Please find attached the debdiff. Best, François
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2017-05-28 21:20:05.000000000 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2020-03-15 17:28:33.000000000 +0100
@@ -1,3 +1,9 @@
+zipios++ (0.1.5.9+cvs.2007.04.28-10+deb10u1) buster; urgency=high
+
+ * fix CVE-2019-13453 for Buster (Closes: #932556)
+
+ -- Francois Mazen <franc...@mzf.fr> Sun, 15 Mar 2020 17:28:33 +0100
+
 zipios++ (0.1.5.9+cvs.2007.04.28-10) unstable; urgency=medium
 
 * QA upload.
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 1970-01-01 01:00:00.000000000 +0100
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 2020-03-15 17:28:33.000000000 +0100
@@ -0,0 +1,50 @@
+Description: Fix CVE-2019-13453
+Author: Francois Mazen <franc...@mzf.fr>
+Origin: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/
+
+--- a/zipios++/zipheadio.h
++++ b/zipios++/zipheadio.h
+@@ -9,6 +9,7 @@
+
+ #include "zipios++/ziphead.h"
+ #include "zipios++/zipios_defs.h"
++#include "zipios++/fcollexceptions.h"
+
+ namespace zipios {
+
+@@ -79,10 +80,16 @@
+ static const int buf_len = sizeof ( uint32 ) ;
+ unsigned char buf [ buf_len ] ;
+ int rsf = 0 ;
+- while ( rsf < buf_len ) {
++ std::streampos original_pos = is.tellg() ;
++ while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+ }
++ if ( rsf != buf_len ) {
++ is.seekg( original_pos ) ;
++ throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint32; the zip archive may be corrupt." ) ;
++ }
+ return ztohl ( buf ) ;
+ }
+
+@@ -95,10 +102,16 @@
+ static const int buf_len = sizeof ( uint16 ) ;
+ unsigned char buf [ buf_len ] ;
+ int rsf = 0 ;
+- while ( rsf < buf_len ) {
++ std::streampos original_pos = is.tellg() ;
++ while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+ }
++ if ( rsf != buf_len ) {
++ is.seekg( original_pos ) ;
++ throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint16; the zip archive may be corrupt." ) ;
++ }
+ return ztohs ( buf ) ;
+ }
+
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2017-05-09 00:29:06.000000000 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2020-03-15 17:28:33.000000000 +0100
@@ -4,3 +4,4 @@
 gcc43_fix.diff
 amd64_fix.diff
 pkg-config.diff
+fix_CVE-2019-13453.diff
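Review bot: The new loop guard `!is.eof()` in both patched read loops (the uint32 one and the uint16 one) still spins forever when the stream is failed or bad without eofbit set, because `read` then extracts nothing and `gcount()` stays 0; `while ( rsf < buf_len && is.good() ) {` would close that remaining path to the hang this CVE fix targets. The `is.seekg( original_pos )` before the throw is likely a no-op, since a short read sets failbit along with eofbit and seekg does nothing on a failed stream; an `is.clear() ;` would have to precede it. The two adjacent string literals concatenate to "read aUint32" and "read aUint16", so the first literal needs a trailing space. Both function bodies begin outside the inner hunks, so whether any caller relies on the restored position cannot be confirmed from this page.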