Hello community, here is the log from the commit of package libzip for openSUSE:Factory checked in at 2017-12-21 11:26:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libzip (Old) and /work/SRC/openSUSE:Factory/.libzip.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzip" Thu Dec 21 11:26:02 2017 rev:32 rq:558324 version:1.3.2 Changes: --------
--- /work/SRC/openSUSE:Factory/libzip/libzip.changes 2017-10-13 14:16:57.905913748 +0200
+++ /work/SRC/openSUSE:Factory/.libzip.new/libzip.changes 2017-12-21 11:26:11.796755998 +0100
@@ -1,0 +2,19 @@
+Tue Dec 19 07:52:41 UTC 2017 - pgaj...@suse.com
+
+- updated to version 1.3.2:
+ * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed.
+ * Install zipconf.h into ${PREFIX}/include
+ * Add zip_libzip_version()
+ * Fix AES tests on Linux
+ * Support bzip2 compressed zip archives
+ * Improve file progress callback code
+ * Fix zip_fdopen()
+ * CVE-2017-12858: Fix double free()
+ * CVE-2017-14107: Improve EOCD64 parsing
+- removed patches (upstreamed)
+ * libzip-CVE-2017-12858.patch
+ * libzip-CVE-2017-14107.patch
+- added patch (fixed in head)
+ * libzip-uninitialized-value.patch
+
+-------------------------------------------------------------------
Old: ---- libzip-1.2.0.tar.xz libzip-CVE-2017-12858.patch libzip-CVE-2017-14107.patch New: ---- libzip-1.3.2.tar.gz libzip-uninitialized-value.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzip.spec ++++++
--- /var/tmp/diff_new_pack.xpJn0V/_old 2017-12-21 11:26:13.280683643 +0100
+++ /var/tmp/diff_new_pack.xpJn0V/_new 2017-12-21 11:26:13.280683643 +0100
@@ -18,18 +18,19 @@ %define sover 5 Name: libzip -Version: 1.2.0 +Version: 1.3.2 Release: 0 Summary: C library for reading, creating, and modifying zip archives License: BSD-3-Clause Group: Development/Libraries/C and C++ -Url: http://www.nih.at/libzip -Source0: http://www.nih.at/libzip/%{name}-%{version}.tar.xz +Url: https://libzip.org/ +Source0: https://libzip.org/download/libzip-%{version}.tar.gz Source1: baselibs.conf # PATCH-FIX-OPENSUSE: close on exec, upstream is aware, will be probably fixes next release Patch1: libzip-ocloexec.patch -Patch2: libzip-CVE-2017-12858.patch -Patch3: libzip-CVE-2017-14107.patch +# https://github.com/nih-at/libzip/commit/8609c9ce6c8e613a7b5825e4d0eba8a31fe67e75 +Patch2: libzip-uninitialized-value.patch +BuildRequires: automake BuildRequires: libtool BuildRequires: pkgconfig # for tests @@ -83,9 +84,9 @@ %setup -q %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build +autoreconf -fi %configure \ --disable-static %if %{do_profiling} @@ -128,7 +129,6 @@ %{_libdir}/%{name}.so %{_includedir}/zip.h %{_includedir}/zipconf.h -%{_libdir}/%{name}/ %{_libdir}/pkgconfig/%{name}.pc %{_mandir}/man3/*.3%{ext_man} ++++++ libzip-uninitialized-value.patch ++++++ >From 8609c9ce6c8e613a7b5825e4d0eba8a31fe67e75 Mon Sep 17 00:00:00 2001 From: Dieter Baron <di...@nih.at> Date: Mon, 18 Dec 2017 16:50:41 +0100 Subject: [PATCH] Fix logic determining which stat members are known / valid. --- lib/zip_source_compress.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/zip_source_compress.c b/lib/zip_source_compress.c index 37e0318a..0b97f938 100644 --- a/lib/zip_source_compress.c +++ b/lib/zip_source_compress.c @@ -43,7 +43,7 @@ struct context { bool end_of_input; bool end_of_stream; bool can_store; - bool is_stored; + bool is_stored; /* only valid if end_of_stream is true */ bool compress; zip_int32_t method; 
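Review bot: The new `Patch2:` line is annotated only with a bare commit URL, whereas the convention already used on `Patch1` in this spec is a `PATCH-FIX-*` tag stating origin and purpose, so the comment should read `# PATCH-FIX-UPSTREAM libzip-uninitialized-value.patch -- fix logic determining which stat members are valid, https://github.com/nih-at/libzip/commit/8609c9ce6c8e613a7b5825e4d0eba8a31fe67e75`. Reusing the number `Patch2` for a different patch than the removed CVE-2017-12858 one is valid but makes the package history harder to audit; numbering it `Patch4` would keep the retired numbers unambiguous. The `Patch1` comment says upstream was expected to fix close-on-exec in the next release, and the bump from 1.2.0 to 1.3.2 is the moment to confirm that patch is still required rather than carrying it forward by default. The `Source0` change also moves from `.tar.xz` to `.tar.gz`; if upstream publishes a detached signature for the release, referencing it and a keyring as additional sources would let the build verify the download instead of trusting the URL alone.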
@@ -158,6 +158,9 @@ context_new(zip_int32_t method, bool compress, int compression_flags, zip_compre ctx->algorithm = algorithm; ctx->method = method; ctx->compress = compress; + ctx->end_of_input = false; + ctx->end_of_stream = false; + ctx->is_stored = false; if ((ctx->ud = ctx->algorithm->allocate(ZIP_CM_ACTUAL(method), compression_flags, &ctx->error)) == NULL) { zip_error_fini(&ctx->error); @@ -325,17 +328,18 @@ compress_callback(zip_source_t *src, void *ud, void *data, zip_uint64_t len, zip st = (zip_stat_t *)data; if (ctx->compress) { - st->comp_method = ctx->is_stored ? ZIP_CM_STORE : ZIP_CM_ACTUAL(ctx->method); if (ctx->end_of_stream) { + st->comp_method = ctx->is_stored ? ZIP_CM_STORE : ZIP_CM_ACTUAL(ctx->method); st->comp_size = ctx->size; - st->valid |= ZIP_STAT_COMP_SIZE; + st->valid |= ZIP_STAT_COMP_SIZE | ZIP_STAT_COMP_METHOD; } else { - st->valid &= ~ZIP_STAT_COMP_SIZE; + st->valid &= ~(ZIP_STAT_COMP_SIZE | ZIP_STAT_COMP_METHOD); } } else { st->comp_method = ZIP_CM_STORE; + st->valid |= ZIP_STAT_COMP_METHOD; if (ctx->end_of_stream) { st->size = ctx->size; st->valid |= ZIP_STAT_SIZE; @@ -344,7 +348,6 @@ compress_callback(zip_source_t *src, void *ud, void *data, zip_uint64_t len, zip st->valid &= ~ZIP_STAT_SIZE; } } - st->valid |= ZIP_STAT_COMP_METHOD; } return 0;
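Review bot: The three `= false` assignments added to context_new cover only the members this fix needed; `can_store`, declared in the same struct in the hunk above, is not assigned in any visible line, and if `ctx` is obtained from `malloc` (the allocation sits above the hunk and is not visible here) every member not listed stays indeterminate, so the same class of bug returns whenever a field is added. Allocating with `ctx = calloc(1, sizeof *ctx)`, or adding `memset(ctx, 0, sizeof *ctx);` before the first assignment, zeroes every member in one place and makes the per-field list unnecessary. context_new starts before and continues past the hunk, so confirm which allocator it uses before relying on the explicit assignments alone.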
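Review bot: Moving `st->comp_method` under `if (ctx->end_of_stream)` in the compress branch leaves the branch with no explanation of why the method is unknown until then; the reason — `is_stored` is only valid once end_of_stream is true, per the new comment on the struct — belongs at the point of use, e.g. `/* is_stored is decided only after all input has been seen, so the method (and ZIP_STAT_COMP_METHOD) is unknown until end_of_stream */` above the `if`. Callers reading `st->comp_method` must now honor the `ZIP_STAT_COMP_METHOD` bit, because the field is left untouched when the bit is cleared in the `else`; that is the intended contract and is worth stating in the same comment. compress_callback continues on both sides of the hunk.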