
Accepting request 48470 from home:vuntz:branches:Base:System

OBS-URL: https://build.opensuse.org/request/show/48470
OBS-URL: https://build.opensuse.org/package/show/Base:System/gzip?expand=0&rev=12
Pavol Rusnak 2010-09-19 18:10:36 +00:00 committed by Git OBS Bridge
parent 443c3baf68
commit 8cdc6a4ecc
7 changed files with 40 additions and 54 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1d06ff9f5c523651bed3dcde6e6aa8118eee48b22534a157a2588705fa517ca3
size 813865

3
gzip-1.4.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d166cfd3da380da1bd535633e8890bfb5664f9e68870a611d1dc01a3e9f711ee
size 907411


@ -1,16 +0,0 @@
* unlzw.c (unlzw): Avoid integer overflow.
Aki Helin reported the segfault along with an input to trigger the bug.
Index: gzip-1.3.13/unlzw.c
===================================================================
--- gzip-1.3.13.orig/unlzw.c
+++ gzip-1.3.13/unlzw.c
@@ -244,7 +244,8 @@ int unlzw(in, out)
int o;
resetbuf:
- e = insize-(o = (posbits>>3));
+ o = posbits >> 3;
+ e = o <= insize ? insize - o : 0;
for (i = 0 ; i < e ; ++i) {
inbuf[i] = inbuf[i+o];


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Sun Sep 19 09:48:02 CEST 2010 - vuntz@opensuse.org
- Update to version 1.4:
+ gzip -d could segfault and/or clobber the stack, possibly
leading to arbitrary code execution. This affects x86_64 but
not 32-bit systems. This fixes CVE-2010-0001. See also
rh#554418.
+ gzip -d would fail with a CRC error for some valid inputs.
So far, the only valid input known to exhibit this failure was
compressed "from FAT filesystem (MS-DOS, OS/2, NT)". In
addition, to trigger the failure, your memcpy implementation
must copy in the "reverse" order.
- Drop gzip-CVE-2010-0001.diff: fixed upstream.
- Remove AutoReqProv: it's default now.
- Use %configure, %makeinstall, and %{_bindir}.
- Update zdiff.diff: some of the patch is upstream now. It's
unclear to me if the rest is still needed :/ So leaving it.
- Rebase zgrep.diff.
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de


@ -1,5 +1,5 @@
#
# spec file for package gzip (Version 1.3.13)
# spec file for package gzip (Version 1.4)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -21,10 +21,9 @@ Name: gzip
Url: http://www.gzip.org/
License: GPLv2+
Group: Productivity/Archiving/Compression
AutoReqProv: on
PreReq: %{install_info_prereq}
Version: 1.3.13
Release: 2
Version: 1.4
Release: 1
Summary: GNU Zip Compression Utilities
Source: %{name}-%{version}.tar.gz
Patch: zgrep.diff
@ -33,9 +32,6 @@ Patch2: zmore.diff
Patch3: non-exec-stack.diff
Patch4: http://rsync.samba.org/ftp/unpacked/rsync/patches/gzip-rsyncable.diff
Patch6: zdiff.diff
#CVE-2010-0001 integer overflow could lead to array index error in archives, compressed with
#the (LZW) compression algorithm
Patch8: gzip-CVE-2010-0001.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -44,12 +40,6 @@ Whenever possible, each file is replaced by one with the extension .gz,
while keeping the same ownership modes and access and modification
times.
Authors:
--------
Jean-loup Gailly <gzip@prep.ai.mit.edu>
%prep
%setup -q
%patch
@ -58,13 +48,11 @@ Authors:
%patch3
%patch4 -p1
%patch6
%patch8 -p1
%build
CFLAGS="$RPM_OPT_FLAGS -fomit-frame-pointer \
-W -Wall -Wno-unused-parameter -Wstrict-prototypes -Wpointer-arith"
./configure CFLAGS="$CFLAGS" \
--prefix=%{_prefix} --infodir=%{_infodir} --mandir=%{_mandir}
%configure
profile_gzip()
{
tmpfile=$(mktemp)
@ -94,18 +82,18 @@ for i in 1 2 3 4 5 6 7 8 9; do
done
%install
make DESTDIR=$RPM_BUILD_ROOT install
%makeinstall
mkdir -p $RPM_BUILD_ROOT/bin
mv $RPM_BUILD_ROOT/usr/bin/{gzip,gunzip,zcat} $RPM_BUILD_ROOT/bin
sed -i 's:/usr/bin:/bin:' $RPM_BUILD_ROOT/bin/{gunzip,zcat}
ln -sf /bin/gzip /bin/gunzip /bin/zcat $RPM_BUILD_ROOT/usr/bin
ln -sf zmore $RPM_BUILD_ROOT/usr/bin/zless
mv $RPM_BUILD_ROOT%{_bindir}/{gzip,gunzip,zcat} $RPM_BUILD_ROOT/bin
sed -i 's:%{_bindir}:/bin:' $RPM_BUILD_ROOT/bin/{gunzip,zcat}
ln -sf /bin/gzip /bin/gunzip /bin/zcat $RPM_BUILD_ROOT%{_bindir}
ln -sf zmore $RPM_BUILD_ROOT%{_bindir}/zless
ln -sf zmore.1 $RPM_BUILD_ROOT%{_mandir}/man1/zless.1
%files
%defattr(-, root, root)
/bin/*
/usr/bin/*
%{_bindir}/*
%doc README AUTHORS ChangeLog TODO NEWS THANKS
%doc %{_infodir}/*.gz
%doc %{_mandir}/man*/*.gz
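Review bot: `Source: %{name}-%{version}.tar.gz` is the only source entry visible in this section, so the new 1.4 tarball is taken on trust with no upstream signature packaged next to it. GNU releases are published with detached signatures, so the version bump is a natural place to add a second source entry such as `Source1: %{name}-%{version}.tar.gz.sig`, together with the upstream signing keyring. That would let a reviewer or a build-time check verify the archive against upstream instead of relying on the checked-in blob alone. The source number is a guess, because the spec header is only partly shown in these hunks.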


@ -2,25 +2,16 @@ Index: zdiff.in
===================================================================
--- zdiff.in.orig
+++ zdiff.in
@@ -105,15 +105,17 @@ elif test $# -eq 2; then
@@ -105,9 +105,9 @@ elif test $# -eq 2; then
5<&0
then
gzip_status=$(
- exec 4>&1
- (gzip -cdfq -- "$1" 4>&-; echo $? >&4) 3>&- |
- ( (gzip -cdfq -- "$2" 4>&-; echo $? >&4) 3>&- 5<&- </dev/null |
- eval "$cmp" /dev/fd/5 -) 5<&0
+ exec 4>&1 6<&0
+ (gzip -cdfq -- "$1" 4>&-; echo $? >&4) 3>&- 6<&- |
+ ( (gzip -cdfq -- "$2" 4>&- 0<&6 6<&-; echo $? >&4) 3>&- 5<&- </dev/null |
+ eval "$cmp" /dev/fd/5 - >&3) 5<&0
eval "$cmp" /dev/fd/5 - >&3) 5<&0
)
+ cmp_status=$?
case $gzip_status in
*[1-9]*) gzip_status=1;;
*) gzip_status=0;;
esac
+ (exit $cmp_status)
else
F=`expr "/$2" : '.*/\(.*\)[-.][zZtga]*$'` || F=$prog
tmp=
cmp_status=$?
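Review bot: zdiff.diff still begins directly at `Index: zdiff.in` with no description, and the changelog entry in this same commit says it is unclear whether the remaining part is still needed, so the patch should carry a short header explaining its purpose. Going by the inner hunk header `-105,9 +105,9`, what appears to remain is the duplication of the original stdin onto fd 6 (`exec 4>&1 6<&0` and `0<&6 6<&-` on the second gzip), while the `cmp_status` handling now seems to come from upstream. A two-line comment above `Index:` stating that, with a bug or upstream reference if one exists, would let the next update decide whether to drop the patch. The rendered section has lost its outer `+`/`-` markers, so this reading should be confirmed against the raw patch.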


@ -2,7 +2,7 @@ Index: zgrep.in
===================================================================
--- zgrep.in.orig
+++ zgrep.in
@@ -148,10 +148,18 @@ res=0
@@ -176,13 +176,21 @@ res=0
for i
do
@ -17,6 +17,9 @@ Index: zgrep.in
# Fail if gzip or grep (or sed) fails.
gzip_status=$(
exec 5>&1
if test $pat_on_stdin -eq 1; then
eval "exec $pat_fd<&0"
fi
- (gzip -cdfq -- "$i" 5>&-; echo $? >&5) 3>&- |
+ ($uncompress -cdfq -- "$i" 5>&-; echo $? >&5) 3>&- |
if test $files_with_matches -eq 1; then