packages/zziplib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:aca266462ad5312e8569addfae25dfc4ab2cb7e7
Branches Tags
packages:main
..
compare: packages:811c698b69e8adc39f954c5a804cc9210c7e9752
Branches Tags
packages:main

No commits in common. "aca266462ad5312e8569addfae25dfc4ab2cb7e7" and "811c698b69e8adc39f954c5a804cc9210c7e9752" have entirely different histories.
aca266462a ... 811c698b69

16 changed files with 518 additions and 306 deletions
Show Stats Expand all files Collapse all files

76
CVE-2018-16548-1.patch Normal file
View File

@ -0,0 +1,76 @@
From b6ce8a1ca9442f89fae3482921fadc928ecbbb05 Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 11:32:04 +0200
Subject: [PATCH 1/3] Avoid memory leak from __zzip_parse_root_directory().
(cherry picked from commit 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb)
https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
Signed-off-by: Yufa Fang <fangyufa1@huawei.com>
---
zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++--
1 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/zzip/zip.c b/zzip/zip.c
index 14e2e06..8318463 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd,
} else
{
if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+ {
+ free(hdr0);
return ZZIP_DIR_SEEK;
+ }
if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+ {
+ free(hdr0);
return ZZIP_DIR_READ;
+ }
d = &dirent;
}
@@ -574,12 +580,38 @@ __zzip_parse_root_directory(int fd,
if (hdr_return)
*hdr_return = hdr0;
+ else
+ {
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
+ free(hdr0);
+ /* Make sure we don't free it again in case of error */
+ hdr0 = NULL;
+ }
} /* else zero (sane) entries */
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+ if (entries != zz_entries)
+ {
+ /* If it was assigned to *hdr_return, undo assignment */
+ if (p_reclen && hdr_return)
+ *hdr_return = NULL;
+ /* Free it, if it was not already free()'d */
+ if (hdr0 != NULL)
+ free(hdr0);
+ return ZZIP_CORRUPTED;
+ }
# else
- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+ if (((entries & (unsigned)0xFFFF) != zz_entries)
+ {
+ /* If it was assigned to *hdr_return, undo assignment */
+ if (p_reclen && hdr_return)
+ *hdr_return = NULL;
+ /* Free it, if it was not already free()'d */
+ if (hdr0 != NULL)
+ free(hdr0);
+ return ZZIP_CORRUPTED;
+ }
# endif
+ return 0;
}
/* ------------------------- high-level interface ------------------------- */
--
2.19.1

56
CVE-2018-16548-2.patch Normal file
View File

@ -0,0 +1,56 @@
From e8d90fe7525c177f0c28f6843f2a25da2e6e5045 Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 11:49:28 +0200
Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory().
(cherry picked from commit d2e5d5c53212e54a97ad64b793a4389193fec687)
https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687
Signed-off-by: Yufa Fang <fangyufa1@huawei.com>
---
zzip/zip.c | 25 ++-----------------------
1 file changed, 2 insertions(+), 23 deletions(-)
diff --git a/zzip/zip.c b/zzip/zip.c
index 8318463..79fd9ad 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -584,34 +584,13 @@ __zzip_parse_root_directory(int fd,
{
/* If it is not assigned to *hdr_return, it will never be free()'d */
free(hdr0);
- /* Make sure we don't free it again in case of error */
- hdr0 = NULL;
}
} /* else zero (sane) entries */
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
- if (entries != zz_entries)
- {
- /* If it was assigned to *hdr_return, undo assignment */
- if (p_reclen && hdr_return)
- *hdr_return = NULL;
- /* Free it, if it was not already free()'d */
- if (hdr0 != NULL)
- free(hdr0);
- return ZZIP_CORRUPTED;
- }
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
# else
- if (((entries & (unsigned)0xFFFF) != zz_entries)
- {
- /* If it was assigned to *hdr_return, undo assignment */
- if (p_reclen && hdr_return)
- *hdr_return = NULL;
- /* Free it, if it was not already free()'d */
- if (hdr0 != NULL)
- free(hdr0);
- return ZZIP_CORRUPTED;
- }
+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
# endif
- return 0;
}
/* ------------------------- high-level interface ------------------------- */
--
2.19.1

28
CVE-2018-16548-3.patch Normal file
View File

@ -0,0 +1,28 @@
From a37ce0d441050356efc5fcaa48e1cdcf21a6b8e1 Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 13:55:35 +0200
Subject: [PATCH 3/3] One more free() to avoid memory leak.
(cherry picked from commit 0e1dadb05c1473b9df2d7b8f298dab801778ef99)
https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99
Signed-off-by: Yufa Fang <fangyufa1@huawei.com>
---
zzip/zip.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/zzip/zip.c b/zzip/zip.c
index 79fd9ad..f97a40a 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -586,6 +586,8 @@ __zzip_parse_root_directory(int fd,
free(hdr0);
}
} /* else zero (sane) entries */
+ else
+ free(hdr0);
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
# else
--
2.19.1

345
CVE-2018-17828.patch Normal file
View File

@ -0,0 +1,345 @@
From 81dfa6b3e08f6934885ba5c98939587d6850d08e Mon Sep 17 00:00:00 2001
From: Josef Moellers <jmoellers@suse.de>
Date: Thu, 4 Oct 2018 14:21:48 +0200
Subject: [PATCH] Fix issue #62: Remove any "../" components from pathnames of
extracted files. [CVE-2018-17828]
https://github.com/gdraheim/zziplib/commit/f609ae8971f3c0ce64d38276b778001d0bbfc84b
---
bins/unzzipcat-big.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
bins/unzzipcat-mem.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
bins/unzzipcat-mix.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
bins/unzzipcat-zip.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 224 insertions(+), 4 deletions(-)
diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c
index 982d262..88c4d65 100644
--- a/bins/unzzipcat-big.c
+++ b/bins/unzzipcat-big.c
@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -70,6 +112,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c
index 9bc966b..793bde8 100644
--- a/bins/unzzipcat-mem.c
+++ b/bins/unzzipcat-mem.c
@@ -58,6 +58,48 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -75,6 +117,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -84,7 +136,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)
diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c
index 91c2f00..73b6ed6 100644
--- a/bins/unzzipcat-mix.c
+++ b/bins/unzzipcat-mix.c
@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -86,6 +128,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)
diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c
index 2810f85..7f7f3fa 100644
--- a/bins/unzzipcat-zip.c
+++ b/bins/unzzipcat-zip.c
@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
}
}
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ * Also, "path" is not used after creating it.
+ * So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+ char *dotdotslash;
+ int warned = 0;
+
+ dotdotslash = path;
+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+ {
+ /*
+ * Remove only if at the beginning of the pathname ("../path/name")
+ * or when preceded by a slash ("path/../name"),
+ * otherwise not ("path../name..")!
+ */
+ if (dotdotslash == path || dotdotslash[-1] == '/')
+ {
+ char *src, *dst;
+ if (!warned)
+ {
+ /* Note: the first time through the pathname is still intact */
+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+ warned = 1;
+ }
+ /* We cannot use strcpy(), as there "The strings may not overlap" */
+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+ ;
+ }
+ else
+ dotdotslash +=3; /* skip this instance to prevent infinite loop */
+ }
+}
+
static void makedirs(const char* name)
{
char* p = strrchr(name, '/');
@@ -86,6 +128,16 @@ static void makedirs(const char* name)
static FILE* create_fopen(char* name, char* mode, int subdirs)
{
+ char *name_stripped;
+ FILE *fp;
+ int mustfree = 0;
+
+ if ((name_stripped = strdup(name)) != NULL)
+ {
+ remove_dotdotslash(name_stripped);
+ name = name_stripped;
+ mustfree = 1;
+ }
if (subdirs)
{
char* p = strrchr(name, '/');
@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
free (dir_name);
}
}
- return fopen(name, mode);
+ fp = fopen(name, mode);
+ if (mustfree)
+ free(name_stripped);
+ return fp;
}
static int unzzip_cat (int argc, char ** argv, int extract)
--
2.19.1

26
backport-0001-CVE-2020-18442.patch
View File

@ -1,26 +0,0 @@
From ac9ae39ef419e9f0f83da1e583314d8c7cda34a6 Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:48:45 +0100
Subject: [PATCH 01/35] #68 ssize_t return value of zzip_file_read is a signed
value being possibly -1
---
bins/unzzipcat-zip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c
index dd78c2b..385aeaf 100644
--- a/bins/unzzipcat-zip.c
+++ b/bins/unzzipcat-zip.c
@@ -34,7 +34,7 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_file_read (file, buffer, 1024)))
+ while (0 < (len = zzip_file_read (file, buffer, 1024)))
{
fwrite (buffer, 1, len, out);
}
--
1.8.3.1

34
backport-0002-CVE-2020-18442.patch
View File

@ -1,34 +0,0 @@
From 7e786544084548da7fcfcd9090d3c4e7f5777f7e Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:50:26 +0100
Subject: [PATCH 02/35] #68 return value of zzip_mem_disk_fread is signed
---
bins/unzip-mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c
index cc009f8..50eb5a6 100644
--- a/bins/unzip-mem.c
+++ b/bins/unzip-mem.c
@@ -81,7 +81,7 @@ static void zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk,
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
fwrite (buffer, len, 1, out);
zzip_mem_disk_fclose (file);
@@ -115,7 +115,7 @@ static void zzip_mem_entry_test(ZZIP_MEM_DISK* disk,
{
unsigned long crc = crc32 (0L, NULL, 0);
unsigned char buffer[1024]; int len;
- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
+ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
crc = crc32 (crc, buffer, len);
}
--
1.8.3.1

34
backport-0003-CVE-2020-18442.patch
View File

@ -1,34 +0,0 @@
From d453977f59ca59c61bf59dec28dd724498828f2a Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:51:12 +0100
Subject: [PATCH 03/35] #68 return value of zzip_entry_fread is signed
---
bins/unzzipcat-big.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c
index 111ef47..ecebe11 100644
--- a/bins/unzzipcat-big.c
+++ b/bins/unzzipcat-big.c
@@ -26,7 +26,7 @@ static void unzzip_big_entry_fprint(ZZIP_ENTRY* entry, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
{
DBG2("entry read %i", len);
fwrite (buffer, len, 1, out);
@@ -45,7 +45,7 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
fwrite (buffer, len, 1, out);
zzip_entry_fclose (file);
--
1.8.3.1

34
backport-0004-CVE-2020-18442.patch
View File

@ -1,34 +0,0 @@
From 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:51:56 +0100
Subject: [PATCH 04/35] #68 return value of zzip_mem_disk_fread is signed
---
bins/unzzipcat-mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c
index 6bd79b7..1b5bc22 100644
--- a/bins/unzzipcat-mem.c
+++ b/bins/unzzipcat-mem.c
@@ -35,7 +35,7 @@ static void unzzip_mem_entry_fprint(ZZIP_MEM_DISK* disk,
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
fwrite (buffer, len, 1, out);
zzip_mem_disk_fclose (file);
@@ -48,7 +48,7 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
if (file)
{
char buffer[1025]; int len;
- while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
+ while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
{
fwrite (buffer, 1, len, out);
}
--
1.8.3.1

25
backport-0005-CVE-2020-18442.patch
View File

@ -1,25 +0,0 @@
From a34a96fbda1e58fbec5c79f4c0b5063e031ce11d Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:52:47 +0100
Subject: [PATCH 05/35] #68 return value of zzip_fread is signed
---
bins/unzzipcat-mix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c
index e18987d..8f3d0b8 100644
--- a/bins/unzzipcat-mix.c
+++ b/bins/unzzipcat-mix.c
@@ -34,7 +34,7 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_fread (buffer, 1, 1024, file)))
+ while (0 < (len = zzip_fread (buffer, 1, 1024, file)))
{
fwrite (buffer, 1, len, out);
}
--
1.8.3.1

34
backport-0006-CVE-2020-18442.patch
View File

@ -1,34 +0,0 @@
From fa1f78abe1b08544061204019016809664f2618c Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:53:50 +0100
Subject: [PATCH 06/35] #68 return value of zzip_entry_fread is signed
---
bins/unzzipshow.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bins/unzzipshow.c b/bins/unzzipshow.c
index 9d8c2ed..5672d3b 100644
--- a/bins/unzzipshow.c
+++ b/bins/unzzipshow.c
@@ -22,7 +22,7 @@ static void zzip_entry_fprint(ZZIP_ENTRY* entry, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
fwrite (buffer, len, 1, out);
zzip_entry_fclose (file);
@@ -35,7 +35,7 @@ static void zzip_cat_file(FILE* disk, char* name, FILE* out)
if (file)
{
char buffer[1024]; int len;
- while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
+ while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
fwrite (buffer, len, 1, out);
zzip_entry_fclose (file);
--
1.8.3.1

25
backport-0007-CVE-2020-18442.patch
View File

@ -1,25 +0,0 @@
From f7a6fa9f0c29aecb4c2299568ed2e6094c34aca7 Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Mon, 4 Jan 2021 21:55:08 +0100
Subject: [PATCH 07/35] #68 return value of posix read(2) is signed
---
bins/zzipmake-zip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bins/zzipmake-zip.c b/bins/zzipmake-zip.c
index 8e09c31..b37877c 100644
--- a/bins/zzipmake-zip.c
+++ b/bins/zzipmake-zip.c
@@ -57,7 +57,7 @@ int rezzip_make (int argc, char ** argv)
continue;
}
- while ((n = read (input, buf, 16)))
+ while (0 < (n = read (input, buf, 16)))
{
zzip_write (output, buf, n);
}
--
1.8.3.1

33
backport-CVE-2020-18770.patch
View File

@ -1,33 +0,0 @@
From 99462cac1c6581bce36fe17fd1f430cbe114f0af Mon Sep 17 00:00:00 2001
From: Valentin Lefebvre <valentin.lefebvre@suse.com>
Date: Wed, 20 Sep 2023 12:04:56 +0200
Subject: [PATCH] mmappend.c: pre-check header trailer magic
* Avoid potential ASAN:SIGSEGV invalid memory access by pre-check the header
trailer magic.
* CVE-2020-18770
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
---
zzip/mmapped.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/zzip/mmapped.c b/zzip/mmapped.c
index 8af18f4..49990e6 100644
--- a/zzip/mmapped.c
+++ b/zzip/mmapped.c
@@ -269,7 +269,9 @@ zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
return 0;
}
___ struct zzip_file_header *file_header = (void *) ptr;
- if (zzip_file_header_get_magic(file_header) != ZZIP_FILE_HEADER_MAGIC)
+ if (file_header != 'P' || /* quick pre-check for trailer magic */
+ zzip_file_header_get_magic(file_header) != ZZIP_FILE_HEADER_MAGIC)
+
{
errno = EBADMSG;
return 0;
--
2.40.1

BIN
v0.13.69.tar.gz Normal file
View File

Binary file not shown.

BIN
v0.13.71.tar.gz
View File

Binary file not shown.

24
zziplib-0.13.71-sw.patch
View File

@ -1,24 +0,0 @@
diff -Naur zziplib-0.13.71.org/configure zziplib-0.13.71.sw/configure
--- zziplib-0.13.71.org/configure 2022-02-28 06:07:23.580000000 +0000
+++ zziplib-0.13.71.sw/configure 2022-02-28 06:08:52.270000000 +0000
@@ -14802,7 +14802,7 @@
$as_echo_n "(cached) " >&6
else
if test "$cross_compiling" = "yes"; then
- case "$host_cpu" in alpha*|arm*|bfin*|hp*|mips*|sh*|sparc*|ia64|nv1)
+ case "$host_cpu" in sw_64*|alpha*|arm*|bfin*|hp*|mips*|sh*|sparc*|ia64|nv1)
ax_cv_have_aligned_access_required="yes"
;; esac
else
diff -Naur zziplib-0.13.71.org/m4/ax_check_aligned_access_required.m4 zziplib-0.13.71.sw/m4/ax_check_aligned_access_required.m4
--- zziplib-0.13.71.org/m4/ax_check_aligned_access_required.m4 2022-02-28 06:07:23.590000000 +0000
+++ zziplib-0.13.71.sw/m4/ax_check_aligned_access_required.m4 2022-02-28 06:08:21.470000000 +0000
@@ -29,7 +29,7 @@
[AC_CACHE_CHECK([if pointers to integers require aligned access],
[ax_cv_have_aligned_access_required],
[if test "$cross_compiling" = "yes"; then
- case "$host_cpu" in alpha*|arm*|bfin*|hp*|mips*|sh*|sparc*|ia64|nv1)
+ case "$host_cpu" in sw_64*|alpha*|arm*|bfin*|hp*|mips*|sh*|sparc*|ia64|nv1)
ax_cv_have_aligned_access_required="yes"
;; esac
else

50
zziplib.spec
View File

@ -1,26 +1,21 @@
%define disable_rpath \ %define disable_rpath \
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool \ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtool \
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool
Name: zziplib Name: zziplib
Version: 0.13.71 Version: 0.13.69
Release: 5 Release: 5
Summary: Lightweight library for zip compression Summary: Lightweight library for zip compression
License: LGPLv2+ or MPLv1.1 License: LGPLv2+ or MPLv1.1
URL: http://zziplib.sourceforge.net URL: http://zziplib.sourceforge.net
Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
Patch6000: backport-0001-CVE-2020-18442.patch Patch6000: CVE-2018-16548-1.patch
Patch6001: backport-0002-CVE-2020-18442.patch Patch6001: CVE-2018-16548-2.patch
Patch6002: backport-0003-CVE-2020-18442.patch Patch6002: CVE-2018-16548-3.patch
Patch6003: backport-0004-CVE-2020-18442.patch Patch6003: CVE-2018-17828.patch
Patch6004: backport-0005-CVE-2020-18442.patch
Patch6005: backport-0006-CVE-2020-18442.patch
Patch6006: backport-0007-CVE-2020-18442.patch
Patch6007: zziplib-0.13.71-sw.patch
Patch6008: backport-CVE-2020-18770.patch
BuildRequires: perl-interpreter zip xmlto BuildRequires: perl-interpreter python2 python2-rpm-macros zip xmlto
BuildRequires: zlib-devel SDL-devel pkgconfig autoconf automake gcc make BuildRequires: zlib-devel SDL-devel pkgconfig autoconf automake gcc make
Provides: zziplib-utils Provides: zziplib-utils
@ -52,27 +47,23 @@ This package includes help documentation and manuals related to zziplib.
%prep %prep
%setup -q %setup -q
sed -i -e 's:docs ::g' Makefile.am
%patch6000 -p1 %patch6000 -p1
%patch6001 -p1 %patch6001 -p1
%patch6002 -p1 %patch6002 -p1
%patch6003 -p1 %patch6003 -p1
%patch6004 -p1
%patch6005 -p1 find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g'
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%build %build
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export PYTHON=%__python2
%configure --disable-static --enable-sdl --enable-frame-pointer --enable-builddir=_builddir %configure --disable-static --enable-sdl --enable-frame-pointer --enable-builddir=_builddir
# remove rpath
%disable_rpath %disable_rpath
%make_build %make_build
%install %install
%make_install %make_install
rm -rf docs/Make* docs/zziplib-manpages.ar
find %{buildroot} -type f -name "*.la" -delete -print
%post -p /sbin/ldconfig %post -p /sbin/ldconfig
@ -95,21 +86,6 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Wed Sep 27 2023 licihua <licihua@huawei.com> - 0.13.71-5
- fix CVE-2020-18770
* Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 0.13.71-4
- Add sw64 architecture
* Sat Sep 04 2021 shixuantong <shixuantong@huawei.com> - 0.13.71-3
- remove rpath
* Fri Jun 25 2021 shixuantong <shixuantong@huawei.com> - 0.13.71-2
- fix CVE-2020-18442
* Tue Nov 3 2020 tianwei <tianwei12@huawei.com> - 0.13.71-1
- update to 0.13.71 and remove python2
* Fri Feb 14 2020 chengquan <chengquan3@huawei.com> - 0.13.36-5 * Fri Feb 14 2020 chengquan <chengquan3@huawei.com> - 0.13.36-5
- Add necessary BuildRequires - Add necessary BuildRequires