diff --git a/.gitignore b/.gitignore
index a810290..2b7387c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ zziplib-0.13.49.tar.bz2
 /v0.13.67.tar.gz
 /v0.13.68.tar.gz
 /v0.13.69.tar.gz
+/v0.13.71.tar.gz
diff --git a/CVE-2018-16548.part1.patch b/CVE-2018-16548.part1.patch
deleted file mode 100644
index 25c2b74..0000000
--- a/CVE-2018-16548.part1.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 11:32:04 +0200 -Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). - ---- - test/test.zip | Bin 1361 -> 1361 bytes - zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++-- - 2 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/zzip/zip.c b/zzip/zip.c -index 88b833b..a685280 100644 ---- a/zzip/zip.c -+++ b/zzip/zip.c -@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd, - } else - { - if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) -+ { -+ free(hdr0); - return ZZIP_DIR_SEEK; -+ } - if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) -+ { -+ free(hdr0); - return ZZIP_DIR_READ; -+ } - d = &dirent; - } - -@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd, - - if (hdr_return) - *hdr_return = hdr0; -+ else -+ { -+ /* If it is not assigned to *hdr_return, it will never be free()'d */ -+ free(hdr0); -+ /* Make sure we don't free it again in case of error */ -+ hdr0 = NULL; -+ } - } /* else zero (sane) entries */ - # ifndef ZZIP_ALLOW_MODULO_ENTRIES -- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); -+ if (entries != zz_entries) -+ { -+ /* If it was assigned to *hdr_return, undo assignment */ -+ if (p_reclen && hdr_return) -+ *hdr_return = NULL; -+ /* Free it, if it was not already free()'d */ -+ if (hdr0 != NULL) -+ free(hdr0); -+ return ZZIP_CORRUPTED; -+ } - # else -- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); -+ if (((entries & (unsigned)0xFFFF) != zz_entries) -+ { -+ /* If it was assigned to *hdr_return, undo assignment */ -+ if (p_reclen && hdr_return) -+ *hdr_return = NULL; -+ /* Free it, if it was not already free()'d */ -+ if (hdr0 != NULL) -+ free(hdr0); -+ return ZZIP_CORRUPTED; -+ } - # endif -+ return 0; - } - - /* ------------------------- high-level interface ------------------------- */ 
diff --git a/CVE-2018-16548.part2.patch b/CVE-2018-16548.part2.patch deleted file mode 100644 index b9bea26..0000000 --- a/CVE-2018-16548.part2.patch +++ /dev/null @@ -1,50 +0,0 @@ -From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 11:49:28 +0200 -Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). - ---- - zzip/zip.c | 25 ++----------------------- - 1 file changed, 2 insertions(+), 23 deletions(-) - -diff --git a/zzip/zip.c b/zzip/zip.c -index a685280..51a1a4d 100644 ---- a/zzip/zip.c -+++ b/zzip/zip.c -@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd, - { - /* If it is not assigned to *hdr_return, it will never be free()'d */ - free(hdr0); -- /* Make sure we don't free it again in case of error */ -- hdr0 = NULL; - } - } /* else zero (sane) entries */ - # ifndef ZZIP_ALLOW_MODULO_ENTRIES -- if (entries != zz_entries) -- { -- /* If it was assigned to *hdr_return, undo assignment */ -- if (p_reclen && hdr_return) -- *hdr_return = NULL; -- /* Free it, if it was not already free()'d */ -- if (hdr0 != NULL) -- free(hdr0); -- return ZZIP_CORRUPTED; -- } -+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; - # else -- if (((entries & (unsigned)0xFFFF) != zz_entries) -- { -- /* If it was assigned to *hdr_return, undo assignment */ -- if (p_reclen && hdr_return) -- *hdr_return = NULL; -- /* Free it, if it was not already free()'d */ -- if (hdr0 != NULL) -- free(hdr0); -- return ZZIP_CORRUPTED; -- } -+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; - # endif -- return 0; - } - - /* ------------------------- high-level interface ------------------------- */ diff --git a/CVE-2018-16548.part3.patch b/CVE-2018-16548.part3.patch deleted file mode 100644 index f2f8214..0000000 --- a/CVE-2018-16548.part3.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 13:55:35 +0200 -Subject: [PATCH] One more free() to avoid memory leak. - ---- - zzip/zip.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/zzip/zip.c b/zzip/zip.c -index 51a1a4d..bc6c080 100644 ---- a/zzip/zip.c -+++ b/zzip/zip.c -@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd, - free(hdr0); - } - } /* else zero (sane) entries */ -+ else -+ free(hdr0); - # ifndef ZZIP_ALLOW_MODULO_ENTRIES - return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; - # else diff --git a/CVE-2018-17828.part2.patch b/CVE-2018-17828.part2.patch deleted file mode 100644 index 111167c..0000000 --- a/CVE-2018-17828.part2.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c -index c45cb72..ff564a5 100644 ---- a/bins/unzip-mem.c -+++ b/bins/unzip-mem.c -@@ -88,10 +88,49 @@ static void zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk, - } - } - -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! -+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void zzip_mem_entry_make(ZZIP_MEM_DISK* disk, - ZZIP_MEM_ENTRY* entry) - { -- FILE* file = fopen (entry->zz_name, "wb"); -+ char name_stripped[PATH_MAX]; -+ FILE* file; -+ -+ strncpy(name_stripped, entry->zz_name, PATH_MAX); -+ remove_dotdotslash(name_stripped); -+ -+ file = fopen (name_stripped, "wb"); - if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); } - perror (entry->zz_name); - if (status < EXIT_WARNINGS) status = EXIT_WARNINGS; diff --git a/CVE-2018-17828.patch b/CVE-2018-17828.patch deleted file mode 100644 index a340295..0000000 --- a/CVE-2018-17828.patch +++ /dev/null 
@@ -1,341 +0,0 @@ -From 81dfa6b3e08f6934885ba5c98939587d6850d08e Mon Sep 17 00:00:00 2001 -From: Josef Moellers -Date: Thu, 4 Oct 2018 14:21:48 +0200 -Subject: [PATCH] Fix issue #62: Remove any "../" components from pathnames of - extracted files. [CVE-2018-17828] - ---- - bins/unzzipcat-big.c | 57 +++++++++++++++++++++++++++++++++++++++++++- - bins/unzzipcat-mem.c | 57 +++++++++++++++++++++++++++++++++++++++++++- - bins/unzzipcat-mix.c | 57 +++++++++++++++++++++++++++++++++++++++++++- - bins/unzzipcat-zip.c | 57 +++++++++++++++++++++++++++++++++++++++++++- - 4 files changed, 224 insertions(+), 4 deletions(-) - -diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c -index 982d262..88c4d65 100644 ---- a/bins/unzzipcat-big.c -+++ b/bins/unzzipcat-big.c -@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out) - } - } - -+/* -+ * NAME: remove_dotdotslash -+ * PURPOSE: To remove any "../" components from the given pathname -+ * ARGUMENTS: path: path name with maybe "../" components -+ * RETURNS: Nothing, "path" is modified in-place -+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! -+ * Also, "path" is not used after creating it. -+ * So modifying "path" in-place is safe to do. -+ */ -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! 
-+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void makedirs(const char* name) - { - char* p = strrchr(name, '/'); -@@ -70,6 +112,16 @@ static void makedirs(const char* name) - - static FILE* create_fopen(char* name, char* mode, int subdirs) - { -+ char *name_stripped; -+ FILE *fp; -+ int mustfree = 0; -+ -+ if ((name_stripped = strdup(name)) != NULL) -+ { -+ remove_dotdotslash(name_stripped); -+ name = name_stripped; -+ mustfree = 1; -+ } - if (subdirs) - { - char* p = strrchr(name, '/'); -@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) - free (dir_name); - } - } -- return fopen(name, mode); -+ fp = fopen(name, mode); -+ if (mustfree) -+ free(name_stripped); -+ return fp; - } - - -diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c -index 9bc966b..793bde8 100644 ---- a/bins/unzzipcat-mem.c -+++ b/bins/unzzipcat-mem.c -@@ -58,6 +58,48 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out) - } - } - -+/* -+ * NAME: remove_dotdotslash -+ * PURPOSE: To remove any "../" components from the given pathname -+ * ARGUMENTS: path: path name with maybe "../" components -+ * RETURNS: Nothing, "path" is modified in-place -+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! -+ * Also, "path" is not used after creating it. -+ * So modifying "path" in-place is safe to do. 
-+ */ -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! -+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void makedirs(const char* name) - { - char* p = strrchr(name, '/'); -@@ -75,6 +117,16 @@ static void makedirs(const char* name) - - static FILE* create_fopen(char* name, char* mode, int subdirs) - { -+ char *name_stripped; -+ FILE *fp; -+ int mustfree = 0; -+ -+ if ((name_stripped = strdup(name)) != NULL) -+ { -+ remove_dotdotslash(name_stripped); -+ name = name_stripped; -+ mustfree = 1; -+ } - if (subdirs) - { - char* p = strrchr(name, '/'); -@@ -84,7 +136,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) - free (dir_name); - } - } -- return fopen(name, mode); -+ fp = fopen(name, mode); -+ if (mustfree) -+ free(name_stripped); -+ return fp; - } - - static int unzzip_cat (int argc, char ** argv, int extract) -diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c -index 91c2f00..73b6ed6 100644 ---- a/bins/unzzipcat-mix.c -+++ b/bins/unzzipcat-mix.c -@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out) - } - } - -+/* -+ * NAME: remove_dotdotslash -+ * 
PURPOSE: To remove any "../" components from the given pathname -+ * ARGUMENTS: path: path name with maybe "../" components -+ * RETURNS: Nothing, "path" is modified in-place -+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! -+ * Also, "path" is not used after creating it. -+ * So modifying "path" in-place is safe to do. -+ */ -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! -+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void makedirs(const char* name) - { - char* p = strrchr(name, '/'); -@@ -86,6 +128,16 @@ static void makedirs(const char* name) - - static FILE* create_fopen(char* name, char* mode, int subdirs) - { -+ char *name_stripped; -+ FILE *fp; -+ int mustfree = 0; -+ -+ if ((name_stripped = strdup(name)) != NULL) -+ { -+ remove_dotdotslash(name_stripped); -+ name = name_stripped; -+ mustfree = 1; -+ } - if (subdirs) - { - char* p = strrchr(name, '/'); -@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) - free (dir_name); - } - } -- return fopen(name, mode); -+ fp = fopen(name, mode); -+ if (mustfree) -+ free(name_stripped); -+ 
return fp; - } - - static int unzzip_cat (int argc, char ** argv, int extract) -diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c -index 2810f85..7f7f3fa 100644 ---- a/bins/unzzipcat-zip.c -+++ b/bins/unzzipcat-zip.c -@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out) - } - } - -+/* -+ * NAME: remove_dotdotslash -+ * PURPOSE: To remove any "../" components from the given pathname -+ * ARGUMENTS: path: path name with maybe "../" components -+ * RETURNS: Nothing, "path" is modified in-place -+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! -+ * Also, "path" is not used after creating it. -+ * So modifying "path" in-place is safe to do. -+ */ -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! 
-+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void makedirs(const char* name) - { - char* p = strrchr(name, '/'); -@@ -86,6 +128,16 @@ static void makedirs(const char* name) - - static FILE* create_fopen(char* name, char* mode, int subdirs) - { -+ char *name_stripped; -+ FILE *fp; -+ int mustfree = 0; -+ -+ if ((name_stripped = strdup(name)) != NULL) -+ { -+ remove_dotdotslash(name_stripped); -+ name = name_stripped; -+ mustfree = 1; -+ } - if (subdirs) - { - char* p = strrchr(name, '/'); -@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) - free (dir_name); - } - } -- return fopen(name, mode); -+ fp = fopen(name, mode); -+ if (mustfree) -+ free(name_stripped); -+ return fp; - } - - static int unzzip_cat (int argc, char ** argv, int extract) diff --git a/sources b/sources index 4a02881..562f581 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (v0.13.69.tar.gz) = ade026289737f43ca92a8746818d87dd7618d473dbce159546ce9071c9e4cbe164a6b1c9efff16efb7aa0327b2ec6b34f3256c6bda19cd6e325703fffc810ef0 +SHA512 (v0.13.71.tar.gz) = e035d0ac26dca78335ae3defc652543ff7b353a1a95d76ed1beeb21a08e16f287a62d488f528cfbb77d5b558581b68d439aa0823577524e9aa61a3cf5f208cb5 diff --git a/zziplib.spec b/zziplib.spec index 6ff3d16..a379384 100644 --- a/zziplib.spec +++ b/zziplib.spec 
@@ -1,22 +1,17 @@ Summary: Lightweight library to easily extract data from zip files Name: zziplib -Version: 0.13.69 -Release: 9%{?dist} +Version: 0.13.71 +Release: 1%{?dist} License: LGPLv2+ or MPLv1.1 URL: http://zziplib.sourceforge.net/ Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz Patch0: zziplib-0.13.69-multilib.patch -Patch1: CVE-2018-17828.patch -Patch2: CVE-2018-17828.part2.patch -Patch3: CVE-2018-16548.part1.patch -Patch4: CVE-2018-16548.part2.patch -Patch5: CVE-2018-16548.part3.patch - +BuildRequires: make BuildRequires: gcc BuildRequires: perl-interpreter -BuildRequires: python2 -BuildRequires: python2-rpm-macros +BuildRequires: python +BuildRequires: python-rpm-macros BuildRequires: zip BuildRequires: xmlto BuildRequires: zlib-devel @@ -65,32 +60,21 @@ zziplib library. %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 - -# Force py2 for the build -find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g' %build export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" -export PYTHON=%__python2 %configure \ --disable-static \ --enable-sdl \ - --enable-frame-pointer \ - --enable-builddir=_builddir + --enable-frame-pointer # Remove rpath on 64bit archs -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool # Only patch generated _config.h on non-i686 and armv7hl # These platforms have a correct _config.h already + %ifnarch i686 armv7hl -cd _builddir %apply_patch %{PATCH0} -p2 -cd .. %endif %make_build 
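Review bot: Dropping `Patch1`–`Patch5` leaves the spec with no trace of which release absorbed the CVE-2018-17828 and CVE-2018-16548 fixes, and one of them is harder to verify than the rest: the deleted `CVE-2018-17828.part2.patch` (the `bins/unzip-mem.c` change) carries no upstream `From`/`Subject` header, unlike the other four, so it may have been a downstream-only addition. Before relying on the rebase, confirm that `zzip_mem_entry_make()` in the v0.13.71 tarball sanitises entry names before `fopen`, and record the result next to `Patch0`, e.g. `# CVE-2018-17828, CVE-2018-16548: fixed upstream in the rebased tarball, downstream patches dropped`. Separately, `BuildRequires: python` is unversioned; if the build scripts now run under Python 3, `BuildRequires: python3` states that explicitly.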
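Review bot: `%apply_patch %{PATCH0} -p2` keeps its strip level although the `cd _builddir` / `cd ..` pair around it and `--enable-builddir=_builddir` are removed, so the patch is now applied from the top of the source tree instead of the build subdirectory. The patch file is not part of this diff, so whether its paths still resolve at `-p2` cannot be checked here; it is also still named for 0.13.69. A one-line comment above the call would remove the guesswork, e.g. `# Patch0 edits the generated _config.h, so it is applied after %%configure; -p2 is relative to the source root`.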
@@ -118,6 +102,12 @@ cd .. %{_mandir}/man3/* %changelog +* Thu Jan 21 2021 Jakub Martisko - 0.13.71-1 +- Rebase to 0.13.71 +- Drop the CVE patches, they are now part of the upstream package +- Build no longer requires python2 +- Resolves: 1807565 + * Wed Jul 29 2020 Fedora Release Engineering - 0.13.69-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild