From 9f9eb8c9ed2a2ab07e684cecfbfff558ece33792 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Mon, 23 Mar 2015 07:49:24 -0500
Subject: [PATCH] CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)
---
 libzip-0.11.2-CVE-2015-2331.patch | 12 ++++++++++++
 libzip.spec | 9 ++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 libzip-0.11.2-CVE-2015-2331.patch
diff --git a/libzip-0.11.2-CVE-2015-2331.patch b/libzip-0.11.2-CVE-2015-2331.patch
new file mode 100644
index 0000000..44aeb5a
--- /dev/null
+++ b/libzip-0.11.2-CVE-2015-2331.patch
@@ -0,0 +1,12 @@
+diff -up libzip-0.11.2/lib/zip_dirent.c.CVE-2015-2331 libzip-0.11.2/lib/zip_dirent.c
+--- libzip-0.11.2/lib/zip_dirent.c.CVE-2015-2331 2013-11-28 10:57:10.000000000 -0600
++++ libzip-0.11.2/lib/zip_dirent.c 2015-03-23 07:45:27.486986723 -0500
+@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
+
+ if (nentry == 0)
+ cd->entry = NULL;
+- else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
++ else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(zip_entry_t *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ _zip_error_set(error, ZIP_ER_MEMORY, 0);
+ free(cd);
+ return NULL;
diff --git a/libzip.spec b/libzip.spec
index 25da572..bcc898b 100644
--- a/libzip.spec
+++ b/libzip.spec
@@ -3,13 +3,17 @@
 Name: libzip
 Version: 0.11.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: C library for reading, creating, and modifying zip archives
 License: BSD
 URL: http://www.nih.at/libzip/index.html
 Source0: http://www.nih.at/libzip/libzip-%{version}.tar.xz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1204677
+# http://hg.nih.at/libzip/raw-rev/9f11d54f692e
+Patch1: libzip-0.11.2-CVE-2015-2331.patch
+
 #BuildRequires: automake libtool
 BuildRequires: zlib-devel
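Review bot: The added line in `_zip_cdir_new` changes the malloc cast from `(struct zip_entry *)` to `(zip_entry_t *)` as well as adding the overflow guard. The removed line shows 0.11.2 using the struct tag, and nothing visible here shows that typedef existing in this release, so the backported patch may fail to compile. Keeping the original cast, `(cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL`, leaves the `nentry > SIZE_MAX/sizeof(*(cd->entry))` guard as the only change. `SIZE_MAX` also needs `<stdint.h>` to be reachable from zip_dirent.c, which this hunk does not show. The function body starts and ends outside the hunk.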
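Review bot: `Patch1:` is declared in this hunk, but no `%patch1` line is added to `%prep` anywhere in the commit. The diffstat's 8 insertions in libzip.spec are fully accounted for by this hunk and the changelog hunk. Unless `%prep` (outside the visible hunks) already applies patches automatically, for example via `%autosetup`, the CVE-2015-2331 fix is shipped in the SRPM but never applied to the built library. If `%prep` uses a plain `%setup`, add `%patch1 -p1 -b .CVE-2015-2331` after it and confirm in the build log that the patch is applied.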
@@ -93,6 +97,9 @@ make check %changelog +* Mon Mar 23 2015 Rex Dieter 0.11.2-4 +- CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677) + * Sun Aug 17 2014 Fedora Release Engineering - 0.11.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild