testing/zlib
SHA256
3
0
Fork 0
forked from pool/zlib
Code Pull Requests Activity
fbc541705e
zlib/CVE-2023-45853.patch
Danilo Spinella fbc541705e Accepting request 1149966 from home:dspinella:branches:devel:libraries:c_c++ 
- Update to 1.3.1:
  * Reject overflows of zip header fields in minizip
  * Fix bug in inflateSync() for data held in bit buffer
  * Add LIT_MEM define to use more memory for a small deflate speedup
  * Fix decision on the emission of Zip64 end records in minizip
  * Add bounds checking to ERR_MSG() macro, used by zError()
  * Neutralize zip file traversal attacks in miniunz
  * Fix a bug in ZLIB_DEBUG compiles in check_match()
- Update pacthes:
  * CVE-2023-45853.patch
  * zlib-1.3-IBM-Z-hw-accelerated-deflate-s390x.patch

OBS-URL: https://build.opensuse.org/request/show/1149966
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=99
2024-02-26 11:03:17 +00:00

39 lines
1.6 KiB
Diff
Raw Blame History

From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001
From: Hans Wennborg <hans@chromium.org>
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] minizip: Check length of comment, filename, and extra field,
in zipOpenNewFileInZip4_64
These are stored in 16-bit fields in the zip file format. Passing longer
values would generate an invalid file.
Passing very long values could also cause the computation of
zi->ci.size_centralheader to overflow, which would cause heap buffer
overflow on subsequent writes to zi->ci.central_header.
---
contrib/minizip/zip.c | 11 +++++++++++
1 file changed, 11 insertions(+)
Index: zlib-1.3.1/contrib/minizip/zip.c
===================================================================
--- zlib-1.3.1.orig/contrib/minizip/zip.c
+++ zlib-1.3.1/contrib/minizip/zip.c
@@ -1054,6 +1054,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_
if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
return ZIP_PARAMERROR;
+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
zi = (zip64_internal*)file;
if (zi->in_opened_file_inzip == 1)
View Git Blame Copy Permalink