Accepting request 756853 from home:jmoellers:branches:devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/756853 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=46
2019-12-13 17:11:29 +00:00 · 2019-12-13 17:11:29 +00:00 · e108057de1
commit e108057de1
parent 833822ca9d
4 changed files with 32 additions and 0 deletions
--- a/CVE-2018-7725.patch
+++ b/CVE-2018-7725.patch
@ -17,6 +17,14 @@ Index: zziplib-0.13.69/zzip/memdisk.c
      * If the file is uncompressed, zz_csize and zz_usize should be the same
      * If they are not, we cannot guarantee that either is correct, so ...
      */
+@@ -521,7 +529,6 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir
+     file->zlib.avail_in = zzip_mem_entry_csize(entry);
+     file->zlib.next_in = zzip_mem_entry_to_data(entry);
+ 
+-    debug2("compressed size %i", (int) file->zlib.avail_in);
+     if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
+          goto error;
+     if (file->zlib.next_in < file->buffer)
 Index: zziplib-0.13.69/zzip/zip.c
 ===================================================================
 --- zziplib-0.13.69.orig/zzip/zip.c
--- a/bsc1154002-prevent-unnecessary-perror.patch
+++ b/bsc1154002-prevent-unnecessary-perror.patch
@ -0,0 +1,13 @@
+Index: zziplib-0.13.69/bins/unzip-mem.c
+===================================================================
+--- zziplib-0.13.69.orig/bins/unzip-mem.c
+++ zziplib-0.13.69/bins/unzip-mem.c
+@@ -93,7 +93,7 @@ static void zzip_mem_entry_make(ZZIP_MEM
+ {
+     FILE* file = fopen (entry->zz_name, "wb");
+     if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); }
+-    perror (entry->zz_name);
+    else perror (entry->zz_name);
+     if (status < EXIT_WARNINGS) status = EXIT_WARNINGS;
+ }
+ 
--- a/zziplib.changes
+++ b/zziplib.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Dec 13 12:28:30 UTC 2019 - Josef Möllers <josef.moellers@suse.com>
+
+- Make an unconditional error message conditional by checking
+  the return value of a function call.
+  Also removed an unwanted debug output.
+  [bsc#154002, bsc1154002-prevent-unnecessary-perror.patch,
+  CVE-2018-7725.patch]
+
 -------------------------------------------------------------------
 Thu Oct 17 09:30:20 UTC 2019 - Josef Möllers <josef.moellers@suse.com>

--- a/zziplib.spec
+++ b/zziplib.spec
@ -34,6 +34,7 @@ Patch4:         CVE-2018-7725.patch
 Patch5:         CVE-2018-16548.patch
 Patch6:         CVE-2018-17828.patch
 Patch7:         bsc1129403-prevent-division-by-zero.patch
+Patch8:         bsc1154002-prevent-unnecessary-perror.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@ -75,6 +76,7 @@ ZZipLib.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am