zziplib: fix CVE-2018-16548

2019-01-12 21:56:16 -06:00 · 2019-01-12 21:56:16 -06:00 · 456e4095c5
commit 456e4095c5
parent 19f6d119b1
3 changed files with 265 additions and 2 deletions
--- a/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch
+++ b/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch
@ -0,0 +1,91 @@
+From 535fa8d4deedc1da59884ce4f2fcc6528bf07251 Mon Sep 17 00:00:00 2001
+From: Nathan Owens <ndowens04@gmail.com>
+Date: Sat, 12 Jan 2019 22:29:49 -0600
+Subject: [PATCH] CVE-2018-17828
+
+---
+ bins/unzzipcat-big.c |  57 ++++++++++++++++++++++++++++++++++++++++++-
+ test/test.zip        | Bin 1361 -> 0 bytes
+ 2 files changed, 56 insertions(+), 1 deletion(-)
+ delete mode 100644 test/test.zip
+
+diff --git bins/unzzipcat-big.c bins/unzzipcat-big.c
+index 982d262..88c4d65 100644
+--- bins/unzzipcat-big.c
+++ bins/unzzipcat-big.c
+@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
+     }
+ }
+ 
+/*
+ * NAME: remove_dotdotslash
+ * PURPOSE: To remove any "../" components from the given pathname
+ * ARGUMENTS: path: path name with maybe "../" components
+ * RETURNS: Nothing, "path" is modified in-place
+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
+ *	Also, "path" is not used after creating it.
+ *	So modifying "path" in-place is safe to do.
+ */
+static inline void
+remove_dotdotslash(char *path)
+{
+    /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
+    char *dotdotslash;
+    int warned = 0;
+
+    dotdotslash = path;
+    while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
+    {
+        /*
+         * Remove only if at the beginning of the pathname ("../path/name")
+         * or when preceded by a slash ("path/../name"),
+         * otherwise not ("path../name..")!
+         */
+        if (dotdotslash == path || dotdotslash[-1] == '/')
+        {
+            char *src, *dst;
+            if (!warned)
+            {
+                /* Note: the first time through the pathname is still intact */
+                fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
+                warned = 1;
+            }
+            /* We cannot use strcpy(), as there "The strings may not overlap" */
+            for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
+                ;
+        }
+        else
+            dotdotslash +=3;	/* skip this instance to prevent infinite loop */
+    }
+}
+
+ static void makedirs(const char* name)
+ {
+       char* p = strrchr(name, '/');
+@@ -70,6 +112,16 @@ static void makedirs(const char* name)
+ 
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
+   char *name_stripped;
+   FILE *fp;
+   int mustfree = 0;
+
+   if ((name_stripped = strdup(name)) != NULL)
+   {
+       remove_dotdotslash(name_stripped);
+       name = name_stripped;
+       mustfree = 1;
+   }
+    if (subdirs)
+    {
+       char* p = strrchr(name, '/');
+@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+           free (dir_name);
+       }
+    }
+-   return fopen(name, mode);      
+   fp = fopen(name, mode);
+   if (mustfree)
+       free(name_stripped);
+    return fp;
+ }
--- a/srcpkgs/zziplib/patches/CVE-2018-16548.patch
+++ b/srcpkgs/zziplib/patches/CVE-2018-16548.patch
@ -0,0 +1,172 @@
+From 59c36ebe29fddd832c7afecc26dc5fe3e61faf1f Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: [PATCH 1/3] One more free() to avoid memory leak.
+
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git zzip/zip.c zzip/zip.c
+index 14e2e06..a28456f 100644
+--- zzip/zip.c
+++ zzip/zip.c
+@@ -575,6 +575,8 @@ __zzip_parse_root_directory(int fd,
+         if (hdr_return)
+             *hdr_return = hdr0;
+     }                           /* else zero (sane) entries */
+    else
+        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+     return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+ #  else
+-- 
+2.20.1
+
+
+From 490d6e72031790da0a4d229d13f7d5a389789977 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git zzip/zip.c zzip/zip.c
+index a28456f..51a1a4d 100644
+--- zzip/zip.c
+++ zzip/zip.c
+@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ int __zzip_parse_root_directory(int fd,
+                                 struct _disk_trailer *trailer,
+                                 struct zzip_dir_hdr **hdr_return,
+-                                zzip_plugin_io_t io);
+                                zzip_plugin_io_t io,
+				zzip_off_t filesize);
+ 
+ _zzip_inline static char *__zzip_aligned4(char *p);
+ 
+@@ -406,7 +407,8 @@ int
+ __zzip_parse_root_directory(int fd,
+                             struct _disk_trailer *trailer,
+                             struct zzip_dir_hdr **hdr_return,
+-                            zzip_plugin_io_t io)
+                            zzip_plugin_io_t io,
+                            zzip_off_t filesize)
+ {
+     auto struct zzip_disk_entry dirent;
+     struct zzip_dir_hdr *hdr;
+@@ -421,7 +423,8 @@ __zzip_parse_root_directory(int fd,
+     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ 
+-    if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+    if (zz_entries <= 0 || zz_rootsize < 0 ||
+        zz_rootseek < 0 || zz_rootseek >= filesize)
+         return ZZIP_CORRUPTED;
+ 
+     hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+@@ -472,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+         } else
+         {
+             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+	    {
+	    	free(hdr0);
+                 return ZZIP_DIR_SEEK;
+	    }
+             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+	    {
+	    	free(hdr0);
+                 return ZZIP_DIR_READ;
+	    }
+             d = &dirent;
+         }
+ 
+@@ -574,13 +583,16 @@ __zzip_parse_root_directory(int fd,
+ 
+         if (hdr_return)
+             *hdr_return = hdr0;
+	else
+	{
+	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+	    free(hdr0);
+	}
+     }                           /* else zero (sane) entries */
+-    else
+-        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  endif
+ }
+ 
+@@ -757,7 +769,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
+           (long) _disk_trailer_rootseek(&trailer));
+ 
+     if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
+-                                          dir->io)) != 0)
+                                          dir->io, filesize)) != 0)
+         { goto error; }
+   error:
+     return rv;
+-- 
+2.20.1
+
+
+From aab49d23bc28d13183cb62e71b884e24595cbe65 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: [PATCH 3/3] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git zzip/zip.c zzip/zip.c
+index 51a1a4d..a685280 100644
+--- zzip/zip.c
+++ zzip/zip.c
+@@ -587,13 +587,34 @@ __zzip_parse_root_directory(int fd,
+ 	{
+ 	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+ 	    free(hdr0);
+	    /* Make sure we don't free it again in case of error */
+	    hdr0 = NULL;
+ 	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+    if (entries != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+    if (((entries & (unsigned)0xFFFF) != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
+ #  endif
+    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */
+-- 
+2.20.1
+
--- a/srcpkgs/zziplib/template
+++ b/srcpkgs/zziplib/template
@ -1,14 +1,14 @@
 # Template file for 'zziplib'
 pkgname=zziplib
 version=0.13.69
-revision=1
+revision=2
 build_style=gnu-configure
 hostmakedepends="pkg-config python"
 makedepends="zlib-devel"
 short_desc="Lightweight library to extract data from zip files"
 maintainer="Juan RP <xtraeme@voidlinux.org>"
-homepage="https://github.com/gdraheim/zziplib"
 license="LGPL-2.1-or-later, MPL-1.1"
+homepage="https://github.com/gdraheim/zziplib"
 distfiles="https://github.com/gdraheim/zziplib/archive/v${version}.tar.gz"
 checksum=846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544