diff --git a/v0.13.67.tar.gz b/v0.13.67.tar.gz new file mode 100644 index 0000000..5e905af --- /dev/null +++ b/v0.13.67.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1278178bdabac832da6bbf161033d890d335a2e38493c5af553ff5ce7b9b0220 +size 1072276 diff --git a/zziplib-0.13.62.tar.bz2 b/zziplib-0.13.62.tar.bz2 deleted file mode 100644 index e51916b..0000000 --- a/zziplib-0.13.62.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a1b8033f1a1fd6385f4820b01ee32d8eca818409235d22caf5119e0078c7525b -size 685770 diff --git a/zziplib-CVE-2017-5974.patch b/zziplib-CVE-2017-5974.patch deleted file mode 100644 index 3bc82aa..0000000 --- a/zziplib-CVE-2017-5974.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - /* override sizes/offsets with zip64 values for largefile support */ - zzip_extra_zip64 *block = (zzip_extra_zip64 *) - zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64); -- if (block) -+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)) - { -- item->zz_usize = __zzip_get64(block->z_usize); -- item->zz_csize = __zzip_get64(block->z_csize); -- item->zz_offset = __zzip_get64(block->z_offset); -- item->zz_diskstart = __zzip_get32(block->z_diskstart); -+ item->zz_usize = ZZIP_GET64(block->z_usize); -+ item->zz_csize = ZZIP_GET64(block->z_csize); -+ item->zz_offset = ZZIP_GET64(block->z_offset); -+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart); - } - } - /* NOTE: diff --git a/zziplib-CVE-2017-5975.patch b/zziplib-CVE-2017-5975.patch deleted file mode 100644 index 18a0bb1..0000000 --- a/zziplib-CVE-2017-5975.patch +++ /dev/null @@ -1,26 +0,0 @@ -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - return 0; /* errno=ENOMEM; */ - ___ struct zzip_file_header *header = - zzip_disk_entry_to_file_header(disk, entry); -+ if (!header) -+ { free(item); return 0; } - /* there is a number of duplicated information in the file header - * or the disk entry block. Theoretically some part may be missing - * that exists in the other, ... but we will prefer the disk entry. -Index: zziplib-0.13.62/zzip/mmapped.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/mmapped.c -+++ zziplib-0.13.62/zzip/mmapped.c -@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK - (disk->buffer + zzip_disk_entry_fileoffset(entry)); - if (disk->buffer > file_header || file_header >= disk->endbuf) - return 0; -+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC) -+ return 0; - return (struct zzip_file_header *) file_header; - } - diff --git a/zziplib-CVE-2017-5976.patch b/zziplib-CVE-2017-5976.patch deleted file mode 100644 index d3fe5cf..0000000 --- a/zziplib-CVE-2017-5976.patch +++ /dev/null @@ -1,55 +0,0 @@ -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - { - void *mem = malloc(ext1 + 2); - item->zz_ext[1] = mem; -+ item->zz_extlen[1] = ext1 + 2; - memcpy(mem, ptr1, ext1); - ((char *) (mem))[ext1 + 0] = 0; - ((char *) (mem))[ext1 + 1] = 0; -@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - { - void *mem = malloc(ext2 + 2); - item->zz_ext[2] = mem; -+ item->zz_extlen[2] = ext2 + 2; - memcpy(mem, ptr2, ext2); - ((char *) (mem))[ext2 + 0] = 0; - ((char *) (mem))[ext2 + 1] = 0; -@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR - while (1) - { - ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i]; -- if (ext) -+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength)) - { -+ char *endblock = (char *)ext + entry->zz_extlen[i]; -+ - while (*(short *) (ext->z_datatype)) - { - if (datatype == zzip_extra_block_get_datatype(ext)) -@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR - e += zzip_extra_block_headerlength; - e += zzip_extra_block_get_datasize(ext); - ext = (void *) e; -+ if (e >= endblock) -+ { -+ break; -+ } - ____; - } - } -Index: zziplib-0.13.62/zzip/memdisk.h -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.h -+++ zziplib-0.13.62/zzip/memdisk.h -@@ -66,6 +66,7 @@ struct _zzip_mem_entry { - int zz_filetype; /* (from "z_filetype") */ - char* zz_comment; /* zero-terminated (from "comment") */ - ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */ -+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */ - }; /* the extra blocks are NOT converted */ - - #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list) diff --git a/zziplib-CVE-2017-5978.patch b/zziplib-CVE-2017-5978.patch deleted file mode 100644 index 1e98011..0000000 --- a/zziplib-CVE-2017-5978.patch +++ /dev/null @@ -1,31 +0,0 @@ -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - * that exists in the other, ... but we will prefer the disk entry. - */ - item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry); -- item->zz_name = zzip_disk_entry_strdup_name(disk, entry); -+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup(""); - item->zz_data = zzip_file_header_to_data(header); - item->zz_flags = zzip_disk_entry_get_flags(entry); - item->zz_compr = zzip_disk_entry_get_compr(entry); -@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - int /* */ ext2 = zzip_file_header_get_extras(header); - char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header); - -- if (ext1) -+ if (ext1 && ((ptr1 + ext1) < disk->endbuf)) - { - void *mem = malloc(ext1 + 2); - item->zz_ext[1] = mem; -@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - ((char *) (mem))[ext1 + 0] = 0; - ((char *) (mem))[ext1 + 1] = 0; - } -- if (ext2) -+ if (ext2 && ((ptr2 + ext2) < disk->endbuf)) - { - void *mem = malloc(ext2 + 2); - item->zz_ext[2] = mem; diff --git a/zziplib-CVE-2017-5979.patch b/zziplib-CVE-2017-5979.patch deleted file mode 100644 index a4b1509..0000000 --- a/zziplib-CVE-2017-5979.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: zziplib-0.13.62/zzip/fseeko.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/fseeko.c -+++ zziplib-0.13.62/zzip/fseeko.c -@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk) - return 0; - /* we read out chunks of 8 KiB in the hope to match disk granularity */ - ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */ -- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry)); -+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry)); - if (! entry) - return 0; - ___ unsigned char *buffer = malloc(pagesize); diff --git a/zziplib-CVE-2017-5981.patch b/zziplib-CVE-2017-5981.patch deleted file mode 100644 index 3dc0d9f..0000000 --- a/zziplib-CVE-2017-5981.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: zziplib-0.13.62/zzip/fseeko.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/fseeko.c -+++ zziplib-0.13.62/zzip/fseeko.c -@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk) - } else - continue; - -- assert(0 <= root && root < mapsize); -+ if (root < 0 || root >= mapsize) -+ goto error; - if (fseeko(disk, root, SEEK_SET) == -1) - goto error; - if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk) diff --git a/zziplib-unzipcat-NULL-name.patch b/zziplib-unzipcat-NULL-name.patch deleted file mode 100644 index e3021ce..0000000 --- a/zziplib-unzipcat-NULL-name.patch +++ /dev/null @@ -1,50 +0,0 @@ -Index: zziplib-0.13.62/bins/unzzipcat.c -=================================================================== ---- zziplib-0.13.62.orig/bins/unzzipcat.c -+++ zziplib-0.13.62/bins/unzzipcat.c -@@ -91,8 +91,11 @@ main (int argc, char ** argv) - for (; entry ; entry = zzip_disk_findnext(disk, entry)) - { - char* name = zzip_disk_entry_strdup_name (disk, entry); -- printf ("%s\n", name); -- free (name); -+ if (name) -+ { -+ printf ("%s\n", name); -+ free (name); -+ } - } - return 0; - } -@@ -112,10 +115,13 @@ main (int argc, char ** argv) - for (; entry ; entry = zzip_disk_findnext(disk, entry)) - { - char* name = zzip_disk_entry_strdup_name (disk, entry); -- if (! fnmatch (argv[argn], name, -- FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) -- zzip_disk_cat_file (disk, name, stdout); -- free (name); -+ if (name) -+ { -+ if (! fnmatch (argv[argn], name, -+ FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) -+ zzip_disk_cat_file (disk, name, stdout); -+ free (name); -+ } - } - } - return 0; -Index: zziplib-0.13.62/zzip/fseeko.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/fseeko.c -+++ zziplib-0.13.62/zzip/fseeko.c -@@ -300,7 +300,8 @@ zzip_entry_findfirst(FILE * disk) - * central directory was written directly before : */ - root = mapoffs - rootsize; - } -- } else if (zzip_disk64_trailer_check_magic(p)) -+ } else if ((p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize) -+ && zzip_disk64_trailer_check_magic(p)) - { - struct zzip_disk64_trailer *trailer = - (struct zzip_disk64_trailer *) p; diff --git a/zziplib.changes b/zziplib.changes index 826eef9..1ec93dd 100644 --- a/zziplib.changes +++ b/zziplib.changes @@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Tue Jan 23 20:18:19 UTC 2018 - tchvatal@suse.com + +- Drop tests as they fail completely anyway, not finding lib needing + zip command, this should allow us to kill python dependency +- Also drop docs subdir avoiding python dependency for it + * The generated xmls were used for mans too but we shipped those + only in devel pkg and as such we will live without them + +------------------------------------------------------------------- +Tue Jan 23 20:03:01 UTC 2018 - tchvatal@suse.com + +- Version update to 0.13.67: + * Various fixes found by fuzzing + * Merged bellow patches +- Remove merged patches: + * zziplib-CVE-2017-5974.patch + * zziplib-CVE-2017-5975.patch + * zziplib-CVE-2017-5976.patch + * zziplib-CVE-2017-5978.patch + * zziplib-CVE-2017-5979.patch + * zziplib-CVE-2017-5981.patch +- Switch to github tarball as upstream seem no longer pull it to + sourceforge +- Remove no longer applying patch zziplib-unzipcat-NULL-name.patch + * The sourcecode was quite changed for this to work this way + anymore, lets hope this is fixed too + ------------------------------------------------------------------- Wed Nov 1 12:37:02 UTC 2017 - mpluskal@suse.com diff --git a/zziplib.spec b/zziplib.spec index 0a00364..e15c293 100644 --- a/zziplib.spec +++ b/zziplib.spec @@ -1,7 +1,7 @@ # # spec file for package zziplib # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,32 +18,23 @@ %define lname libzzip-0-13 Name: zziplib -Version: 0.13.62 +Version: 0.13.67 Release: 0 Summary: Free Zip Compression Library with an Easy-to-Use API License: LGPL-2.1+ Group: System/Libraries Url: http://zziplib.sourceforge.net -Source0: http://prdownloads.sourceforge.net/zziplib/%{name}-%{version}.tar.bz2 +Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz Source2: baselibs.conf Patch0: zziplib-0.13.62.patch Patch1: zziplib-0.13.62-wronglinking.patch Patch2: zziplib-largefile.patch -Patch3: zziplib-CVE-2017-5974.patch -Patch4: zziplib-CVE-2017-5975.patch -Patch5: zziplib-CVE-2017-5976.patch -Patch6: zziplib-CVE-2017-5978.patch -Patch7: zziplib-CVE-2017-5979.patch -Patch8: zziplib-unzipcat-NULL-name.patch -Patch9: zziplib-CVE-2017-5981.patch BuildRequires: autoconf BuildRequires: automake -BuildRequires: dos2unix BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: xmlto -BuildRequires: pkgconfig(python2) BuildRequires: pkgconfig(zlib) %description @@ -75,13 +66,8 @@ ZZipLib. %patch0 %patch1 %patch2 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +# do not bother with html docs saving us python2 dependency +sed -i -e 's:docs ::g' Makefile.am %build autoreconf -fiv @@ -94,31 +80,25 @@ make %{?_smp_mflags} %install %make_install -# Fix wrong encoding -dos2unix docs/README.MSVC6 -dos2unix docs/sdocbook.css rm -f docs/Make* docs/zziplib-manpages.ar find %{buildroot} -type f -name "*.la" -delete -print %fdupes %{buildroot} -%check -make %{?_smp_mflags} check || exit 0 - %post -n %{lname} -p /sbin/ldconfig %postun -n %{lname} -p /sbin/ldconfig %files -n %{lname} +%license COPYING.LIB %{_libdir}/libzzip*.so.* %files devel -%doc docs/README* docs/* ChangeLog README TODO +%doc docs/README* ChangeLog README TODO %{_bindir}/unzzip* %{_bindir}/zz* %{_bindir}/unzip-mem %{_libdir}/libzzip*.so %{_includedir}/* %{_libdir}/pkgconfig/*.pc -%{_mandir}/man3/* %{_datadir}/aclocal/*.m4 %changelog