pool/zziplib
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 569981 from devel:libraries:c_c++

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/569981
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zziplib?expand=0&rev=25
This commit is contained in:
Dominique Leuenberger 2018-01-30 14:38:10 +00:00 committed by Git OBS Bridge
commit dc531973ec
11 changed files with 38 additions and 241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
v0.13.67.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1278178bdabac832da6bbf161033d890d335a2e38493c5af553ff5ce7b9b0220
size 1072276

3
zziplib-0.13.62.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1b8033f1a1fd6385f4820b01ee32d8eca818409235d22caf5119e0078c7525b
size 685770

22
zziplib-CVE-2017-5974.patch
View File

@ -1,22 +0,0 @@
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
/* override sizes/offsets with zip64 values for largefile support */
zzip_extra_zip64 *block = (zzip_extra_zip64 *)
zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
- if (block)
+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
{
- item->zz_usize = __zzip_get64(block->z_usize);
- item->zz_csize = __zzip_get64(block->z_csize);
- item->zz_offset = __zzip_get64(block->z_offset);
- item->zz_diskstart = __zzip_get32(block->z_diskstart);
+ item->zz_usize = ZZIP_GET64(block->z_usize);
+ item->zz_csize = ZZIP_GET64(block->z_csize);
+ item->zz_offset = ZZIP_GET64(block->z_offset);
+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
}
}
/* NOTE:

26
zziplib-CVE-2017-5975.patch
View File

@ -1,26 +0,0 @@
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
return 0; /* errno=ENOMEM; */
___ struct zzip_file_header *header =
zzip_disk_entry_to_file_header(disk, entry);
+ if (!header)
+ { free(item); return 0; }
/* there is a number of duplicated information in the file header
* or the disk entry block. Theoretically some part may be missing
* that exists in the other, ... but we will prefer the disk entry.
Index: zziplib-0.13.62/zzip/mmapped.c
===================================================================
--- zziplib-0.13.62.orig/zzip/mmapped.c
+++ zziplib-0.13.62/zzip/mmapped.c
@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
(disk->buffer + zzip_disk_entry_fileoffset(entry));
if (disk->buffer > file_header || file_header >= disk->endbuf)
return 0;
+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
+ return 0;
return (struct zzip_file_header *) file_header;
}

55
zziplib-CVE-2017-5976.patch
View File

@ -1,55 +0,0 @@
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
{
void *mem = malloc(ext1 + 2);
item->zz_ext[1] = mem;
+ item->zz_extlen[1] = ext1 + 2;
memcpy(mem, ptr1, ext1);
((char *) (mem))[ext1 + 0] = 0;
((char *) (mem))[ext1 + 1] = 0;
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
{
void *mem = malloc(ext2 + 2);
item->zz_ext[2] = mem;
+ item->zz_extlen[2] = ext2 + 2;
memcpy(mem, ptr2, ext2);
((char *) (mem))[ext2 + 0] = 0;
((char *) (mem))[ext2 + 1] = 0;
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
while (1)
{
ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
- if (ext)
+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
{
+ char *endblock = (char *)ext + entry->zz_extlen[i];
+
while (*(short *) (ext->z_datatype))
{
if (datatype == zzip_extra_block_get_datatype(ext))
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
e += zzip_extra_block_headerlength;
e += zzip_extra_block_get_datasize(ext);
ext = (void *) e;
+ if (e >= endblock)
+ {
+ break;
+ }
____;
}
}
Index: zziplib-0.13.62/zzip/memdisk.h
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.h
+++ zziplib-0.13.62/zzip/memdisk.h
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
int zz_filetype; /* (from "z_filetype") */
char* zz_comment; /* zero-terminated (from "comment") */
ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
}; /* the extra blocks are NOT converted */
#define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)

31
zziplib-CVE-2017-5978.patch
View File

@ -1,31 +0,0 @@
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
* that exists in the other, ... but we will prefer the disk entry.
*/
item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
item->zz_data = zzip_file_header_to_data(header);
item->zz_flags = zzip_disk_entry_get_flags(entry);
item->zz_compr = zzip_disk_entry_get_compr(entry);
@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
int /* */ ext2 = zzip_file_header_get_extras(header);
char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- if (ext1)
+ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
{
void *mem = malloc(ext1 + 2);
item->zz_ext[1] = mem;
@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
((char *) (mem))[ext1 + 0] = 0;
((char *) (mem))[ext1 + 1] = 0;
}
- if (ext2)
+ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
{
void *mem = malloc(ext2 + 2);
item->zz_ext[2] = mem;

13
zziplib-CVE-2017-5979.patch
View File

@ -1,13 +0,0 @@
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
return 0;
/* we read out chunks of 8 KiB in the hope to match disk granularity */
___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
if (! entry)
return 0;
___ unsigned char *buffer = malloc(pagesize);

14
zziplib-CVE-2017-5981.patch
View File

@ -1,14 +0,0 @@
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
} else
continue;
- assert(0 <= root && root < mapsize);
+ if (root < 0 || root >= mapsize)
+ goto error;
if (fseeko(disk, root, SEEK_SET) == -1)
goto error;
if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)

50
zziplib-unzipcat-NULL-name.patch
View File

@ -1,50 +0,0 @@
Index: zziplib-0.13.62/bins/unzzipcat.c
===================================================================
--- zziplib-0.13.62.orig/bins/unzzipcat.c
+++ zziplib-0.13.62/bins/unzzipcat.c
@@ -91,8 +91,11 @@ main (int argc, char ** argv)
for (; entry ; entry = zzip_disk_findnext(disk, entry))
{
char* name = zzip_disk_entry_strdup_name (disk, entry);
- printf ("%s\n", name);
- free (name);
+ if (name)
+ {
+ printf ("%s\n", name);
+ free (name);
+ }
}
return 0;
}
@@ -112,10 +115,13 @@ main (int argc, char ** argv)
for (; entry ; entry = zzip_disk_findnext(disk, entry))
{
char* name = zzip_disk_entry_strdup_name (disk, entry);
- if (! fnmatch (argv[argn], name,
- FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD))
- zzip_disk_cat_file (disk, name, stdout);
- free (name);
+ if (name)
+ {
+ if (! fnmatch (argv[argn], name,
+ FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD))
+ zzip_disk_cat_file (disk, name, stdout);
+ free (name);
+ }
}
}
return 0;
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -300,7 +300,8 @@ zzip_entry_findfirst(FILE * disk)
* central directory was written directly before : */
root = mapoffs - rootsize;
}
- } else if (zzip_disk64_trailer_check_magic(p))
+ } else if ((p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize)
+ && zzip_disk64_trailer_check_magic(p))
{
struct zzip_disk64_trailer *trailer =
(struct zzip_disk64_trailer *) p;

28
zziplib.changes
View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Tue Jan 23 20:18:19 UTC 2018 - tchvatal@suse.com
- Drop tests as they fail completely anyway, not finding lib needing
zip command, this should allow us to kill python dependency
- Also drop docs subdir avoiding python dependency for it
* The generated xmls were used for mans too but we shipped those
only in devel pkg and as such we will live without them
-------------------------------------------------------------------
Tue Jan 23 20:03:01 UTC 2018 - tchvatal@suse.com
- Version update to 0.13.67:
* Various fixes found by fuzzing
* Merged bellow patches
- Remove merged patches:
* zziplib-CVE-2017-5974.patch
* zziplib-CVE-2017-5975.patch
* zziplib-CVE-2017-5976.patch
* zziplib-CVE-2017-5978.patch
* zziplib-CVE-2017-5979.patch
* zziplib-CVE-2017-5981.patch
- Switch to github tarball as upstream seem no longer pull it to
sourceforge
- Remove no longer applying patch zziplib-unzipcat-NULL-name.patch
* The sourcecode was quite changed for this to work this way
anymore, lets hope this is fixed too
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Nov 1 12:37:02 UTC 2017 - mpluskal@suse.com Wed Nov 1 12:37:02 UTC 2017 - mpluskal@suse.com

34
zziplib.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package zziplib # spec file for package zziplib
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -18,32 +18,23 @@
%define lname libzzip-0-13 %define lname libzzip-0-13
Name: zziplib Name: zziplib
Version: 0.13.62 Version: 0.13.67
Release: 0 Release: 0
Summary: Free Zip Compression Library with an Easy-to-Use API Summary: Free Zip Compression Library with an Easy-to-Use API
License: LGPL-2.1+ License: LGPL-2.1+
Group: System/Libraries Group: System/Libraries
Url: http://zziplib.sourceforge.net Url: http://zziplib.sourceforge.net
Source0: http://prdownloads.sourceforge.net/zziplib/%{name}-%{version}.tar.bz2 Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
Source2: baselibs.conf Source2: baselibs.conf
Patch0: zziplib-0.13.62.patch Patch0: zziplib-0.13.62.patch
Patch1: zziplib-0.13.62-wronglinking.patch Patch1: zziplib-0.13.62-wronglinking.patch
Patch2: zziplib-largefile.patch Patch2: zziplib-largefile.patch
Patch3: zziplib-CVE-2017-5974.patch
Patch4: zziplib-CVE-2017-5975.patch
Patch5: zziplib-CVE-2017-5976.patch
Patch6: zziplib-CVE-2017-5978.patch
Patch7: zziplib-CVE-2017-5979.patch
Patch8: zziplib-unzipcat-NULL-name.patch
Patch9: zziplib-CVE-2017-5981.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: dos2unix
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: xmlto BuildRequires: xmlto
BuildRequires: pkgconfig(python2)
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
%description %description
@ -75,13 +66,8 @@ ZZipLib.
%patch0 %patch0
%patch1 %patch1
%patch2 %patch2
%patch3 -p1 # do not bother with html docs saving us python2 dependency
%patch4 -p1 sed -i -e 's:docs ::g' Makefile.am
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build %build
autoreconf -fiv autoreconf -fiv
@ -94,31 +80,25 @@ make %{?_smp_mflags}
%install %install
%make_install %make_install
# Fix wrong encoding
dos2unix docs/README.MSVC6
dos2unix docs/sdocbook.css
rm -f docs/Make* docs/zziplib-manpages.ar rm -f docs/Make* docs/zziplib-manpages.ar
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
%fdupes %{buildroot} %fdupes %{buildroot}
%check
make %{?_smp_mflags} check || exit 0
%post -n %{lname} -p /sbin/ldconfig %post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig %postun -n %{lname} -p /sbin/ldconfig
%files -n %{lname} %files -n %{lname}
%license COPYING.LIB
%{_libdir}/libzzip*.so.* %{_libdir}/libzzip*.so.*
%files devel %files devel
%doc docs/README* docs/* ChangeLog README TODO %doc docs/README* ChangeLog README TODO
%{_bindir}/unzzip* %{_bindir}/unzzip*
%{_bindir}/zz* %{_bindir}/zz*
%{_bindir}/unzip-mem %{_bindir}/unzip-mem
%{_libdir}/libzzip*.so %{_libdir}/libzzip*.so
%{_includedir}/* %{_includedir}/*
%{_libdir}/pkgconfig/*.pc %{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
%{_datadir}/aclocal/*.m4 %{_datadir}/aclocal/*.m4
%changelog %changelog