packages/zstd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:f11af623e4ef6951aaafbb738c969f2d152ba266
Branches Tags
packages:main
..
compare: packages:75015bdddbf023680bbd4d9452eed860ccac43fe
Branches Tags
packages:main

No commits in common. "f11af623e4ef6951aaafbb738c969f2d152ba266" and "75015bdddbf023680bbd4d9452eed860ccac43fe" have entirely different histories.
f11af623e4 ... 75015bdddb

5 changed files with 5 additions and 165 deletions
Show Stats Expand all files Collapse all files

79
backport-0001-CVE-2022-4899.patch
View File

@ -1,79 +0,0 @@
From f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa Mon Sep 17 00:00:00 2001
From: Elliot Gorokhovsky <embg@fb.com>
Date: Fri, 29 Jul 2022 14:44:22 -0700
Subject: [PATCH] Disallow empty output directory
Reference:https://github.com/facebook/zstd/commit/f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa
Conflict:NA
---
programs/zstdcli.c | 18 ++++++++++++++++--
tests/cli-tests/basic/output_dir.sh | 7 +++++++
.../cli-tests/basic/output_dir.sh.stderr.exact | 2 ++
.../cli-tests/basic/output_dir.sh.stdout.exact | 2 ++
4 files changed, 27 insertions(+), 2 deletions(-)
create mode 100755 tests/cli-tests/basic/output_dir.sh
create mode 100644 tests/cli-tests/basic/output_dir.sh.stderr.exact
create mode 100644 tests/cli-tests/basic/output_dir.sh.stdout.exact
diff --git a/programs/zstdcli.c b/programs/zstdcli.c
index 239aaf4..fb87dec 100644
--- a/programs/zstdcli.c
+++ b/programs/zstdcli.c
@@ -931,9 +931,23 @@ int main(int const argCount, const char* argv[])
if (longCommandWArg(&argument, "--stream-size=")) { streamSrcSize = readSizeTFromChar(&argument); continue; }
if (longCommandWArg(&argument, "--target-compressed-block-size=")) { targetCBlockSize = readSizeTFromChar(&argument); continue; }
if (longCommandWArg(&argument, "--size-hint=")) { srcSizeHint = readSizeTFromChar(&argument); continue; }
- if (longCommandWArg(&argument, "--output-dir-flat")) { NEXT_FIELD(outDirName); continue; }
+ if (longCommandWArg(&argument, "--output-dir-flat")) {
+ NEXT_FIELD(outDirName);
+ if (strlen(outDirName) == 0) {
+ DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+ CLEAN_RETURN(1);
+ }
+ continue;
+ }
#ifdef UTIL_HAS_MIRRORFILELIST
- if (longCommandWArg(&argument, "--output-dir-mirror")) { NEXT_FIELD(outMirroredDirName); continue; }
+ if (longCommandWArg(&argument, "--output-dir-mirror")) {
+ NEXT_FIELD(outMirroredDirName);
+ if (strlen(outMirroredDirName) == 0) {
+ DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+ CLEAN_RETURN(1);
+ }
+ continue;
+ }
#endif
#ifndef ZSTD_NOTRACE
if (longCommandWArg(&argument, "--trace")) { char const* traceFile; NEXT_FIELD(traceFile); TRACE_enable(traceFile); continue; }
diff --git a/tests/cli-tests/basic/output_dir.sh b/tests/cli-tests/basic/output_dir.sh
new file mode 100755
index 0000000..a8819d2
--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+println "+ zstd -r * --output-dir-mirror=\"\""
+zstd -r * --output-dir-mirror="" && die "Should not allow empty output dir!"
+println "+ zstd -r * --output-dir-flat=\"\""
+zstd -r * --output-dir-flat="" && die "Should not allow empty output dir!"
+exit 0
diff --git a/tests/cli-tests/basic/output_dir.sh.stderr.exact b/tests/cli-tests/basic/output_dir.sh.stderr.exact
new file mode 100644
index 0000000..e12b504
--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stderr.exact
@@ -0,0 +1,2 @@
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
diff --git a/tests/cli-tests/basic/output_dir.sh.stdout.exact b/tests/cli-tests/basic/output_dir.sh.stdout.exact
new file mode 100644
index 0000000..1e478cd
--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stdout.exact
@@ -0,0 +1,2 @@
++ zstd -r * --output-dir-mirror=""
++ zstd -r * --output-dir-flat=""
--
2.33.0

65
backport-0002-CVE-2022-4899.patch
View File

@ -1,65 +0,0 @@
From e1873ad576cb478fff0e6e44ad99599cd5fd2846 Mon Sep 17 00:00:00 2001
From: Elliot Gorokhovsky <embg@fb.com>
Date: Fri, 29 Jul 2022 11:10:47 -0700
Subject: [PATCH] Fix buffer underflow for null dir1
Reference:https://github.com/facebook/zstd/commit/e1873ad576cb478fff0e6e44ad99599cd5fd2846
Conflict:NA
---
programs/util.c | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/programs/util.c b/programs/util.c
index f53eb03fbe..b874344c4d 100644
--- a/programs/util.c
+++ b/programs/util.c
@@ -870,30 +870,30 @@ static const char * trimPath(const char *pathname)
static char* mallocAndJoin2Dir(const char *dir1, const char *dir2)
{
- const size_t dir1Size = strlen(dir1);
- const size_t dir2Size = strlen(dir2);
- char *outDirBuffer, *buffer, trailingChar;
-
assert(dir1 != NULL && dir2 != NULL);
- outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
- CONTROL(outDirBuffer != NULL);
+ { const size_t dir1Size = strlen(dir1);
+ const size_t dir2Size = strlen(dir2);
+ char *outDirBuffer, *buffer;
- memcpy(outDirBuffer, dir1, dir1Size);
- outDirBuffer[dir1Size] = '\0';
+ outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
+ CONTROL(outDirBuffer != NULL);
- if (dir2[0] == '.')
- return outDirBuffer;
+ memcpy(outDirBuffer, dir1, dir1Size);
+ outDirBuffer[dir1Size] = '\0';
- buffer = outDirBuffer + dir1Size;
- trailingChar = *(buffer - 1);
- if (trailingChar != PATH_SEP) {
- *buffer = PATH_SEP;
- buffer++;
- }
- memcpy(buffer, dir2, dir2Size);
- buffer[dir2Size] = '\0';
+ if (dir2[0] == '.')
+ return outDirBuffer;
- return outDirBuffer;
+ buffer = outDirBuffer + dir1Size;
+ if (dir1Size > 0 && *(buffer - 1) != PATH_SEP) {
+ *buffer = PATH_SEP;
+ buffer++;
+ }
+ memcpy(buffer, dir2, dir2Size);
+ buffer[dir2Size] = '\0';
+
+ return outDirBuffer;
+ }
}
/* this function will return NULL if input srcFileName is not valid name for mirrored output path */

BIN
zstd-1.4.8.tar.gz Normal file
View File

Binary file not shown.

BIN
zstd-1.5.0.tar.gz
View File

Binary file not shown.

26
zstd.spec
View File

@ -1,16 +1,13 @@
%bcond_without pzstd %bcond_without pzstd
Name: zstd Name: zstd
Version: 1.5.0 Version: 1.4.8
Release: 4 Release: 1
Summary: A fast lossless compression algorithm Summary: A fast lossless compression algorithm
License: BSD and GPLv2 License: BSD and GPLv2
URL: https://github.com/facebook/zstd URL: https://github.com/facebook/zstd
Source0: https://github.com/facebook/zstd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source0: https://github.com/facebook/zstd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch6000: backport-0001-CVE-2022-4899.patch
Patch6001: backport-0002-CVE-2022-4899.patch
BuildRequires: gtest-devel gcc-c++ pkg-config BuildRequires: gtest-devel gcc-c++ pkg-config
Provides: libzstd Provides: libzstd
@ -51,7 +48,9 @@ done
%endif %endif
%check %check
make -C tests test %ifarch %{arm}
make -C tests test-zstd
%endif
%if %{with pzstd} %if %{with pzstd}
make -C contrib/pzstd test CXXFLAGS="$RPM_OPT_FLAGS -std=c++11" make -C contrib/pzstd test CXXFLAGS="$RPM_OPT_FLAGS -std=c++11"
%endif %endif
@ -88,21 +87,6 @@ install -D -m644 programs/zstd.1 %{buildroot}%{_mandir}/man1/pzstd.1
%{_mandir}/man1/*.1* %{_mandir}/man1/*.1*
%changelog %changelog
* Tue Apr 4 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 1.5.0-4
* fix CVE-2022-4899
* Thu Feb 16 2023 wangjiang <wangjiang37@h-partners.com> - 1.5.0-3
- enable check
* Tue Oct 25 2022 yanglongkang <yanglongkang@h-partners.com> - 1.5.0-2
- rebuild for next release
* Tue Dec 21 2021 shixuantong <shixuantong@huawei.com> - 1.5.0-1
- update version to 1.5.0
* Tue Mar 16 2021 shixuantong <shixuantong@huawei.com> - 1.4.8-2
- fix CVE-2021-24032
* Thu Jan 28 2021 liudabo <liudabo1@huawei.com> - 1.4.8-1 * Thu Jan 28 2021 liudabo <liudabo1@huawei.com> - 1.4.8-1
- upgrade version to 1.4.8 - upgrade version to 1.4.8