From a5d7ebe0361e319eb9b74698cb29571eec0cbdb41a179145a6a638a63144f136 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Mon, 19 Mar 2018 17:24:00 +0000
Subject: [PATCH] Accepting request 588647 from home:jmoellers:branches:devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/588647
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=35
---
 CVE-2018-7725.patch | 32 ++++++++++++++++++++
 CVE-2018-7726.patch | 67 +++++++++++++++++++++++++++++++++++++++++
 zziplib-largefile.patch | 2 +-
 zziplib.changes | 13 ++++++++
 zziplib.spec | 9 ++++-
 5 files changed, 120 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2018-7725.patch
 create mode 100644 CVE-2018-7726.patch

diff --git a/CVE-2018-7725.patch b/CVE-2018-7725.patch
new file mode 100644
index 0000000..c86a3e9
--- /dev/null
+++ b/CVE-2018-7725.patch
@@ -0,0 +1,32 @@
+Index: zziplib-0.13.69/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/memdisk.c
++++ zziplib-0.13.69/zzip/memdisk.c
+@@ -222,6 +222,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+
+ /*
++ * If zz_data+zz_csize exceeds the size of the file, bail out
++ */
++ if ((item->zz_data + item->zz_csize) < disk->buffer ||
++ (item->zz_data + item->zz_csize) >= disk->endbuf)
++ {
++ goto error;
++ }
++ /*
+ * If the file is uncompressed, zz_csize and zz_usize should be the same
+ * If they are not, we cannot guarantee that either is correct, so ...
+ */
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -408,7 +408,7 @@ __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+ zzip_plugin_io_t io,
+- zzip_off_t filesize);
++ zzip_off_t filesize)
+ {
+ auto struct zzip_disk_entry dirent;
+ struct zzip_dir_hdr *hdr;
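Review bot: The memdisk.c check in this patch computes `item->zz_data + item->zz_csize` before deciding whether that address is inside the buffer, so the very out-of-range pointer the check is meant to reject is formed first; with zz_csize taken from the central directory of an untrusted file the addition can wrap, and comparing such a pointer against `disk->buffer`/`disk->endbuf` is undefined behaviour rather than reliably false. Comparing lengths avoids that: `if (item->zz_data < disk->buffer || item->zz_data > disk->endbuf || item->zz_csize > (size_t)(disk->endbuf - item->zz_data)) goto error;`. The type of zz_csize and whether zz_data has already been validated against the buffer are not visible in the hunk, so the cast and the first two terms may need adjusting. The zip.c part of this patch only removes the stray `;` that CVE-2018-7726.patch leaves after the `__zzip_parse_root_directory` definition's parameter list, which makes the two patches order-dependent (zip.c does not compile with Patch3 alone); that one-character fix belongs in CVE-2018-7726.patch itself.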
diff --git a/CVE-2018-7726.patch b/CVE-2018-7726.patch
new file mode 100644
index 0000000..c01dfcc
--- /dev/null
+++ b/CVE-2018-7726.patch
@@ -0,0 +1,67 @@
+Index: zziplib-0.13.69/docs/zziplib.html
+===================================================================
+--- zziplib-0.13.69.orig/docs/zziplib.html
++++ zziplib-0.13.69/docs/zziplib.html
+@@ -415,7 +415,8 @@ generated 2003-12-12
+ (int fd,
+ struct zzip_disk_trailer * trailer,
+ struct zzip_dir_hdr ** hdr_return,
+-zzip_plugin_io_t io)
++zzip_plugin_io_t io,
++zzip_off_t filesize)
+
+
+ ZZIP_DIR*
+@@ -1091,7 +1092,8 @@ generated 2003-12-12
+ (int fd,
+ struct zzip_disk_trailer * trailer,
+ struct zzip_dir_hdr ** hdr_return,
+-zzip_plugin_io_t io)
++zzip_plugin_io_t io,
++zzip_off_t filesize)
+
+

 (../zzip/zip.c)
+Index: zziplib-0.13.69/zzip/zip.c
+===================================================================
+--- zziplib-0.13.69.orig/zzip/zip.c
++++ zziplib-0.13.69/zzip/zip.c
+@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
+ int __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+- zzip_plugin_io_t io);
++ zzip_plugin_io_t io,
++ zzip_off_t filesize);
+
+ _zzip_inline static char *__zzip_aligned4(char *p);
+
+@@ -406,7 +407,8 @@ int
+ __zzip_parse_root_directory(int fd,
+ struct _disk_trailer *trailer,
+ struct zzip_dir_hdr **hdr_return,
+- zzip_plugin_io_t io)
++ zzip_plugin_io_t io,
++ zzip_off_t filesize);
+ {
+ auto struct zzip_disk_entry dirent;
+ struct zzip_dir_hdr *hdr;
+@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
++ if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
++ return ZZIP_CORRUPTED;
++
+ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+ return ZZIP_CORRUPTED;
+
+@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
+ (long) _disk_trailer_rootseek(&trailer));
+
+ if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
+- dir->io)) != 0)
++ dir->io, filesize)) != 0)
+ { goto error; }
+ error:
+ return rv;
diff --git a/zziplib-largefile.patch b/zziplib-largefile.patch
index 30648c8..69ddae9 100644
--- a/zziplib-largefile.patch
+++ b/zziplib-largefile.patch
@@ -2,7 +2,7 @@ Index: configure.ac
 ===================================================================
 --- configure.ac.orig
 +++ configure.ac
-@@ -125,7 +125,7 @@ if test ".$ac_cv_sys_largefile_sensitive
+@@ -129,7 +129,7 @@ if test ".$ac_cv_sys_largefile_sensitive
 elif test ".$with_largefile" != ".no" ; then
 AC_MSG_RESULT(compiles library as 64bit off_t variant dnl
 - and renaming some function names)
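Review bot: The guard added in the `@@ -421,6 +423,9 @@` part of `__zzip_parse_root_directory` only checks that the central directory starts before `filesize`; it does not check that it also ends there, so a `zz_rootsize` that runs past end-of-file is still accepted and the subsequent read of that many bytes is left to fail or overrun further down. Extending the condition to `zz_rootseek >= filesize || zz_rootsize > filesize - zz_rootseek` covers the whole range. The new `zz_rootsize <= 0` term also rejects an archive whose central directory has size 0, which before this patch was only rejected for `zz_rootsize < 0`; whether a zero-entry archive is meant to keep opening should be confirmed before the stricter test ships. Once the new guard is in, the `zz_rootseek < 0` term of the pre-existing check two lines below is redundant and could be dropped. The `@@ -755,7 +760,7 @@` hunk passes a `filesize` that must already be declared earlier in `__zzip_dir_parse`, outside the hunk.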
diff --git a/zziplib.changes b/zziplib.changes
index 9e3e56a..5e107cb 100644
--- a/zziplib.changes
+++ b/zziplib.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Mar 19 13:57:10 UTC 2018 - josef.moellers@suse.com
+
+- Check if data from End of central directory record makes sense.
+ Especially the Offset of start of central directory must not
+ a) be negative or
+ b) point behind the end-of-file.
+- Check if compressed size in Central directory file header
+ makes sense, i.e. the file's data does not extend beyond the
+ end of the file.
+ [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch,
+ bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch]
+
 -------------------------------------------------------------------
 Sat Mar 17 18:53:19 UTC 2018 - avindra@opensuse.org
diff --git a/zziplib.spec b/zziplib.spec
index a214303..376b3d4 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,14 +21,17 @@ Name: zziplib
 Version: 0.13.69
 Release: 0
 Summary: ZIP Compression Library
-License: LGPL-2.1-or-later
+License: LGPL-2.1+
 Group: Development/Libraries/C and C++
+# License: LGPL-2.1-or-later
 Url: http://zziplib.sourceforge.net
 Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: CVE-2018-7726.patch
+Patch4: CVE-2018-7725.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
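Review bot: The `@@ -21,14 +21,17 @@` hunk of zziplib.spec turns `License: LGPL-2.1-or-later` back into `License: LGPL-2.1+` and parks the SPDX form in a `# License:` comment, and the `@@ -1,7 +1,7 @@` hunk likewise rewrites the copyright line to `SUSE LINUX Products GmbH`; neither change is mentioned in the zziplib.changes entry, which only describes the two CVE patches. Both look like the branch was forked from a revision older than the Sat Mar 17 entry it now sits above, so they are most likely accidental reverts rather than intended edits. Dropping those two changes keeps the request limited to adding Patch3/Patch4 and their `%patch3 -p1`/`%patch4 -p1` lines.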
@@ -65,6 +68,8 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am