Hello community, here is the log from the commit of package zziplib for openSUSE:Factory checked in at 2018-03-26 12:00:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zziplib (Old) and /work/SRC/openSUSE:Factory/.zziplib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zziplib" Mon Mar 26 12:00:51 2018 rev:30 rq:588696 version:0.13.69 Changes: --------
--- /work/SRC/openSUSE:Factory/zziplib/zziplib.changes 2018-02-24 16:37:31.157466434 +0100
+++ /work/SRC/openSUSE:Factory/.zziplib.new/zziplib.changes 2018-03-26 12:01:11.518866901 +0200
@@ -1,0 +2,28 @@
+Mon Mar 19 13:57:10 UTC 2018 - josef.moell...@suse.com
+
+- Check if data from End of central directory record makes sense.
+ Especially the Offset of start of central directory must not
+ a) be negative or
+ b) point behind the end-of-file.
+- Check if compressed size in Central directory file header
+ makes sense, i.e. the file's data does not extend beyond the
+ end of the file.
+ [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch,
+ bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch]
+
+-------------------------------------------------------------------
+Sat Mar 17 18:53:19 UTC 2018 - avin...@opensuse.org
+
+- Update to 0.13.69:
+ * fix a number of CVEs reported with special *.zip PoC files
+ * completing some doc strings while checking the new man-pages to
+ look good
+ * update refs to point to github instead of sf.net
+ * man-pages are generated with new dbk2man.py - docbook xmlto is
+ optional now
+ * a zip-program is still required for testing, but some errors
+ are gone when not present
+- run spec-cleaner
+- don't ship Windows only file, README.MSVC6
+
+-------------------------------------------------------------------
Old: ---- zziplib-0.13.68.tar.gz New: ---- CVE-2018-7725.patch CVE-2018-7726.patch zziplib-0.13.69.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ zziplib.spec ++++++
--- /var/tmp/diff_new_pack.DPHu4M/_old 2018-03-26 12:01:13.610791430 +0200
+++ /var/tmp/diff_new_pack.DPHu4M/_new 2018-03-26 12:01:13.618791141 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,17 +18,20 @@
 %define lname libzzip-0-13
 Name: zziplib
-Version: 0.13.68
+Version: 0.13.69
 Release: 0
 Summary: ZIP Compression Library
 License: LGPL-2.1+
 Group: Development/Libraries/C and C++
+# License: LGPL-2.1-or-later
 Url: http://zziplib.sourceforge.net
 Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: CVE-2018-7726.patch
+Patch4: CVE-2018-7725.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -65,6 +68,8 @@
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
@@ -85,11 +90,11 @@
 %postun -n %{lname} -p /sbin/ldconfig
 %files -n %{lname}
-%doc COPYING.LIB
+%license COPYING.LIB
 %{_libdir}/libzzip*.so.*
 %files devel
-%doc docs/README* ChangeLog README TODO
+%doc docs/README.SDL ChangeLog README TODO
 %{_bindir}/unzzip*
 %{_bindir}/zz*
 %{_bindir}/unzip-mem
++++++ CVE-2018-7725.patch ++++++
Index: zziplib-0.13.69/zzip/memdisk.c
===================================================================
--- zziplib-0.13.69.orig/zzip/memdisk.c
+++ zziplib-0.13.69/zzip/memdisk.c
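Review bot: The added `+# License: LGPL-2.1-or-later` in the second hunk is a comment, not a tag, so the spec now carries two different license spellings (the active `License: LGPL-2.1+` and the comment) with nothing saying why the tag itself was not changed. Either update the tag to `License: LGPL-2.1-or-later` or drop the comment. The same hunk introduces Patch3 (CVE-2018-7726.patch) and Patch4 (CVE-2018-7725.patch), which the %prep hunk applies in that order; from the patch contents later on this page that order matters, so a one-line comment above `Patch3:` noting that Patch4 must follow Patch3 would protect against a future reorder.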
@@ -222,6 +222,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 item->zz_filetype = zzip_disk_entry_get_filetype(entry);
 /*
+ * If zz_data+zz_csize exceeds the size of the file, bail out
+ */
+ if ((item->zz_data + item->zz_csize) < disk->buffer ||
+ (item->zz_data + item->zz_csize) >= disk->endbuf)
+ {
+ goto error;
+ }
+ /*
 * If the file is uncompressed, zz_csize and zz_usize should be the same
 * If they are not, we cannot guarantee that either is correct, so ...
 */
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
@@ -408,7 +408,7 @@ __zzip_parse_root_directory(int fd,
 struct _disk_trailer *trailer,
 struct zzip_dir_hdr **hdr_return,
 zzip_plugin_io_t io,
- zzip_off_t filesize);
+ zzip_off_t filesize)
 {
 auto struct zzip_disk_entry dirent;
 struct zzip_dir_hdr *hdr;
++++++ CVE-2018-7726.patch ++++++
Index: zziplib-0.13.69/docs/zziplib.html
===================================================================
--- zziplib-0.13.69.orig/docs/zziplib.html
+++ zziplib-0.13.69/docs/zziplib.html
@@ -415,7 +415,8 @@ generated 2003-12-12
 <code>(<nobr>int fd</nobr>,
 <nobr>struct zzip_disk_trailer * trailer</nobr>,
 <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
 </td></tr><tr valign="top">
 <td valign="top"><code>ZZIP_DIR*
@@ -1091,7 +1092,8 @@ generated 2003-12-12
 <code>(<nobr>int fd</nobr>,
 <nobr>struct zzip_disk_trailer * trailer</nobr>,
 <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
 </code></code><dt>
 <dd><p> (../zzip/zip.c)
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
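Review bot: The new check in zzip_mem_entry_new forms `item->zz_data + item->zz_csize` before comparing it with `disk->buffer` and `disk->endbuf`; zz_csize comes straight from the central-directory entry of the file being parsed, so the addition can produce a pointer far outside the mapped buffer, which is undefined pointer arithmetic in C and may wrap, leaving the `< disk->buffer` half of the test unreliable. Comparing the remaining room as a size avoids ever forming the out-of-range pointer, e.g. `if (item->zz_data < disk->buffer || item->zz_data >= disk->endbuf || item->zz_csize > (size_t)(disk->endbuf - item->zz_data)) goto error;` (this assumes zz_data, buffer and endbuf are byte pointers into the same mapping; their declarations are not in the hunk). The `>= disk->endbuf` comparison also rejects an entry whose data ends exactly at the end of the buffer, which is probably harmless because the central directory follows the entry data, but `>` would state the intent more precisely. The enclosing function starts and ends outside the hunk, and whether zz_data was already bounds-checked when it was assigned is not visible here.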
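Review bot: The zip.c hunk of CVE-2018-7725.patch at @@ -408,7 +408,7 @@ only turns `zzip_off_t filesize);` into `zzip_off_t filesize)` in the definition of __zzip_parse_root_directory, i.e. it repairs the stray semicolon that CVE-2018-7726.patch introduces in its own @@ -406,7 +407,8 @@ hunk further down this page. As a result CVE-2018-7726.patch does not compile on its own and CVE-2018-7725.patch only applies after it, a hidden ordering dependency between Patch3 and Patch4 in the spec. The semicolon fix belongs in CVE-2018-7726.patch itself, which would make each patch self-contained. The body of __zzip_parse_root_directory continues outside the hunk.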
@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
 int __zzip_parse_root_directory(int fd,
 struct _disk_trailer *trailer,
 struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io);
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
 _zzip_inline static char *__zzip_aligned4(char *p);
@@ -406,7 +407,8 @@ int
 __zzip_parse_root_directory(int fd,
 struct _disk_trailer *trailer,
 struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io)
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
 {
 auto struct zzip_disk_entry dirent;
 struct zzip_dir_hdr *hdr;
@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
 zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
 __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
+ return ZZIP_CORRUPTED;
+
 if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
 return ZZIP_CORRUPTED;
@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
 (long) _disk_trailer_rootseek(&trailer));
 if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
- dir->io)) != 0)
+ dir->io, filesize)) != 0)
 {
 goto error;
 }
 error:
 return rv;
++++++ zziplib-0.13.68.tar.gz -> zziplib-0.13.69.tar.gz ++++++
++++ 36045 lines of diff (skipped)
++++++ zziplib-largefile.patch ++++++
--- /var/tmp/diff_new_pack.DPHu4M/_old 2018-03-26 12:01:14.130772671 +0200
+++ /var/tmp/diff_new_pack.DPHu4M/_new 2018-03-26 12:01:14.138772382 +0200
@@ -2,7 +2,7 @@
 ===================================================================
 --- configure.ac.orig
 +++ configure.ac
-@@ -125,7 +125,7 @@ if test ".$ac_cv_sys_largefile_sensitive
+@@ -129,7 +129,7 @@ if test ".$ac_cv_sys_largefile_sensitive
 elif test ".$with_largefile" != ".no" ; then
 AC_MSG_RESULT(compiles library as 64bit off_t variant dnl
 - and renaming some function names)
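Review bot: The guard added at @@ -421,6 +423,9 @@ in __zzip_parse_root_directory checks that the central directory starts before filesize but not that its zz_rootsize bytes fit, so `zz_rootseek + zz_rootsize` can still run past the end of the file; widening it to `if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize || zz_rootsize > filesize - zz_rootseek) return ZZIP_CORRUPTED;` would cover that case as well (how the read loop further down copes with a short read is outside the hunk). The existing line directly below, `if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)`, now repeats the `zz_rootseek < 0` and `zz_rootsize < 0` tests and could shrink to `if (zz_entries < 0)`. zz_rootseek is a zzip_off64_t while filesize is a zzip_off_t; if the two types ever differ in width the comparison is still well-defined, but a short comment stating that filesize is expected to be non-negative here would help, since the caller hunk at @@ -755 passes it through from a local in __zzip_dir_parse whose origin is not visible on this page.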