From 4e76995571b1f1724ed79e958df48d3c19f62861 Mon Sep 17 00:00:00 2001 From: Helmut Pozimski Date: Wed, 14 Jun 2017 21:37:13 +0200 Subject: [PATCH] zziplib: add patches to fix multiple CVEs fixes for CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980 and CVE-2017-5981. Patches from SuSe via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727#35 --- srcpkgs/zziplib/patches/CVE-2017-5974.patch | 22 ++++++++ srcpkgs/zziplib/patches/CVE-2017-5975.patch | 26 +++++++++ srcpkgs/zziplib/patches/CVE-2017-5976.patch | 55 +++++++++++++++++++ srcpkgs/zziplib/patches/CVE-2017-5978.patch | 31 +++++++++++ srcpkgs/zziplib/patches/CVE-2017-5979.patch | 13 +++++ srcpkgs/zziplib/patches/CVE-2017-5981.patch | 14 +++++ .../patches/zziplib-unzipcat-NULL-name.patch | 50 +++++++++++++++++ srcpkgs/zziplib/template | 2 +- 8 files changed, 212 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5974.patch create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5975.patch create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5976.patch create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5978.patch create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5979.patch create mode 100644 srcpkgs/zziplib/patches/CVE-2017-5981.patch create mode 100644 srcpkgs/zziplib/patches/zziplib-unzipcat-NULL-name.patch diff --git a/srcpkgs/zziplib/patches/CVE-2017-5974.patch b/srcpkgs/zziplib/patches/CVE-2017-5974.patch new file mode 100644 index 0000000000..8de66daa01 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5974.patch @@ -0,0 +1,22 @@ +Index: zziplib-0.13.62/zzip/memdisk.c +=================================================================== +--- zzip/memdisk.c ++++ zzip/memdisk.c +@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + /* override sizes/offsets with zip64 values for largefile support */ + zzip_extra_zip64 *block = (zzip_extra_zip64 *) + zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64); +- if (block) ++ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)) + { +- item->zz_usize = __zzip_get64(block->z_usize); +- item->zz_csize = __zzip_get64(block->z_csize); +- item->zz_offset = __zzip_get64(block->z_offset); +- item->zz_diskstart = __zzip_get32(block->z_diskstart); ++ item->zz_usize = ZZIP_GET64(block->z_usize); ++ item->zz_csize = ZZIP_GET64(block->z_csize); ++ item->zz_offset = ZZIP_GET64(block->z_offset); ++ item->zz_diskstart = ZZIP_GET32(block->z_diskstart); + } + } + /* NOTE: diff --git a/srcpkgs/zziplib/patches/CVE-2017-5975.patch b/srcpkgs/zziplib/patches/CVE-2017-5975.patch new file mode 100644 index 0000000000..87d48901b3 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5975.patch @@ -0,0 +1,26 @@ +Index: zziplib-0.13.62/zzip/memdisk.c +=================================================================== +--- zzip/memdisk.c ++++ zzip/memdisk.c +@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + return 0; /* errno=ENOMEM; */ + ___ struct zzip_file_header *header = + zzip_disk_entry_to_file_header(disk, entry); ++ if (!header) ++ { free(item); return 0; } + /* there is a number of duplicated information in the file header + * or the disk entry block. Theoretically some part may be missing + * that exists in the other, ... but we will prefer the disk entry. +Index: zziplib-0.13.62/zzip/mmapped.c +=================================================================== +--- zzip/mmapped.c ++++ zzip/mmapped.c +@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK + (disk->buffer + zzip_disk_entry_fileoffset(entry)); + if (disk->buffer > file_header || file_header >= disk->endbuf) + return 0; ++ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC) ++ return 0; + return (struct zzip_file_header *) file_header; + } + diff --git a/srcpkgs/zziplib/patches/CVE-2017-5976.patch b/srcpkgs/zziplib/patches/CVE-2017-5976.patch new file mode 100644 index 0000000000..42bad44435 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5976.patch @@ -0,0 +1,55 @@ +Index: zziplib-0.13.62/zzip/memdisk.c +=================================================================== +--- zzip/memdisk.c ++++ zzip/memdisk.c +@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + { + void *mem = malloc(ext1 + 2); + item->zz_ext[1] = mem; ++ item->zz_extlen[1] = ext1 + 2; + memcpy(mem, ptr1, ext1); + ((char *) (mem))[ext1 + 0] = 0; + ((char *) (mem))[ext1 + 1] = 0; +@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + { + void *mem = malloc(ext2 + 2); + item->zz_ext[2] = mem; ++ item->zz_extlen[2] = ext2 + 2; + memcpy(mem, ptr2, ext2); + ((char *) (mem))[ext2 + 0] = 0; + ((char *) (mem))[ext2 + 1] = 0; +@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR + while (1) + { + ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i]; +- if (ext) ++ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength)) + { ++ char *endblock = (char *)ext + entry->zz_extlen[i]; ++ + while (*(short *) (ext->z_datatype)) + { + if (datatype == zzip_extra_block_get_datatype(ext)) +@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR + e += zzip_extra_block_headerlength; + e += zzip_extra_block_get_datasize(ext); + ext = (void *) e; ++ if (e >= endblock) ++ { ++ break; ++ } + ____; + } + } +Index: zziplib-0.13.62/zzip/memdisk.h +=================================================================== +--- zzip/memdisk.h ++++ zzip/memdisk.h +@@ -66,6 +66,7 @@ struct _zzip_mem_entry { + int zz_filetype; /* (from "z_filetype") */ + char* zz_comment; /* zero-terminated (from "comment") */ + ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */ ++ int zz_extlen[3]; /* length of zz_ext[i] in bytes */ + }; /* the extra blocks are NOT converted */ + + #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list) diff --git a/srcpkgs/zziplib/patches/CVE-2017-5978.patch b/srcpkgs/zziplib/patches/CVE-2017-5978.patch new file mode 100644 index 0000000000..33dc5a17e6 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5978.patch @@ -0,0 +1,31 @@ +Index: zziplib-0.13.62/zzip/memdisk.c +=================================================================== +--- zzip/memdisk.c ++++ zzip/memdisk.c +@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + * that exists in the other, ... but we will prefer the disk entry. + */ + item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry); +- item->zz_name = zzip_disk_entry_strdup_name(disk, entry); ++ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup(""); + item->zz_data = zzip_file_header_to_data(header); + item->zz_flags = zzip_disk_entry_get_flags(entry); + item->zz_compr = zzip_disk_entry_get_compr(entry); +@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + int /* */ ext2 = zzip_file_header_get_extras(header); + char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header); + +- if (ext1) ++ if (ext1 && ((ptr1 + ext1) < disk->endbuf)) + { + void *mem = malloc(ext1 + 2); + item->zz_ext[1] = mem; +@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI + ((char *) (mem))[ext1 + 0] = 0; + ((char *) (mem))[ext1 + 1] = 0; + } +- if (ext2) ++ if (ext2 && ((ptr2 + ext2) < disk->endbuf)) + { + void *mem = malloc(ext2 + 2); + item->zz_ext[2] = mem; diff --git a/srcpkgs/zziplib/patches/CVE-2017-5979.patch b/srcpkgs/zziplib/patches/CVE-2017-5979.patch new file mode 100644 index 0000000000..815a375357 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5979.patch @@ -0,0 +1,13 @@ +Index: zziplib-0.13.62/zzip/fseeko.c +=================================================================== +--- zzip/fseeko.c ++++ zzip/fseeko.c +@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk) + return 0; + /* we read out chunks of 8 KiB in the hope to match disk granularity */ + ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */ +- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry)); ++ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry)); + if (! entry) + return 0; + ___ unsigned char *buffer = malloc(pagesize); diff --git a/srcpkgs/zziplib/patches/CVE-2017-5981.patch b/srcpkgs/zziplib/patches/CVE-2017-5981.patch new file mode 100644 index 0000000000..c6655c8f89 --- /dev/null +++ b/srcpkgs/zziplib/patches/CVE-2017-5981.patch @@ -0,0 +1,14 @@ +Index: zziplib-0.13.62/zzip/fseeko.c +=================================================================== +--- zzip/fseeko.c ++++ zzip/fseeko.c +@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk) + } else + continue; + +- assert(0 <= root && root < mapsize); ++ if (root < 0 || root >= mapsize) ++ goto error; + if (fseeko(disk, root, SEEK_SET) == -1) + goto error; + if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk) diff --git a/srcpkgs/zziplib/patches/zziplib-unzipcat-NULL-name.patch b/srcpkgs/zziplib/patches/zziplib-unzipcat-NULL-name.patch new file mode 100644 index 0000000000..e4bef52318 --- /dev/null +++ b/srcpkgs/zziplib/patches/zziplib-unzipcat-NULL-name.patch @@ -0,0 +1,50 @@ +Index: zziplib-0.13.62/bins/unzzipcat.c +=================================================================== +--- bins/unzzipcat.c ++++ bins/unzzipcat.c +@@ -91,8 +91,11 @@ main (int argc, char ** argv) + for (; entry ; entry = zzip_disk_findnext(disk, entry)) + { + char* name = zzip_disk_entry_strdup_name (disk, entry); +- printf ("%s\n", name); +- free (name); ++ if (name) ++ { ++ printf ("%s\n", name); ++ free (name); ++ } + } + return 0; + } +@@ -112,10 +115,13 @@ main (int argc, char ** argv) + for (; entry ; entry = zzip_disk_findnext(disk, entry)) + { + char* name = zzip_disk_entry_strdup_name (disk, entry); +- if (! fnmatch (argv[argn], name, +- FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) +- zzip_disk_cat_file (disk, name, stdout); +- free (name); ++ if (name) ++ { ++ if (! fnmatch (argv[argn], name, ++ FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) ++ zzip_disk_cat_file (disk, name, stdout); ++ free (name); ++ } + } + } + return 0; +Index: zziplib-0.13.62/zzip/fseeko.c +=================================================================== +--- zzip/fseeko.c ++++ zzip/fseeko.c +@@ -300,7 +300,8 @@ zzip_entry_findfirst(FILE * disk) + * central directory was written directly before : */ + root = mapoffs - rootsize; + } +- } else if (zzip_disk64_trailer_check_magic(p)) ++ } else if ((p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize) ++ && zzip_disk64_trailer_check_magic(p)) + { + struct zzip_disk64_trailer *trailer = + (struct zzip_disk64_trailer *) p; diff --git a/srcpkgs/zziplib/template b/srcpkgs/zziplib/template index 821f1c067e..5845d0e882 100644 --- a/srcpkgs/zziplib/template +++ b/srcpkgs/zziplib/template @@ -1,7 +1,7 @@ # Template file for 'zziplib' pkgname=zziplib version=0.13.62 -revision=2 +revision=3 build_style=gnu-configure hostmakedepends="automake libtool pkg-config python" makedepends="zlib-devel"