Accepting request 1152441 from home:vlefebvre:branches:devel:libraries:c_c++

Fix CVE-2020-18770 assert full zzip_file_header. [bsc#1214577]

OBS-URL: https://build.opensuse.org/request/show/1152441
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=58

CVE-2020-18770.patch

@@ -0,0 +1,26 @@
+From 803f49aaae16b7f2899e4769afdfc673a21fa9e8 Mon Sep 17 00:00:00 2001
+From: Guido Draheim <guidod@gmx.de>
+Date: Mon, 26 Feb 2024 23:17:12 +0100
+Subject: [PATCH] #69 assert full zzip_file_header
+
+---
+ zzip/mmapped.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/zzip/mmapped.c b/zzip/mmapped.c
+index 2071882..306ba51 100644
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -276,7 +276,8 @@ struct zzip_file_header *
+ zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
+ {
+     zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry);
+-    if (disk->buffer > ptr || ptr >= disk->endbuf)
++    zzip_byte_t *const end = ptr + sizeof(struct zzip_file_header);
++    if (disk->buffer > ptr || end >= disk->endbuf || end <= NULL)
+     {
+         debug2("file header: offset out of bounds (0x%llx)", (long long unsigned)(disk->buffer));
+         errno = EBADMSG;
+-- 
+2.35.3
+

zziplib-0.13.62.patch

@@ -1,7 +1,7 @@
-Index: m4/ax_cflags_no_writable_strings.m4
+Index: zziplib/m4/ax_cflags_no_writable_strings.m4
 ===================================================================
---- m4/ax_cflags_no_writable_strings.m4.orig
-+++ m4/ax_cflags_no_writable_strings.m4
+--- zziplib/m4/ax_cflags_no_writable_strings.m4
++++ zziplib-new/m4/ax_cflags_no_writable_strings.m4
 @@ -40,6 +40,7 @@ VAR,[VAR="no, unknown"
  for ac_arg dnl
  in "-pedantic % -fno-writable-strings -Wwrite-strings" dnl   GCC

zziplib.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 27 15:50:19 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
+
+- assert full zzip_file_header.                                                 
+  [bsc#1214577, CVE-2020-18770, CVE-2020-18770.patch]
+- Use autosetup
+
 -------------------------------------------------------------------
 Tue Feb 20 12:11:54 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

zziplib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,8 @@ URL:            http://zziplib.sourceforge.net
 Source0:        https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
 Patch0:         zziplib-0.13.62.patch
-Patch8:         bsc1154002-prevent-unnecessary-perror.patch
+Patch1:         bsc1154002-prevent-unnecessary-perror.patch
+Patch2:         CVE-2020-18770.patch
 BuildRequires:  cmake
 BuildRequires:  pkgconfig
 BuildRequires:  xmlto
@@ -59,9 +60,7 @@ That are the header files needed for developing applications using
 ZZipLib.
 
 %prep
-%setup -q
-%patch -P 0
-%patch -P 8 -p1
+%autosetup -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am