Tony Mancill pushed to branch master at Debian Java Maintainers / zip4j
Commits: a0c10886 by tony mancill at 2023-01-16T12:10:51-08:00 Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038) - - - - - b1b77797 by tony mancill at 2023-01-16T12:12:12-08:00 Freshen years in debian/copyright - - - - - 9df4a943 by tony mancill at 2023-01-16T12:12:35-08:00 Bump Standards-Version to 4.6.2 - - - - - 2b9b7f84 by tony mancill at 2023-01-16T12:15:03-08:00 Prepare changelog for upload - - - - - 5 changed files: - debian/changelog - debian/control - debian/copyright - + debian/patches/CVE-2023-22899.patch - + debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,17 @@ +zip4j (2.11.2-3) unstable; urgency=high + + * Team upload. + + [ Debian Janitor ] + * Remove constraints unnecessary since buster (oldstable) + + [ tony mancill ] + * Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038) + * Freshen years in debian/copyright + * Bump Standards-Version to 4.6.2 + + -- tony mancill <tmanc...@debian.org> Mon, 16 Jan 2023 12:12:37 -0800 + zip4j (2.11.2-2) unstable; urgency=medium * Update debian/watch to watch GitHub tags. ===================================== debian/control ===================================== @@ -9,7 +9,7 @@ Build-Depends: default-jdk, libmaven-bundle-plugin-java, maven-debian-helper, -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Git: https://salsa.debian.org/java-team/zip4j.git Vcs-Browser: https://salsa.debian.org/java-team/zip4j Homepage: http://www.lingala.net/zip4j ===================================== debian/copyright ===================================== 
@@ -3,11 +3,11 @@ Upstream-Name: zip4j Source: https://github.com/srikanth-lingala/zip4j/releases Files: * -Copyright: 2019-2022, Srikanth Reddy Lingala <srikanth.mail...@gmail.com> +Copyright: 2019-2023, Srikanth Reddy Lingala <srikanth.mail...@gmail.com> License: Apache-2.0 Files: debian/* -Copyright: 2019-2022, Andrius Merkys <mer...@debian.org> +Copyright: 2019-2023, Andrius Merkys <mer...@debian.org> License: Apache-2.0 License: Apache-2.0 ===================================== debian/patches/CVE-2023-22899.patch ===================================== 
@@ -0,0 +1,43 @@
+Description: Check for MAC even when DataDescritor exists
+ Addresses vulnerability CVE-2023-22899
+ Zip4j through 2.11.2, as used in Threema and other products, does not
+ always check the MAC when decrypting a ZIP archive.
+Source: https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3.patch
+From: Srikanth Reddy Lingala <srikanth.mail...@gmail.com>
+Date: Sun, 15 Jan 2023 11:19:55 -0500
+Bug-Vendor: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029038
+Forwarded: not-needed
+
+---
+ .../zip4j/io/inputstream/AesCipherInputStream.java | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/src/main/java/net/lingala/zip4j/io/inputstream/AesCipherInputStream.java
++++ b/src/main/java/net/lingala/zip4j/io/inputstream/AesCipherInputStream.java
+@@ -4,9 +4,7 @@
+ import net.lingala.zip4j.exception.ZipException;
+ import net.lingala.zip4j.model.AESExtraDataRecord;
+ import net.lingala.zip4j.model.LocalFileHeader;
+-import net.lingala.zip4j.model.enums.CompressionMethod;
+ import net.lingala.zip4j.util.InternalZipConstants;
+-import net.lingala.zip4j.util.Zip4jUtil;
+
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -124,16 +122,6 @@
+ }
+
+ private void verifyContent(byte[] storedMac) throws IOException {
+- if (getLocalFileHeader().isDataDescriptorExists()
+- && CompressionMethod.DEFLATE.equals(Zip4jUtil.getCompressionMethod(getLocalFileHeader()))) {
+- // Skip content verification in case of Deflate compression and if data descriptor exists.
+- // In this case, we do not know the exact size of compressed data before hand and it is possible that we read
+- // and pass more than required data into inflater, thereby corrupting the aes mac bytes.
+- // See usage of PushBackInputStream in the project for how this push back of data is done
+- // Unfortunately, in this case we cannot perform a content verification and have to skip
+- return;
+- }
+-
+ byte[] calculatedMac = getDecrypter().getCalculatedAuthenticationBytes();
+ byte[] first10BytesOfCalculatedMac = new byte[AES_AUTH_LENGTH];
+ System.arraycopy(calculatedMac, 0, first10BytesOfCalculatedMac, 0, InternalZipConstants.AES_AUTH_LENGTH);
===================================== debian/patches/series =====================================
@@ -0,0 +1 @@
+CVE-2023-22899.patch
View it on GitLab: https://salsa.debian.org/java-team/zip4j/-/compare/14d20c213d1d152445e49e6625f9a3bbedbfe442...2b9b7f84c3fcd9d012e1a11637fcf6c563d51baf
--
View it on GitLab: https://salsa.debian.org/java-team/zip4j/-/compare/14d20c213d1d152445e49e6625f9a3bbedbfe442...2b9b7f84c3fcd9d012e1a11637fcf6c563d51baf
You're receiving this email because of your account on salsa.debian.org.
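Review bot: Deleting the early return in verifyContent makes the MAC comparison unconditional for deflate entries with a data descriptor, but the hunk shows no matching change to how many encrypted bytes are fed to the decrypter, which the removed comment claimed could overshoot and corrupt the calculated MAC. If that concern was real, such entries will now fail with a MAC mismatch instead of being accepted unverified — a safer failure mode, but since the upstream commit is deletions only, the package should be exercised against an archive written with data descriptors (a streaming writer) before upload so a regression is caught in Debian rather than by users. The comparison of first10BytesOfCalculatedMac against storedMac lies beyond the hunk; if it is done with Arrays.equals, consider `if (!MessageDigest.isEqual(first10BytesOfCalculatedMac, storedMac))` for a constant-time check. verifyContent continues past the end of the hunk.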