diff --git a/CVE-2020-18770.patch b/CVE-2020-18770.patch new file mode 100644 index 0000000..91210ac --- /dev/null +++ b/CVE-2020-18770.patch @@ -0,0 +1,26 @@ +From 803f49aaae16b7f2899e4769afdfc673a21fa9e8 Mon Sep 17 00:00:00 2001 +From: Guido Draheim +Date: Mon, 26 Feb 2024 23:17:12 +0100 +Subject: [PATCH] #69 assert full zzip_file_header + +--- + zzip/mmapped.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/zzip/mmapped.c b/zzip/mmapped.c +index 2071882..306ba51 100644 +--- a/zzip/mmapped.c ++++ b/zzip/mmapped.c +@@ -276,7 +276,8 @@ struct zzip_file_header * + zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry) + { + zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry); +- if (disk->buffer > ptr || ptr >= disk->endbuf) ++ zzip_byte_t *const end = ptr + sizeof(struct zzip_file_header); ++ if (disk->buffer > ptr || end >= disk->endbuf || end <= NULL) + { + debug2("file header: offset out of bounds (0x%llx)", (long long unsigned)(disk->buffer)); + errno = EBADMSG; +-- +2.35.3 + diff --git a/zziplib-0.13.62.patch b/zziplib-0.13.62.patch index d8936ff..7ce7618 100644 --- a/zziplib-0.13.62.patch +++ b/zziplib-0.13.62.patch @@ -1,7 +1,7 @@ -Index: m4/ax_cflags_no_writable_strings.m4 +Index: zziplib/m4/ax_cflags_no_writable_strings.m4 =================================================================== ---- m4/ax_cflags_no_writable_strings.m4.orig -+++ m4/ax_cflags_no_writable_strings.m4 +--- zziplib/m4/ax_cflags_no_writable_strings.m4 ++++ zziplib-new/m4/ax_cflags_no_writable_strings.m4 @@ -40,6 +40,7 @@ VAR,[VAR="no, unknown" for ac_arg dnl in "-pedantic % -fno-writable-strings -Wwrite-strings" dnl GCC diff --git a/zziplib.changes b/zziplib.changes index a2f443f..9a27b75 100644 --- a/zziplib.changes +++ b/zziplib.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Feb 27 15:50:19 UTC 2024 - Valentin Lefebvre + +- assert full zzip_file_header. + [bsc#1214577, CVE-2020-18770, CVE-2020-18770.patch] +- Use autosetup + ------------------------------------------------------------------- Tue Feb 20 12:11:54 UTC 2024 - Dominique Leuenberger diff --git a/zziplib.spec b/zziplib.spec index 04e0ce7..cd98668 100644 --- a/zziplib.spec +++ b/zziplib.spec @@ -1,7 +1,7 @@ # # spec file for package zziplib # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,8 @@ URL: http://zziplib.sourceforge.net Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source2: baselibs.conf Patch0: zziplib-0.13.62.patch -Patch8: bsc1154002-prevent-unnecessary-perror.patch +Patch1: bsc1154002-prevent-unnecessary-perror.patch +Patch2: CVE-2020-18770.patch BuildRequires: cmake BuildRequires: pkgconfig BuildRequires: xmlto @@ -59,9 +60,7 @@ That are the header files needed for developing applications using ZZipLib. %prep -%setup -q -%patch -P 0 -%patch -P 8 -p1 +%autosetup -p1 # do not bother with html docs saving us python2 dependency sed -i -e 's:docs ::g' Makefile.am