Hello community,

here is the log from the commit of package libzip for openSUSE:Factory checked 
in at 2017-12-21 11:26:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libzip (Old)
 and      /work/SRC/openSUSE:Factory/.libzip.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libzip"

Thu Dec 21 11:26:02 2017 rev:32 rq:558324 version:1.3.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libzip/libzip.changes    2017-10-13 
14:16:57.905913748 +0200
+++ /work/SRC/openSUSE:Factory/.libzip.new/libzip.changes       2017-12-21 
11:26:11.796755998 +0100
@@ -1,0 +2,19 @@
+Tue Dec 19 07:52:41 UTC 2017 - pgaj...@suse.com
+
+- updated to version 1.3.2:
+  * Fix bug introduced in last: zip_t was erroneously freed if zip_close() 
failed.
+  * Install zipconf.h into ${PREFIX}/include
+  * Add zip_libzip_version()
+  * Fix AES tests on Linux
+  * Support bzip2 compressed zip archives
+  * Improve file progress callback code
+  * Fix zip_fdopen()
+  * CVE-2017-12858: Fix double free()
+  * CVE-2017-14107: Improve EOCD64 parsing
+- removed patches (upstreamed)
+  * libzip-CVE-2017-12858.patch
+  * libzip-CVE-2017-14107.patch
+- added patch (fixed in head)
+  * libzip-uninitialized-value.patch
+
+-------------------------------------------------------------------

Old:
----
  libzip-1.2.0.tar.xz
  libzip-CVE-2017-12858.patch
  libzip-CVE-2017-14107.patch

New:
----
  libzip-1.3.2.tar.gz
  libzip-uninitialized-value.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libzip.spec ++++++
--- /var/tmp/diff_new_pack.xpJn0V/_old  2017-12-21 11:26:13.280683643 +0100
+++ /var/tmp/diff_new_pack.xpJn0V/_new  2017-12-21 11:26:13.280683643 +0100
@@ -18,18 +18,19 @@
 
 %define sover 5
 Name:           libzip
-Version:        1.2.0
+Version:        1.3.2
 Release:        0
 Summary:        C library for reading, creating, and modifying zip archives
 License:        BSD-3-Clause
 Group:          Development/Libraries/C and C++
-Url:            http://www.nih.at/libzip
-Source0:        http://www.nih.at/libzip/%{name}-%{version}.tar.xz
+Url:            https://libzip.org/
+Source0:        https://libzip.org/download/libzip-%{version}.tar.gz
 Source1:        baselibs.conf
 # PATCH-FIX-OPENSUSE: close on exec, upstream is aware, will be probably fixes 
next release
 Patch1:         libzip-ocloexec.patch
-Patch2:         libzip-CVE-2017-12858.patch
-Patch3:         libzip-CVE-2017-14107.patch
+# 
https://github.com/nih-at/libzip/commit/8609c9ce6c8e613a7b5825e4d0eba8a31fe67e75
+Patch2:         libzip-uninitialized-value.patch
+BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 # for tests
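Review bot: The comment above the new `Patch2` is only a commit URL, while `Patch1` in the same hunk carries a tag and a reason. It should say what the patch fixes and where it comes from, for example `# PATCH-FIX-UPSTREAM libzip-uninitialized-value.patch -- initialise context flags, report comp_method only once known (upstream commit 8609c9ce)`. The CVE-2017-12858 and CVE-2017-14107 patches are dropped because the changelog says they are upstreamed, so it is worth confirming that the 1.3.2 tarball actually contains both fixes. As far as this hunk shows, the integrity of the new `Source0` tarball rests on the HTTPS download alone.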
@@ -83,9 +84,9 @@
 %setup -q
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 
 %build
+autoreconf -fi
 %configure \
   --disable-static
 %if %{do_profiling}
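Review bot: `autoreconf -fi` is added to `%build` with no stated reason, and the only patch shown on this page touches `lib/zip_source_compress.c`, which does not need the build system regenerated. If `libzip-ocloexec.patch` edits `configure.ac` or a `Makefile.am`, a one-line comment above the call should say so, e.g. `# regenerate build system: libzip-ocloexec.patch changes configure.ac`. Otherwise, building from the `configure` shipped in the tarball keeps the package closer to what upstream tested. The `%build` section continues outside the hunk.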
@@ -128,7 +129,6 @@
 %{_libdir}/%{name}.so
 %{_includedir}/zip.h
 %{_includedir}/zipconf.h
-%{_libdir}/%{name}/
 %{_libdir}/pkgconfig/%{name}.pc
 %{_mandir}/man3/*.3%{ext_man}
 

++++++ libzip-uninitialized-value.patch ++++++
>From 8609c9ce6c8e613a7b5825e4d0eba8a31fe67e75 Mon Sep 17 00:00:00 2001
From: Dieter Baron <di...@nih.at>
Date: Mon, 18 Dec 2017 16:50:41 +0100
Subject: [PATCH] Fix logic determining which stat members are known / valid.

---
 lib/zip_source_compress.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/zip_source_compress.c b/lib/zip_source_compress.c
index 37e0318a..0b97f938 100644
--- a/lib/zip_source_compress.c
+++ b/lib/zip_source_compress.c
@@ -43,7 +43,7 @@ struct context {
     bool end_of_input;
     bool end_of_stream;
     bool can_store;
-    bool is_stored;
+    bool is_stored;            /* only valid if end_of_stream is true */
     bool compress;
     zip_int32_t method;
     
@@ -158,6 +158,9 @@ context_new(zip_int32_t method, bool compress, int 
compression_flags, zip_compre
     ctx->algorithm = algorithm;
     ctx->method = method;
     ctx->compress = compress;
+    ctx->end_of_input = false;
+    ctx->end_of_stream = false;
+    ctx->is_stored = false;
     
     if ((ctx->ud = ctx->algorithm->allocate(ZIP_CM_ACTUAL(method), 
compression_flags, &ctx->error)) == NULL) {
        zip_error_fini(&ctx->error);
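Review bot: Setting `end_of_input`, `end_of_stream` and `is_stored` one by one fixes the members named here, but any member not assigned in `context_new` can still be read uninitialised; `can_store` and `size`, for example, are not set in the visible lines. The allocation is outside this hunk. If it is a plain `malloc`, zero-filling the struct once with `calloc(1, sizeof(*ctx))`, or a `memset(ctx, 0, sizeof(*ctx));` right after the NULL check, covers current and future members. `context_new` starts and ends outside the hunk, so those members may already be assigned elsewhere.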
@@ -325,17 +328,18 @@ compress_callback(zip_source_t *src, void *ud, void 
*data, zip_uint64_t len, zip
            st = (zip_stat_t *)data;
 
            if (ctx->compress) {
-               st->comp_method = ctx->is_stored ? ZIP_CM_STORE : 
ZIP_CM_ACTUAL(ctx->method);
                if (ctx->end_of_stream) {
+                    st->comp_method = ctx->is_stored ? ZIP_CM_STORE : 
ZIP_CM_ACTUAL(ctx->method);
                    st->comp_size = ctx->size;
-                   st->valid |= ZIP_STAT_COMP_SIZE;
+                   st->valid |= ZIP_STAT_COMP_SIZE | ZIP_STAT_COMP_METHOD;
                }
                else {
-                   st->valid &= ~ZIP_STAT_COMP_SIZE;
+                   st->valid &= ~(ZIP_STAT_COMP_SIZE | ZIP_STAT_COMP_METHOD);
                }
            }
            else {
                st->comp_method = ZIP_CM_STORE;
+                st->valid |= ZIP_STAT_COMP_METHOD;
                if (ctx->end_of_stream) {
                    st->size = ctx->size;
                    st->valid |= ZIP_STAT_SIZE;
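Review bot: In the decompress `else` branch, `comp_method` is now marked valid as `ZIP_CM_STORE`, but `st->comp_size` and `ZIP_STAT_COMP_SIZE` are left as the layer below supplied them. If that layer reports the compressed size, a caller sees a STORE method paired with a size that does not describe the bytes this source yields. It is worth confirming whether `st->valid &= ~ZIP_STAT_COMP_SIZE;` belongs next to the new `st->valid |= ZIP_STAT_COMP_METHOD;` line. This is inferred from the visible lines only; what the lower source sets is not shown, and the branch continues into the next hunk.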
@@ -344,7 +348,6 @@ compress_callback(zip_source_t *src, void *ud, void *data, 
zip_uint64_t len, zip
                    st->valid &= ~ZIP_STAT_SIZE;
                }
            }
-           st->valid |= ZIP_STAT_COMP_METHOD;
        }
        return 0;
 

