Accepting request 577974 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/577974
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zziplib?expand=0&rev=28

CVE-2018-6381.patch

@@ -1,19 +0,0 @@
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -209,6 +209,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-     item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
-     item->zz_filetype = zzip_disk_entry_get_filetype(entry);
- 
-+    /*
-+     * If the file is uncompressed, zz_csize and zz_usize should be the same
-+     * If they are not, we cannot guarantee that either is correct, so ...
-+     */
-+    if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
-+    {
-+        goto error;
-+    }
-     /* zz_comment and zz_name are empty strings if not present on disk */
-     if (! item->zz_comment || ! item->zz_name)
-     {

CVE-2018-6484.patch

@@ -1,43 +0,0 @@
-Index: zziplib-0.13.67/zzip/zip.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/zip.c
-+++ zziplib-0.13.67/zzip/zip.c
-@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
- #                  endif
- 
-                     __fixup_rootseek(offset + tail - mapped, trailer);
-+		    /*
-+		     * "extract data from files archived in a single zip file."
-+		     * So the file offsets must be within the current ZIP archive!
-+		     */
-+		    if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
-+		        return(ZZIP_CORRUPTED);
-                     { return(0); }
-                 } else if ((*tail == 'P') &&
-                            end - tail >=
-@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
-                         zzip_disk64_trailer_finalentries(orig);
-                     trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
-                     trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
-+		    /*
-+		     * "extract data from files archived in a single zip file."
-+		     * So the file offsets must be within the current ZIP archive!
-+		     */
-+		    if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
-+		        return(ZZIP_CORRUPTED);
-                     { return(0); }
- #                  endif
-                 }
-Index: zziplib-0.13.67/bins/unzzipcat-zip.c
-===================================================================
---- zziplib-0.13.67.orig/bins/unzzipcat-zip.c
-+++ zziplib-0.13.67/bins/unzzipcat-zip.c
-@@ -78,7 +78,7 @@ static int unzzip_cat (int argc, char **
-     
-     disk = zzip_dir_open (argv[1], &error);
-     if (! disk) {
--	perror(argv[1]);
-+	fprintf(stderr, "%s: %s\n", argv[1], zzip_strerror(error));
- 	return -1;
-     }
- 

CVE-2018-6540.patch

@@ -1,37 +0,0 @@
-Index: zziplib-0.13.67/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/mmapped.c
-+++ zziplib-0.13.67/zzip/mmapped.c
-@@ -457,6 +457,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
-             errno = EBADMSG;
-             return 0;
-         }
-+	if (root >= disk->endbuf)
-+	{
-+	    DBG1("root behind endbuf should be impossible");
-+	    errno = EBADMSG;
-+	    return 0;
-+	}
-         if (zzip_disk_entry_check_magic(root))
-         {
-             DBG1("found the disk root");
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -305,7 +305,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM
-         char* ext_end = ext + entry->zz_extlen[i];
-         if (ext)
-         {
--            while (ext + zzip_extra_block_headerlength <= ext_end)
-+	    /*
-+	     * Make sure that
-+	     * 1) the extra block header
-+	     * AND
-+	     * 2) the block we're looking for
-+	     * fit into the extra block!
-+	     */
-+            while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
-             {
-                 if (datatype == zzip_extra_block_get_datatype(ext))
-                 {

CVE-2018-6542.patch

@@ -1,54 +0,0 @@
-Index: zziplib-0.13.67/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/mmapped.c
-+++ zziplib-0.13.67/zzip/mmapped.c
-@@ -413,16 +413,19 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
-     for (; p >= disk->buffer; p--)
-     {
-         zzip_byte_t *root;      /* (struct zzip_disk_entry*) */
-+	zzip_size_t rootsize;	/* Size of root central directory */
-+
-         if (zzip_disk_trailer_check_magic(p))
-         {
-             struct zzip_disk_trailer *trailer = (struct zzip_disk_trailer *) p;
-             zzip_size_t rootseek = zzip_disk_trailer_get_rootseek(trailer);
-+	    rootsize = zzip_disk_trailer_get_rootsize(trailer);
-+
-             root = disk->buffer + rootseek;
-             DBG2("disk rootseek at %lli", (long long)rootseek);
-             if (root > p)
-             {
-                 /* the first disk_entry is after the disk_trailer? can't be! */
--                zzip_size_t rootsize = zzip_disk_trailer_get_rootsize(trailer);
-                 DBG2("have rootsize at %lli", (long long)rootsize);
-                 if (disk->buffer + rootsize > p)
-                     continue;
-@@ -441,6 +444,7 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
-                 return 0;
-             }
-             zzip_size_t rootseek = zzip_disk64_trailer_get_rootseek(trailer);
-+	    rootsize = zzip_disk64_trailer_get_rootsize(trailer);
-             DBG2("disk64 rootseek at %lli", (long long)rootseek);
-             root = disk->buffer + rootseek;
-             if (root > p)
-@@ -457,7 +461,7 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
-             errno = EBADMSG;
-             return 0;
-         }
--	if (root >= disk->endbuf)
-+	if (root >= disk->endbuf || (root + rootsize) >= disk->endbuf)
- 	{
- 	    DBG1("root behind endbuf should be impossible");
- 	    errno = EBADMSG;
-Index: zziplib-0.13.67/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.67.orig/zzip/memdisk.c
-+++ zziplib-0.13.67/zzip/memdisk.c
-@@ -143,6 +143,7 @@ zzip_mem_disk_load(ZZIP_MEM_DISK * dir,
-         zzip_mem_disk_unload(dir);
-     ___ long count = 0;
-     ___ struct zzip_disk_entry *entry = zzip_disk_findfirst(disk);
-+    if (!entry) goto error;
-     for (; entry; entry = zzip_disk_findnext(disk, entry))
-     {
-         ZZIP_MEM_ENTRY *item = zzip_mem_entry_new(disk, entry);

v0.13.67.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1278178bdabac832da6bbf161033d890d335a2e38493c5af553ff5ce7b9b0220
-size 1072276

zziplib-0.13.68.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9460919b46592a225217cff067b1c0eb86002b32c54b4898f9c21401aaa11032
+size 1077386

zziplib.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Feb 18 03:25:53 UTC 2018 - avindra@opensuse.org
+
+- Update to 0.13.68:
+  * fix a number of CVEs reported with special *.zip files
+  * minor doc updates referencing GitHub instead of sf.net
+- drop CVE-2018-6381.patch
+  * merged in a803559fa9194be895422ba3684cf6309b6bb598
+- drop CVE-2018-6484.patch
+  * merged in 0c0c9256b0903f664bca25dd8d924211f81e01d3
+- drop CVE-2018-6540.patch
+  * merged in 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7
+- drop CVE-2018-6542.patch
+  * merged in 938011cd60f5a8a2a16a49e5f317aca640cf4110
+
 -------------------------------------------------------------------
 Wed Feb 14 13:36:43 UTC 2018 - josef.moellers@suse.com
 

zziplib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,21 +18,17 @@
 
 %define lname	libzzip-0-13
 Name:           zziplib
-Version:        0.13.67
+Version:        0.13.68
 Release:        0
 Summary:        Free Zip Compression Library with an Easy-to-Use API
 License:        LGPL-2.1+
 Group:          System/Libraries
 Url:            http://zziplib.sourceforge.net
-Source0:        https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
+Source0:        https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
 Patch0:         zziplib-0.13.62.patch
 Patch1:         zziplib-0.13.62-wronglinking.patch
 Patch2:         zziplib-largefile.patch
-Patch3:         CVE-2018-6381.patch
-Patch4:         CVE-2018-6484.patch
-Patch5:         CVE-2018-6540.patch
-Patch6:         CVE-2018-6542.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -70,10 +66,6 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am