From e108057de1f461b39ed8dcf89c12fca58329c1087dbfef3d487d64f7d6ec9286 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Fri, 13 Dec 2019 17:11:29 +0000
Subject: [PATCH] Accepting request 756853 from home:jmoellers:branches:devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/756853
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=46
---
 CVE-2018-7725.patch | 8 ++++++++
 bsc1154002-prevent-unnecessary-perror.patch | 13 +++++++++++++
 zziplib.changes | 9 +++++++++
 zziplib.spec | 2 ++
 4 files changed, 32 insertions(+)
 create mode 100644 bsc1154002-prevent-unnecessary-perror.patch

diff --git a/CVE-2018-7725.patch b/CVE-2018-7725.patch
index c86a3e9..215f3c4 100644
--- a/CVE-2018-7725.patch
+++ b/CVE-2018-7725.patch
@@ -17,6 +17,14 @@ Index: zziplib-0.13.69/zzip/memdisk.c
 * If the file is uncompressed, zz_csize and zz_usize should be the same
 * If they are not, we cannot guarantee that either is correct, so ...
 */
+@@ -521,7 +529,6 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir
+ file->zlib.avail_in = zzip_mem_entry_csize(entry);
+ file->zlib.next_in = zzip_mem_entry_to_data(entry);
+
+- debug2("compressed size %i", (int) file->zlib.avail_in);
+ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
+ goto error;
+ if (file->zlib.next_in < file->buffer)
 Index: zziplib-0.13.69/zzip/zip.c
 ===================================================================
 --- zziplib-0.13.69.orig/zzip/zip.c
diff --git a/bsc1154002-prevent-unnecessary-perror.patch b/bsc1154002-prevent-unnecessary-perror.patch
new file mode 100644
index 0000000..939c01d
--- /dev/null
+++ b/bsc1154002-prevent-unnecessary-perror.patch
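Review bot: The bounds check carried in the added inner hunk, `if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)`, adds the entry's compressed size (set from `zzip_mem_entry_csize(entry)` two lines earlier) to a pointer before `next_in` itself has been compared with `file->buffer`. For a large size the sum can go past the end of the buffer, which is undefined behaviour and may wrap instead of tripping the check. Testing the lower bound first and then comparing lengths, e.g. `if (file->zlib.avail_in >= (size_t)(file->endbuf - file->zlib.next_in)) goto error;` once `next_in` is known to lie between `buffer` and `endbuf`, avoids the overflow; the field types are not visible here, so the cast is an assumption. zzip_mem_entry_fopen starts and continues outside the hunk.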
@@ -0,0 +1,13 @@
+Index: zziplib-0.13.69/bins/unzip-mem.c
+===================================================================
+--- zziplib-0.13.69.orig/bins/unzip-mem.c
++++ zziplib-0.13.69/bins/unzip-mem.c
+@@ -93,7 +93,7 @@ static void zzip_mem_entry_make(ZZIP_MEM
+ {
+ FILE* file = fopen (entry->zz_name, "wb");
+ if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); }
+- perror (entry->zz_name);
++ else perror (entry->zz_name);
+ if (status < EXIT_WARNINGS) status = EXIT_WARNINGS;
+ }
+
diff --git a/zziplib.changes b/zziplib.changes
index c0acffa..f78f858 100644
--- a/zziplib.changes
+++ b/zziplib.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Dec 13 12:28:30 UTC 2019 - Josef Möllers
+
+- Make an unconditional error message conditional by checking
+ the return value of a function call.
+ Also removed an unwanted debug output.
+ [bsc#154002, bsc1154002-prevent-unnecessary-perror.patch,
+ CVE-2018-7725.patch]
+
 -------------------------------------------------------------------
 Thu Oct 17 09:30:20 UTC 2019 - Josef Möllers
 
diff --git a/zziplib.spec b/zziplib.spec
index 4f6b5a0..ba179b4 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -34,6 +34,7 @@ Patch4: CVE-2018-7725.patch
 Patch5: CVE-2018-16548.patch
 Patch6: CVE-2018-17828.patch
 Patch7: bsc1129403-prevent-division-by-zero.patch
+Patch8: bsc1154002-prevent-unnecessary-perror.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -75,6 +76,7 @@ ZZipLib.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
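Review bot: The status bump `if (status < EXIT_WARNINGS) status = EXIT_WARNINGS;` after the new `else perror (entry->zz_name);` still runs when fopen() succeeded, so only the message became conditional. If the warning status is meant for the failure path only, bracing the else as `else { perror (entry->zz_name); if (status < EXIT_WARNINGS) status = EXIT_WARNINGS; }` would cover both. Separately, `fopen (entry->zz_name, "wb")` takes the output path straight from the archive entry, and no check for absolute paths or `..` components is visible in this hunk; since zzip_mem_entry_make starts outside the hunk, it is worth confirming the name is validated before this call. The result of `fclose (file)` on the write stream is also ignored, so a failed flush would pass without any message.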