On 31.05.2017 22:55, Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
>> I was contacted by someone at SUSE that is working on fixing the security
>> bugs - but even if successful, I don't know how good the quality will be or
>> how much testing will be able to get done before stretch is released.
>> Removal might be safest option

That was probably me ;-)

The patches I prepared were just that: patches to fix the issues at
hand, e.g. check if a file offset is within range before fetching
something from that offset. They fix the issues of the CVEs and will
allow zziplib to handle the corrupt archives attached to the CVEs.
Most likely there are other places where the code will happily use part
of an ASCII string as a file offset! In the end, the code might need to
be more strict, rejecting a file if it looks corrupt.

All in all, IMHO the code needs a thorough rework to properly check
values and offsets and, as said, reject corrupt archives. Although
zziplib is still quite high on my list of tasks, unfortunately at the
moment I do not have enough time to do this, so either someone else will
do it or I need to find some time for that, maybe next year's hackweek.

> Unfortunately removal didn't work out for stretch and will have to wait
> for buster.
> 
> I'm attaching the patches used by SuSE to address these vulnerabilities
> (extracted from their srpm).
> 
> Cheers,
>         Moritz
> 

Josef
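As an added illustration of the kind of check described above (this is example code written for this page, not zziplib's code and not a patch from the thread): a minimal ZIP central-directory walker in C that treats every offset and length it reads from the archive as untrusted. It locates the end-of-central-directory record, verifies that the central directory offset and size lie inside the buffer before dereferencing them, verifies each entry's variable-length fields against the remaining bytes, and rejects the archive as corrupt on any inconsistency instead of reading past the end. The sample archives are constructed in code; the "corrupt" variants overwrite the central-directory offset with the ASCII bytes "AAAA" (so the parser would otherwise use 0x41414141 as a file offset) and claim more entries than the directory holds. Field offsets follow the ZIP format specification; function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EOCD_SIG 0x06054b50u   /* end of central directory record */
#define CDIR_SIG 0x02014b50u   /* central directory file header */
#define LOCAL_SIG 0x04034b50u  /* local file header */
#define EOCD_MIN 22            /* fixed part of EOCD */
#define CDIR_MIN 46            /* fixed part of a central directory entry */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the central directory with every offset/length bounds-checked.
 * Returns the number of entries, or -1 if the archive is rejected as corrupt. */
int count_entries_checked(const unsigned char *buf, size_t len)
{
    if (len < EOCD_MIN) return -1;
    /* EOCD sits at the end, preceded by an optional comment of at most 65535 bytes. */
    size_t i = len - EOCD_MIN;
    for (;;) {
        if (rd32(buf + i) == EOCD_SIG) break;
        if (i == 0 || (len - EOCD_MIN) - i >= 0xFFFF) return -1;
        i--;
    }
    const unsigned char *eocd = buf + i;
    uint16_t nent   = rd16(eocd + 10);
    uint32_t cdsize = rd32(eocd + 12);
    uint32_t cdoff  = rd32(eocd + 16);
    /* The central directory must lie entirely before the EOCD record. */
    if (cdoff > i || cdsize > i - cdoff) return -1;

    size_t pos = cdoff, end = (size_t)cdoff + cdsize;
    int n = 0;
    for (unsigned k = 0; k < nent; k++) {
        if (end - pos < CDIR_MIN) return -1;          /* fixed header must fit */
        const unsigned char *e = buf + pos;
        if (rd32(e) != CDIR_SIG) return -1;
        uint16_t nlen = rd16(e + 28), xlen = rd16(e + 30), clen = rd16(e + 32);
        uint32_t lhoff = rd32(e + 42);
        size_t reclen = (size_t)CDIR_MIN + nlen + xlen + clen;
        if (reclen > end - pos) return -1;            /* variable part must fit */
        if (lhoff >= cdoff) return -1;                /* local header precedes the directory */
        if (rd32(buf + lhoff) != LOCAL_SIG) return -1; /* lhoff < cdoff <= i, so this read is in range */
        pos += reclen;
        n++;
    }
    if (pos != end) return -1;                        /* trailing garbage or short directory */
    return n;
}

static size_t put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; return 2; }
static size_t put32(unsigned char *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); return 4; }

/* Constructed sample: one stored, empty entry "a.txt".
 * mode 0: well-formed; mode 1: directory offset overwritten with "AAAA";
 * mode 2: entry count says 2 but only one entry exists. Returns the length. */
size_t build_sample(unsigned char *out, int mode)
{
    static const char name[] = "a.txt";
    const size_t nlen = 5;
    unsigned char *p = out;
    p += put32(p, LOCAL_SIG);
    p += put16(p, 10); p += put16(p, 0); p += put16(p, 0);          /* version, flags, method */
    p += put16(p, 0);  p += put16(p, 0);                            /* time, date */
    p += put32(p, 0);  p += put32(p, 0); p += put32(p, 0);          /* crc, csize, usize */
    p += put16(p, (uint16_t)nlen); p += put16(p, 0);                /* name len, extra len */
    memcpy(p, name, nlen); p += nlen;
    size_t cdoff = (size_t)(p - out);                               /* 35 */
    p += put32(p, CDIR_SIG);
    p += put16(p, 20); p += put16(p, 10); p += put16(p, 0); p += put16(p, 0);
    p += put16(p, 0);  p += put16(p, 0);
    p += put32(p, 0);  p += put32(p, 0);  p += put32(p, 0);
    p += put16(p, (uint16_t)nlen); p += put16(p, 0); p += put16(p, 0);
    p += put16(p, 0);  p += put16(p, 0);  p += put32(p, 0);
    p += put32(p, 0);                                               /* local header offset */
    memcpy(p, name, nlen); p += nlen;
    size_t cdsize = (size_t)(p - out) - cdoff;                      /* 51 */
    unsigned char *eocd = p;
    p += put32(p, EOCD_SIG);
    p += put16(p, 0); p += put16(p, 0);
    p += put16(p, mode == 2 ? 2 : 1); p += put16(p, mode == 2 ? 2 : 1);
    p += put32(p, (uint32_t)cdsize);
    p += put32(p, (uint32_t)cdoff);
    p += put16(p, 0);
    if (mode == 1) memcpy(eocd + 16, "AAAA", 4);                    /* offset field becomes 0x41414141 */
    return (size_t)(p - out);
}

/* Build the sample in the given mode and run the checked walker over it. */
int check_sample(int mode)
{
    unsigned char buf[256];
    size_t len = build_sample(buf, mode);
    return count_entries_checked(buf, len);
}

int main(void)
{
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d: %d\n", mode, check_sample(mode));
    return 0;
}
```

The well-formed sample yields one entry; both corrupt variants are rejected rather than turning "AAAA" into a read at offset 0x41414141 or walking off the end of the directory.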
