zip file."
-+ * So the file offsets must be within the current ZIP archive!
-+ */
-+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
-+ return(ZZIP_CORRUPTED);
- { return(0); }
- # endif
- }
-Index: zziplib-0.13.67/bins/unzzipcat-zip.c
-===================================================================
---- zziplib-0.13.67.orig/bins/unzzipcat-zip.c
-+++ zziplib-0.13.67/bins/unzzipcat-zip.c
-@@ -78,7 +78,7 @@ static int unzzip_cat (int argc, char **
-
- disk = zzip_dir_open (argv[1], &error);
- if (! disk) {
-- perror(argv[1]);
-+ fprintf(stderr, "%s: %s\n", argv[1], zzip_strerror(error));
- return -1;
- }
-
diff --git a/CVE-2018-6540.patch b/CVE-2018-6540.patch
deleted file mode 100644
index 2ba9797..0000000
--- a/CVE-2018-6540.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: zziplib-0.13.67/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/mmapped.c
-+++ zziplib-0.13.67/zzip/mmapped.c
-@@ -457,6 +457,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
- errno = EBADMSG;
- return 0;
- }
-+ if (root >= disk->endbuf)
-+ {
-+ DBG1("root behind endbuf should be impossible");
-+ errno = EBADMSG;
-+ return 0;
-+ }
- if (zzip_disk_entry_check_magic(root))
- {
- DBG1("found the disk root");
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -305,7 +305,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM
- char* ext_end = ext + entry->zz_extlen[i];
- if (ext)
- {
-- while (ext + zzip_extra_block_headerlength <= ext_end)
-+ /*
-+ * Make sure that
-+ * 1) the extra block header
-+ * AND
-+ * 2) the block we're looking for
-+ * fit into the extra block!
-+ */
-+ while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
- {
- if (datatype == zzip_extra_block_get_datatype(ext))
- {
diff --git a/CVE-2018-6542.patch b/CVE-2018-6542.patch
deleted file mode 100644
index 77bdc7a..0000000
--- a/CVE-2018-6542.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-Index: zziplib-0.13.67/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/mmapped.c
-+++ zziplib-0.13.67/zzip/mmapped.c
-@@ -413,16 +413,19 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
- for (; p >= disk->buffer; p--)
- {
- zzip_byte_t *root; /* (struct zzip_disk_entry*) */
-+ zzip_size_t rootsize; /* Size of root central directory */
-+
- if (zzip_disk_trailer_check_magic(p))
- {
- struct zzip_disk_trailer *trailer = (struct zzip_disk_trailer *) p;
- zzip_size_t rootseek = zzip_disk_trailer_get_rootseek(trailer);
-+ rootsize = zzip_disk_trailer_get_rootsize(trailer);
-+
- root = disk->buffer + rootseek;
- DBG2("disk rootseek at %lli", (long long)rootseek);
- if (root > p)
- {
- /* the first disk_entry is after the disk_trailer? can't be! */
-- zzip_size_t rootsize = zzip_disk_trailer_get_rootsize(trailer);
- DBG2("have rootsize at %lli", (long long)rootsize);
- if (disk->buffer + rootsize > p)
- continue;
-@@ -441,6 +444,7 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
- return 0;
- }
- zzip_size_t rootseek = zzip_disk64_trailer_get_rootseek(trailer);
-+ rootsize = zzip_disk64_trailer_get_rootsize(trailer);
- DBG2("disk64 rootseek at %lli", (long long)rootseek);
- root = disk->buffer + rootseek;
- if (root > p)
-@@ -457,7 +461,7 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
- errno = EBADMSG;
- return 0;
- }
-- if (root >= disk->endbuf)
-+ if (root >= disk->endbuf || (root + rootsize) >= disk->endbuf)
- {
- DBG1("root behind endbuf should be impossible");
- errno = EBADMSG;
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -143,6 +143,7 @@ zzip_mem_disk_load(ZZIP_MEM_DISK * dir,
- zzip_mem_disk_unload(dir);
- ___ long count = 0;
- ___ struct zzip_disk_entry *entry = zzip_disk_findfirst(disk);
-+ if (!entry) goto error;
- for (; entry; entry = zzip_disk_findnext(disk, entry))
- {
- ZZIP_MEM_ENTRY *item = zzip_mem_entry_new(disk, entry);
diff --git a/v0.13.67.tar.gz b/v0.13.67.tar.gz
deleted file mode 100644
index 5e905af..0000000
--- a/v0.13.67.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1278178bdabac832da6bbf161033d890d335a2e38493c5af553ff5ce7b9b0220
-size 1072276
diff --git a/zziplib-0.13.68.tar.gz b/zziplib-0.13.68.tar.gz
new file mode 100644
index 0000000..648c186
--- /dev/null
+++ b/zziplib-0.13.68.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9460919b46592a225217cff067b1c0eb86002b32c54b4898f9c21401aaa11032
+size 1077386
diff --git a/zziplib.changes b/zziplib.changes
index 22a1f4a..a2fd499 100644
--- a/zziplib.changes
+++ b/zziplib.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Feb 18 03:25:53 UTC 2018 - avindra@opensuse.org
+
+- Update to 0.13.68:
+ * fix a number of CVEs reported with special *.zip files
+ * minor doc updates referencing GitHub instead of sf.net
+- drop CVE-2018-6381.patch
+ * merged in a803559fa9194be895422ba3684cf6309b6bb598
+- drop CVE-2018-6484.patch
+ * merged in 0c0c9256b0903f664bca25dd8d924211f81e01d3
+- drop CVE-2018-6540.patch
+ * merged in 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7
+- drop CVE-2018-6542.patch
+ * merged in 938011cd60f5a8a2a16a49e5f317aca640cf4110
+
 -------------------------------------------------------------------
 Wed Feb 14 13:36:43 UTC 2018 - josef.moellers@suse.com
diff --git a/zziplib.spec b/zziplib.spec
index 219b79c..658530d 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,21 +18,17 @@
 %define lname libzzip-0-13
 Name: zziplib
-Version: 0.13.67
+Version: 0.13.68
 Release: 0
 Summary: Free Zip Compression Library with an Easy-to-Use API
 License: LGPL-2.1+
 Group: System/Libraries
 Url: http://zziplib.sourceforge.net
-Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
+Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
-Patch3: CVE-2018-6381.patch
-Patch4: CVE-2018-6484.patch
-Patch5: CVE-2018-6540.patch
-Patch6: CVE-2018-6542.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
@@ -70,10 +66,6 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
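Review bot: Removing `Patch3`–`Patch6` in the preamble hunk, together with the matching `%patch3 -p1` … `%patch6 -p1` lines in the `%prep` hunk, leaves the spec with no indication that the package now relies on the 0.13.68 tarball for the four CVE fixes; the only record is the list of upstream commit ids in zziplib.changes. The tarball contents are not visible in this diff, so it is worth confirming before acceptance that the upstream tree carries checks equivalent to the dropped patches (for example the `if (!entry) goto error;` guard in `zzip_mem_disk_load` and the `root + rootsize` bound in `zzip_disk_findfirst`), since an upstream merge is not necessarily identical to the downstream patch. A short comment above the remaining patch list would keep that dependency visible, e.g. `# CVE-2018-6381, CVE-2018-6484, CVE-2018-6540 and CVE-2018-6542 are fixed upstream since 0.13.68`. Separately, the unchanged `Url:` line still points at the plain-HTTP sourceforge page although `Source0` and the changelog entry already reference GitHub.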