Accepting request 30400 from Base:System

Copy from Base:System/gzip based on submit request 30400 from user mseben OBS-URL: https://build.opensuse.org/request/show/30400 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gzip?expand=0&rev=13
2010-01-29 14:00:15 +00:00 · 2010-01-29 14:00:15 +00:00 · c7c6ba1ff6
commit c7c6ba1ff6
parent 89554c6fe1
12 changed files with 112 additions and 88 deletions
--- a/futimens.diff
+++ b/futimens.diff
@ -1,38 +0,0 @@
--- gzip.c
-+++ gzip.c
-@@ -1639,7 +1639,7 @@
- 	}
-       }
- 
-    if (futimens (ofd, ofname, timespec) != 0)
-+    if (gl_futimens (ofd, ofname, timespec) != 0)
-       {
- 	int e = errno;
- 	WARN ((stderr, "%s: ", program_name));
--- lib/utimens.c
-+++ lib/utimens.c
-@@ -75,8 +75,8 @@
-    Return 0 on success, -1 (setting errno) on failure.  */
- 
- int
-futimens (int fd ATTRIBUTE_UNUSED,
-	  char const *file, struct timespec const timespec[2])
-+gl_futimens (int fd ATTRIBUTE_UNUSED,
-+	     char const *file, struct timespec const timespec[2])
- {
-   /* Some Linux-based NFS clients are buggy, and mishandle time stamps
-      of files in NFS file systems in some cases.  We have no
-@@ -185,5 +185,5 @@
- int
- utimens (char const *file, struct timespec const timespec[2])
- {
-  return futimens (-1, file, timespec);
-+  return gl_futimens (-1, file, timespec);
- }
--- lib/utimens.h
-+++ lib/utimens.h
-@@ -1,3 +1,3 @@
- #include <time.h>
-int futimens (int, char const *, struct timespec const [2]);
-+int gl_futimens (int, char const *, struct timespec const [2]);
- int utimens (char const *, struct timespec const [2]);
--- a/gzip-1.3.12.tar.gz
+++ b/gzip-1.3.12.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3f565be05f7f3d1aff117c030eb7c738300510b7d098cedea796ca8e4cd587af
-size 462169
--- a/gzip-1.3.13.tar.gz
+++ b/gzip-1.3.13.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d06ff9f5c523651bed3dcde6e6aa8118eee48b22534a157a2588705fa517ca3
+size 813865
--- a/gzip-CVE-2010-0001.diff
+++ b/gzip-CVE-2010-0001.diff
@ -0,0 +1,16 @@
+* unlzw.c (unlzw): Avoid integer overflow.
+Aki Helin reported the segfault along with an input to trigger the bug.
+Index: gzip-1.3.13/unlzw.c
+===================================================================
+--- gzip-1.3.13.orig/unlzw.c
+++ gzip-1.3.13/unlzw.c
+@@ -244,7 +244,8 @@ int unlzw(in, out)
+ 	int  o;
+ 
+     resetbuf:
+-	e = insize-(o = (posbits>>3));
+        o = posbits >> 3;
+        e = o <= insize ? insize - o : 0;
+ 
+ 	for (i = 0 ; i < e ; ++i) {
+ 	    inbuf[i] = inbuf[i+o];
--- a/gzip-rsyncable.diff
+++ b/gzip-rsyncable.diff
@ -5,9 +5,11 @@ tried out in the default gzip for Debian Sarge, and may go into the
 upstream gzip at somepoint in the not-too-distant future.

 ================================================================================
--- gzip-1.3.12/deflate.c
-+++ gzip-1.3.12/deflate.c
-@@ -135,6 +135,14 @@ static char rcsid[] = "$Id: deflate.c,v
+Index: gzip-1.3.13/deflate.c
+===================================================================
+--- gzip-1.3.13.orig/deflate.c
+++ gzip-1.3.13/deflate.c
+@@ -131,6 +131,14 @@
 #endif
 /* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
 
@ -22,7 +24,7 @@ upstream gzip at somepoint in the not-too-distant future.
 /* ===========================================================================
  * Local data used by the "longest match" routines.
  */
-@@ -216,6 +224,8 @@ local int compr_level;
+@@ -212,6 +220,8 @@ local int compr_level;
 unsigned near good_match;
 /* Use a faster search when the previous match is longer than this */
 
@ -31,7 +33,7 @@ upstream gzip at somepoint in the not-too-distant future.
 
 /* Values for max_lazy_match, good_match and max_chain_length, depending on
  * the desired pack level (0..9). The values given below have been tuned to
-@@ -314,6 +324,10 @@ void lm_init (pack_level, flags)
+@@ -310,6 +320,10 @@ void lm_init (pack_level, flags)
 #endif
     /* prev will be initialized on the fly */
 
@ -42,7 +44,7 @@ upstream gzip at somepoint in the not-too-distant future.
     /* Set the default configuration parameters:
      */
     max_lazy_match   = configuration_table[pack_level].max_lazy;
-@@ -550,6 +564,8 @@ local void fill_window()
+@@ -546,6 +560,8 @@ local void fill_window()
         memcpy((char*)window, (char*)window+WSIZE, (unsigned)WSIZE);
         match_start -= WSIZE;
         strstart    -= WSIZE; /* we now have strstart >= MAX_DIST: */
@ -51,7 +53,7 @@ upstream gzip at somepoint in the not-too-distant future.
 
         block_start -= (long) WSIZE;
 
-@@ -577,13 +593,46 @@ local void fill_window()
+@@ -573,13 +589,46 @@ local void fill_window()
     }
 }
 
@ -99,7 +101,7 @@ upstream gzip at somepoint in the not-too-distant future.
 
 /* ===========================================================================
  * Processes a new input file and return its compressed length. This
-@@ -594,7 +643,7 @@ local void fill_window()
+@@ -590,7 +639,7 @@ local void fill_window()
 local off_t deflate_fast()
 {
     IPos hash_head; /* head of the hash chain */
@ -108,7 +110,7 @@ upstream gzip at somepoint in the not-too-distant future.
     unsigned match_length = 0;  /* length of best match */
 
     prev_length = MIN_MATCH-1;
-@@ -624,6 +673,7 @@ local off_t deflate_fast()
+@@ -620,6 +669,7 @@ local off_t deflate_fast()
 
             lookahead -= match_length;
 
@ -116,7 +118,7 @@ upstream gzip at somepoint in the not-too-distant future.
 	    /* Insert new strings in the hash table only if the match length
              * is not too large. This saves time but degrades compression.
              */
-@@ -652,9 +702,14 @@ local off_t deflate_fast()
+@@ -648,9 +698,14 @@ local off_t deflate_fast()
             /* No match, output a literal byte */
             Tracevv((stderr,"%c",window[strstart]));
             flush = ct_tally (0, window[strstart]);
@ -131,7 +133,7 @@ upstream gzip at somepoint in the not-too-distant future.
         if (flush) FLUSH_BLOCK(0), block_start = strstart;
 
         /* Make sure that we always have enough lookahead, except
-@@ -728,6 +783,7 @@ off_t deflate()
+@@ -724,6 +779,7 @@ off_t deflate()
              */
             lookahead -= prev_length-1;
             prev_length -= 2;
@ -139,7 +141,7 @@ upstream gzip at somepoint in the not-too-distant future.
             do {
                 strstart++;
                 INSERT_STRING(strstart, hash_head);
-@@ -740,24 +796,39 @@ off_t deflate()
+@@ -736,24 +792,39 @@ off_t deflate()
             match_available = 0;
             match_length = MIN_MATCH-1;
             strstart++;
@ -183,9 +185,11 @@ upstream gzip at somepoint in the not-too-distant future.
             strstart++;
             lookahead--;
         }
--- gzip-1.3.12/doc/gzip.texi
-+++ gzip-1.3.12/doc/gzip.texi
-@@ -350,6 +350,14 @@ specified on the command line are direct
+Index: gzip-1.3.13/doc/gzip.texi
+===================================================================
+--- gzip-1.3.13.orig/doc/gzip.texi
+++ gzip-1.3.13/doc/gzip.texi
+@@ -353,6 +353,14 @@ specified on the command line are direct
 into the directory and compress all the files it finds there (or
 decompress them in the case of @command{gunzip}).
 
@ -200,17 +204,19 @@ upstream gzip at somepoint in the not-too-distant future.
 @item --suffix @var{suf}
 @itemx -S @var{suf}
 Use suffix @var{suf} instead of @samp{.gz}.  Any suffix can be
--- gzip-1.3.12/gzip.c
-+++ gzip-1.3.12/gzip.c
-@@ -231,6 +231,7 @@ int  ofd;                  /* output fil
+Index: gzip-1.3.13/gzip.c
+===================================================================
+--- gzip-1.3.13.orig/gzip.c
+++ gzip-1.3.13/gzip.c
+@@ -229,6 +229,7 @@ int  ofd;                  /* output fil
 unsigned insize;           /* valid bytes in inbuf */
 unsigned inptr;            /* index of next byte to be processed in inbuf */
 unsigned outcnt;           /* bytes in output buffer */
 +int rsync = 0;             /* make ryncable chunks */
 
- struct option longopts[] =
- {
-@@ -260,6 +261,7 @@ struct option longopts[] =
+ static int handled_sig[] =
+   {
+@@ -282,6 +283,7 @@ struct option longopts[] =
     {"best",       0, 0, '9'}, /* compress better */
     {"lzw",        0, 0, 'Z'}, /* make output compatible with old compress */
     {"bits",       1, 0, 'b'}, /* max number of bits per code (implies -Z) */
@ -218,7 +224,7 @@ upstream gzip at somepoint in the not-too-distant future.
     { 0, 0, 0, 0 }
 };
 
-@@ -341,6 +343,7 @@ local void help()
+@@ -363,6 +365,7 @@ local void help()
  "  -Z, --lzw         produce output compatible with old compress",
  "  -b, --bits=BITS   max number of bits per code (implies -Z)",
 #endif
@ -226,7 +232,7 @@ upstream gzip at somepoint in the not-too-distant future.
  "",
  "With no FILE, or when FILE is -, read standard input.",
  "",
-@@ -469,6 +472,9 @@ int main (argc, argv)
+@@ -493,6 +496,9 @@ int main (argc, argv)
 	    recursive = 1;
 #endif
 	    break;
@ -236,8 +242,10 @@ upstream gzip at somepoint in the not-too-distant future.
 	case 'S':
 #ifdef NO_MULTIPLE_DOTS
             if (*optarg == '.') optarg++;
--- gzip-1.3.12/gzip.h
-+++ gzip-1.3.12/gzip.h
+Index: gzip-1.3.13/gzip.h
+===================================================================
+--- gzip-1.3.13.orig/gzip.h
+++ gzip-1.3.13/gzip.h
@@ -158,6 +158,7 @@ EXTERN(uch, window);         /* Sliding
 extern unsigned insize; /* valid bytes in inbuf */
 extern unsigned inptr;  /* index of next byte to be processed in inbuf */
@ -255,8 +263,10 @@ upstream gzip at somepoint in the not-too-distant future.
 
         /* in bits.c */
 void     bi_init    OF((file_t zipfile));
--- gzip-1.3.12/trees.c
-+++ gzip-1.3.12/trees.c
+Index: gzip-1.3.13/trees.c
+===================================================================
+--- gzip-1.3.13.orig/trees.c
+++ gzip-1.3.13/trees.c
@@ -59,12 +59,13 @@
  *      void ct_tally (int dist, int lc);
  *          Save the match info and tally the frequency counts.
@ -275,7 +285,7 @@ upstream gzip at somepoint in the not-too-distant future.
 
 #include <config.h>
 #include <ctype.h>
-@@ -860,9 +861,10 @@ local void send_all_trees(lcodes, dcodes
+@@ -856,9 +857,10 @@ local void send_all_trees(lcodes, dcodes
  * trees or store, and output the encoded block to the zip file. This function
  * returns the total compressed length for the file so far.
  */
@ -287,7 +297,7 @@ upstream gzip at somepoint in the not-too-distant future.
     int eof;          /* true if this is the last block for a file */
 {
     ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
-@@ -955,6 +957,10 @@ off_t flush_block(buf, stored_len, eof)
+@@ -951,6 +953,10 @@ off_t flush_block(buf, stored_len, eof)
         Assert (input_len == bytes_in, "bad input size");
         bi_windup();
         compressed_len += 7;  /* align on byte boundary */
--- a/gzip.changes
+++ b/gzip.changes
@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Jan 19 15:26:41 UTC 2010 - mseben@novell.com
+
+- updated to 1.3.13
+  - gzip interprets an argument of "-" as indicating stdin, but when
+    "-" is not the first name on the command line, it doesn't work.
+  - remove useless if-before-free tests 
+  - remove useless casts to avoid "make syntax-check" failures
+  - avoid spurious warnings from clang
+  - avoid a leak on a error path
+  - don't misinterpret a failing test as successful
+  - avoid creating an undersized buffer for the hufts table
+    A malformed input file can cause gzip to crash with a segmentation
+    violation or hang in an endless loop.
+  - avoid silent data loss e.g., on NFS, due to unchecked close of stdout
+  - build require automake-1.11 and produce xz-compressed tarballs, too
+- deprecated futimens.diff and CVE-2009-2624.diff
+
+-------------------------------------------------------------------
+Thu Jan 14 17:17:49 UTC 2010 - mseben@novell.com
+
+- added gzip-CVE-2009-2624.diff and gzip-CVE-2010-0001.diff  : fix
+  possible denial of service and arbitrary code execution
+
 -------------------------------------------------------------------
 Sun Dec  6 18:57:34 CET 2009 - jengelh@medozas.de

--- a/gzip.spec
+++ b/gzip.spec
@ -1,5 +1,5 @@
 #
-# spec file for package gzip (Version 1.3.12)
+# spec file for package gzip (Version 1.3.13)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -23,8 +23,8 @@ License:        GPLv2+
 Group:          Productivity/Archiving/Compression
 AutoReqProv:    on
 PreReq:         %{install_info_prereq}
-Version:        1.3.12
-Release:        100
+Version:        1.3.13
+Release:        1
 Summary:        GNU Zip Compression Utilities
 Source:         %{name}-%{version}.tar.gz
 Patch:          zgrep.diff
@ -32,8 +32,10 @@ Patch1:         tempfile.diff
 Patch2:         zmore.diff
 Patch3:         non-exec-stack.diff
 Patch4:         http://rsync.samba.org/ftp/unpacked/rsync/patches/gzip-rsyncable.diff
-Patch5:         futimens.diff
 Patch6:         zdiff.diff
+#CVE-2010-0001 integer overflow could lead to array index error in  archives, compressed with
+#the (LZW) compression algorithm
+Patch8:         gzip-CVE-2010-0001.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -55,8 +57,8 @@ Authors:
 %patch2
 %patch3
 %patch4 -p1
-%patch5
 %patch6
+%patch8 -p1

 %build
 CFLAGS="$RPM_OPT_FLAGS -fomit-frame-pointer \
@ -104,7 +106,7 @@ ln -sf zmore.1 $RPM_BUILD_ROOT%{_mandir}/man1/zless.1
 %defattr(-, root, root)
 /bin/*
 /usr/bin/*
-%doc README README-alpha AUTHORS ChangeLog TODO NEWS THANKS
+%doc README AUTHORS ChangeLog TODO NEWS THANKS
 %doc %{_infodir}/*.gz
 %doc %{_mandir}/man*/*.gz

--- a/non-exec-stack.diff
+++ b/non-exec-stack.diff
@ -1,6 +1,8 @@
--- lib/match.c
+Index: lib/match.c
+===================================================================
+--- lib/match.c.orig
 +++ lib/match.c
-@@ -770,3 +770,4 @@
+@@ -770,3 +770,4 @@ match_init:
 # endif /* __ia64__ */
 #endif /* mc68000 || mc68020 */
 #endif /* i386 || _I386   */
--- a/tempfile.diff
+++ b/tempfile.diff
@ -1,6 +1,8 @@
--- znew.in
+Index: znew.in
+===================================================================
+--- znew.in.orig
 +++ znew.in
-@@ -55,8 +55,9 @@
+@@ -59,8 +59,9 @@ block=1024
 # block is the disk block size (best guess, need not be exact)
 
 warn="(does not preserve modes and timestamp)"
@ -12,7 +14,7 @@
 echo hi > $tmp || exit
 if test -z "`(${CPMOD-cpmod} $tmp $tmp) 2>&1`"; then
   cpmod=${CPMOD-cpmod}
-@@ -72,7 +73,8 @@
+@@ -76,7 +77,8 @@ fi
 # check if GZIP env. variable uses -S or --suffix
 gzip -q $tmp
 ext=`echo $tmp* | sed "s|$tmp||"`
--- a/zdiff.diff
+++ b/zdiff.diff
@ -1,6 +1,8 @@
--- zdiff.in
+Index: zdiff.in
+===================================================================
+--- zdiff.in.orig
 +++ zdiff.in
-@@ -101,15 +101,17 @@ elif test $# -eq 2; then
+@@ -105,15 +105,17 @@ elif test $# -eq 2; then
 				5<&0
 		    then
 			gzip_status=$(
--- a/zgrep.diff
+++ b/zgrep.diff
@ -1,6 +1,8 @@
--- zgrep.in
+Index: zgrep.in
+===================================================================
+--- zgrep.in.orig
 +++ zgrep.in
-@@ -149,10 +149,18 @@
+@@ -148,10 +148,18 @@ res=0
 
 for i
 do
--- a/zmore.diff
+++ b/zmore.diff
@ -1,6 +1,8 @@
--- zmore.in
+Index: zmore.in
+===================================================================
+--- zmore.in.orig
 +++ zmore.in
-@@ -52,11 +52,33 @@
+@@ -55,11 +55,33 @@ else
    trap 'stty $ncb echo 2>/dev/null; exit' 0 2 3 5 10 13 15
 fi
 
@ -35,7 +37,7 @@
     fi
 else
     FIRST=1
-@@ -80,7 +102,7 @@
+@@ -83,7 +105,7 @@ else
 	fi
 	if test "$ANS" != 's'; then
 		echo "------> $FILE <------"