diff --git a/.gitignore b/.gitignore index e69de29..a810290 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,7 @@ +zziplib-0.13.49.tar.bz2 +/zziplib-0.13.59.tar.bz2 +/zziplib-0.13.60.tar.bz2 +/zziplib-0.13.62.tar.bz2 +/v0.13.67.tar.gz +/v0.13.68.tar.gz +/v0.13.69.tar.gz diff --git a/CVE-2018-16548.part1.patch b/CVE-2018-16548.part1.patch new file mode 100644 index 0000000..25c2b74 --- /dev/null +++ b/CVE-2018-16548.part1.patch @@ -0,0 +1,71 @@ +From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 11:32:04 +0200 +Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). + +--- + test/test.zip | Bin 1361 -> 1361 bytes + zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/zzip/zip.c b/zzip/zip.c +index 88b833b..a685280 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd, + } else + { + if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) ++ { ++ free(hdr0); + return ZZIP_DIR_SEEK; ++ } + if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) ++ { ++ free(hdr0); + return ZZIP_DIR_READ; ++ } + d = &dirent; + } + +@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd, + + if (hdr_return) + *hdr_return = hdr0; ++ else ++ { ++ /* If it is not assigned to *hdr_return, it will never be free()'d */ ++ free(hdr0); ++ /* Make sure we don't free it again in case of error */ ++ hdr0 = NULL; ++ } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); ++ if (entries != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # else +- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); ++ if (((entries & (unsigned)0xFFFF) != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # endif ++ return 0; + } + + /* ------------------------- high-level interface ------------------------- */ diff --git a/CVE-2018-16548.part2.patch b/CVE-2018-16548.part2.patch new file mode 100644 index 0000000..b9bea26 --- /dev/null +++ b/CVE-2018-16548.part2.patch @@ -0,0 +1,50 @@ +From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 11:49:28 +0200 +Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). + +--- + zzip/zip.c | 25 ++----------------------- + 1 file changed, 2 insertions(+), 23 deletions(-) + +diff --git a/zzip/zip.c b/zzip/zip.c +index a685280..51a1a4d 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd, + { + /* If it is not assigned to *hdr_return, it will never be free()'d */ + free(hdr0); +- /* Make sure we don't free it again in case of error */ +- hdr0 = NULL; + } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- if (entries != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +- if (((entries & (unsigned)0xFFFF) != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; + # endif +- return 0; + } + + /* ------------------------- high-level interface ------------------------- */ diff --git a/CVE-2018-16548.part3.patch b/CVE-2018-16548.part3.patch new file mode 100644 index 0000000..f2f8214 --- /dev/null +++ b/CVE-2018-16548.part3.patch @@ -0,0 +1,22 @@ +From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 13:55:35 +0200 +Subject: [PATCH] One more free() to avoid memory leak. + +--- + zzip/zip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/zzip/zip.c b/zzip/zip.c +index 51a1a4d..bc6c080 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd, + free(hdr0); + } + } /* else zero (sane) entries */ ++ else ++ free(hdr0); + # ifndef ZZIP_ALLOW_MODULO_ENTRIES + return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else diff --git a/CVE-2018-17828.part2.patch b/CVE-2018-17828.part2.patch new file mode 100644 index 0000000..111167c --- /dev/null +++ b/CVE-2018-17828.part2.patch @@ -0,0 +1,55 @@ +diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c +index c45cb72..ff564a5 100644 +--- a/bins/unzip-mem.c ++++ b/bins/unzip-mem.c +@@ -88,10 +88,49 @@ static void zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk, + } + } + ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void zzip_mem_entry_make(ZZIP_MEM_DISK* disk, + ZZIP_MEM_ENTRY* entry) + { +- FILE* file = fopen (entry->zz_name, "wb"); ++ char name_stripped[PATH_MAX]; ++ FILE* file; ++ ++ strncpy(name_stripped, entry->zz_name, PATH_MAX); ++ remove_dotdotslash(name_stripped); ++ ++ file = fopen (name_stripped, "wb"); + if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); } + perror (entry->zz_name); + if (status < EXIT_WARNINGS) status = EXIT_WARNINGS; diff --git a/CVE-2018-17828.patch b/CVE-2018-17828.patch new file mode 100644 index 0000000..a340295 --- /dev/null +++ b/CVE-2018-17828.patch @@ -0,0 +1,341 @@ +From 81dfa6b3e08f6934885ba5c98939587d6850d08e Mon Sep 17 00:00:00 2001 +From: Josef Moellers +Date: Thu, 4 Oct 2018 14:21:48 +0200 +Subject: [PATCH] Fix issue #62: Remove any "../" components from pathnames of + extracted files. [CVE-2018-17828] + +--- + bins/unzzipcat-big.c | 57 +++++++++++++++++++++++++++++++++++++++++++- + bins/unzzipcat-mem.c | 57 +++++++++++++++++++++++++++++++++++++++++++- + bins/unzzipcat-mix.c | 57 +++++++++++++++++++++++++++++++++++++++++++- + bins/unzzipcat-zip.c | 57 +++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 224 insertions(+), 4 deletions(-) + +diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c +index 982d262..88c4d65 100644 +--- a/bins/unzzipcat-big.c ++++ b/bins/unzzipcat-big.c +@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out) + } + } + ++/* ++ * NAME: remove_dotdotslash ++ * PURPOSE: To remove any "../" components from the given pathname ++ * ARGUMENTS: path: path name with maybe "../" components ++ * RETURNS: Nothing, "path" is modified in-place ++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! ++ * Also, "path" is not used after creating it. ++ * So modifying "path" in-place is safe to do. ++ */ ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void makedirs(const char* name) + { + char* p = strrchr(name, '/'); +@@ -70,6 +112,16 @@ static void makedirs(const char* name) + + static FILE* create_fopen(char* name, char* mode, int subdirs) + { ++ char *name_stripped; ++ FILE *fp; ++ int mustfree = 0; ++ ++ if ((name_stripped = strdup(name)) != NULL) ++ { ++ remove_dotdotslash(name_stripped); ++ name = name_stripped; ++ mustfree = 1; ++ } + if (subdirs) + { + char* p = strrchr(name, '/'); +@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) + free (dir_name); + } + } +- return fopen(name, mode); ++ fp = fopen(name, mode); ++ if (mustfree) ++ free(name_stripped); ++ return fp; + } + + +diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c +index 9bc966b..793bde8 100644 +--- a/bins/unzzipcat-mem.c ++++ b/bins/unzzipcat-mem.c +@@ -58,6 +58,48 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out) + } + } + ++/* ++ * NAME: remove_dotdotslash ++ * PURPOSE: To remove any "../" components from the given pathname ++ * ARGUMENTS: path: path name with maybe "../" components ++ * RETURNS: Nothing, "path" is modified in-place ++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! ++ * Also, "path" is not used after creating it. ++ * So modifying "path" in-place is safe to do. ++ */ ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void makedirs(const char* name) + { + char* p = strrchr(name, '/'); +@@ -75,6 +117,16 @@ static void makedirs(const char* name) + + static FILE* create_fopen(char* name, char* mode, int subdirs) + { ++ char *name_stripped; ++ FILE *fp; ++ int mustfree = 0; ++ ++ if ((name_stripped = strdup(name)) != NULL) ++ { ++ remove_dotdotslash(name_stripped); ++ name = name_stripped; ++ mustfree = 1; ++ } + if (subdirs) + { + char* p = strrchr(name, '/'); +@@ -84,7 +136,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) + free (dir_name); + } + } +- return fopen(name, mode); ++ fp = fopen(name, mode); ++ if (mustfree) ++ free(name_stripped); ++ return fp; + } + + static int unzzip_cat (int argc, char ** argv, int extract) +diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c +index 91c2f00..73b6ed6 100644 +--- a/bins/unzzipcat-mix.c ++++ b/bins/unzzipcat-mix.c +@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out) + } + } + ++/* ++ * NAME: remove_dotdotslash ++ * PURPOSE: To remove any "../" components from the given pathname ++ * ARGUMENTS: path: path name with maybe "../" components ++ * RETURNS: Nothing, "path" is modified in-place ++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! ++ * Also, "path" is not used after creating it. ++ * So modifying "path" in-place is safe to do. ++ */ ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void makedirs(const char* name) + { + char* p = strrchr(name, '/'); +@@ -86,6 +128,16 @@ static void makedirs(const char* name) + + static FILE* create_fopen(char* name, char* mode, int subdirs) + { ++ char *name_stripped; ++ FILE *fp; ++ int mustfree = 0; ++ ++ if ((name_stripped = strdup(name)) != NULL) ++ { ++ remove_dotdotslash(name_stripped); ++ name = name_stripped; ++ mustfree = 1; ++ } + if (subdirs) + { + char* p = strrchr(name, '/'); +@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) + free (dir_name); + } + } +- return fopen(name, mode); ++ fp = fopen(name, mode); ++ if (mustfree) ++ free(name_stripped); ++ return fp; + } + + static int unzzip_cat (int argc, char ** argv, int extract) +diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c +index 2810f85..7f7f3fa 100644 +--- a/bins/unzzipcat-zip.c ++++ b/bins/unzzipcat-zip.c +@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out) + } + } + ++/* ++ * NAME: remove_dotdotslash ++ * PURPOSE: To remove any "../" components from the given pathname ++ * ARGUMENTS: path: path name with maybe "../" components ++ * RETURNS: Nothing, "path" is modified in-place ++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! ++ * Also, "path" is not used after creating it. ++ * So modifying "path" in-place is safe to do. ++ */ ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void makedirs(const char* name) + { + char* p = strrchr(name, '/'); +@@ -86,6 +128,16 @@ static void makedirs(const char* name) + + static FILE* create_fopen(char* name, char* mode, int subdirs) + { ++ char *name_stripped; ++ FILE *fp; ++ int mustfree = 0; ++ ++ if ((name_stripped = strdup(name)) != NULL) ++ { ++ remove_dotdotslash(name_stripped); ++ name = name_stripped; ++ mustfree = 1; ++ } + if (subdirs) + { + char* p = strrchr(name, '/'); +@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) + free (dir_name); + } + } +- return fopen(name, mode); ++ fp = fopen(name, mode); ++ if (mustfree) ++ free(name_stripped); ++ return fp; + } + + static int unzzip_cat (int argc, char ** argv, int extract) diff --git a/sources b/sources new file mode 100644 index 0000000..4a02881 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (v0.13.69.tar.gz) = ade026289737f43ca92a8746818d87dd7618d473dbce159546ce9071c9e4cbe164a6b1c9efff16efb7aa0327b2ec6b34f3256c6bda19cd6e325703fffc810ef0 diff --git a/zziplib-0.13.69-multilib.patch b/zziplib-0.13.69-multilib.patch new file mode 100644 index 0000000..24cf64b --- /dev/null +++ b/zziplib-0.13.69-multilib.patch @@ -0,0 +1,31 @@ +diff -up ./_builddir/zzip/_config.h.orig ./_builddir/zzip/_config.h +--- ./_builddir/zzip/_config.h.orig 2018-07-23 09:11:59.971840954 +0300 ++++ ./_builddir/zzip/_config.h 2018-07-23 09:12:07.438731527 +0300 +@@ -139,6 +139,11 @@ + /* whether the system defaults to 32bit off_t but can do 64bit when requested + */ + /* #undef LARGEFILE_SENSITIVE */ ++#if __WORDSIZE == 32 ++#ifndef ZZIP_LARGEFILE_SENSITIVE ++#define ZZIP_LARGEFILE_SENSITIVE 1 ++#endif ++#endif + + /* Define to the sub-directory where libtool stores uninstalled libraries. */ + #ifndef ZZIP_LT_OBJDIR +@@ -197,6 +202,15 @@ + /* The number of bytes in type short */ + /* #undef SIZEOF_SHORT */ + ++/* The number of bytes in type long */ ++#ifndef ZZIP_SIZEOF_LONG ++#if __WORDSIZE == 32 ++#define ZZIP_SIZEOF_LONG 4 ++#elif __WORDSIZE == 64 ++#define ZZIP_SIZEOF_LONG 8 ++#endif ++#endif ++ + /* Define to 1 if you have the ANSI C header files. */ + #ifndef ZZIP_STDC_HEADERS + #define ZZIP_STDC_HEADERS 1 diff --git a/zziplib.spec b/zziplib.spec new file mode 100644 index 0000000..6ff3d16 --- /dev/null +++ b/zziplib.spec @@ -0,0 +1,281 @@ +Summary: Lightweight library to easily extract data from zip files +Name: zziplib +Version: 0.13.69 +Release: 9%{?dist} +License: LGPLv2+ or MPLv1.1 +URL: http://zziplib.sourceforge.net/ +Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz +Patch0: zziplib-0.13.69-multilib.patch + +Patch1: CVE-2018-17828.patch +Patch2: CVE-2018-17828.part2.patch +Patch3: CVE-2018-16548.part1.patch +Patch4: CVE-2018-16548.part2.patch +Patch5: CVE-2018-16548.part3.patch + +BuildRequires: gcc +BuildRequires: perl-interpreter +BuildRequires: python2 +BuildRequires: python2-rpm-macros +BuildRequires: zip +BuildRequires: xmlto +BuildRequires: zlib-devel +BuildRequires: SDL-devel +BuildRequires: pkgconfig +#BuildRequires: autoconf +#BuildRequires: automake + +%description +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +%package utils +Summary: Utilities for the zziplib library +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description utils +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +This packages contains all the utilities that come with the zziplib library. + +%package devel +Summary: Development files for the zziplib library +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Requires: zlib-devel +Requires: SDL-devel + +%description devel +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +This package contains files required to build applications that will use the +zziplib library. + +%prep +%setup -q + +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + +# Force py2 for the build +find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g' + +%build +export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" +export PYTHON=%__python2 +%configure \ + --disable-static \ + --enable-sdl \ + --enable-frame-pointer \ + --enable-builddir=_builddir +# Remove rpath on 64bit archs +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool +# Only patch generated _config.h on non-i686 and armv7hl +# These platforms have a correct _config.h already +%ifnarch i686 armv7hl +cd _builddir +%apply_patch %{PATCH0} -p2 +cd .. +%endif + +%make_build + + +%install +%make_install + +%ldconfig_scriptlets + +%files +%doc docs/COPYING* ChangeLog README TODO +%{_libdir}/*.so.* + +%files utils +%{_bindir}/* + +%files devel +%doc docs/README.SDL docs/*.htm +%{_includedir}/* +%exclude %{_libdir}/*.la +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_datadir}/aclocal/*.m4 +%{_mandir}/man3/* + +%changelog +* Wed Jul 29 2020 Fedora Release Engineering - 0.13.69-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 0.13.69-8 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri Jan 31 2020 Fedora Release Engineering - 0.13.69-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jul 27 2019 Fedora Release Engineering - 0.13.69-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 0.13.69-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jan 24 2019 Jakub Martisko - 0.13.69-4 +- Add the missing CVE-2018-17828.part2.patch file +- Fix Formating of the previous 2 changelog entries + +* Thu Jan 24 2019 Jakub Martisko - 0.13.69-3 +- Related: #1626202 +- Resolves: CVE-2018-16548 + +* Thu Jan 24 2019 Jakub Martisko - 0.13.69-2 +- Related: 1635890 +- Resolves: CVE-2018-17828 + +* Mon Jul 23 2018 Alexander Bokovoy - 0.13.69-1 +- Update to 0.13.69 release +- Fixes: #1598246 (CVE-2018-6541) +- Fixes: #1554673 (CVE-2018-7727) +- Use versioned python executables everywhere + +* Sat Jul 14 2018 Fedora Release Engineering - 0.13.68-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sun Mar 18 2018 Iryna Shcherbina - 0.13.68-2 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Wed Feb 14 2018 Alexander Bokovoy - 0.13.68-1 +- 0.13.68 +- Fixes: #1543942 (CVE-2018-6484) + +* Fri Feb 09 2018 Fedora Release Engineering - 0.13.67-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Feb 01 2018 Alexander Bokovoy - 0.13.67-1 +- Update release +- CVE-2018-6381 + +* Thu Aug 03 2017 Fedora Release Engineering - 0.13.62-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.13.62-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.13.62-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 0.13.62-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 0.13.62-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 0.13.62-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.13.62-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 0.13.62-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jan 30 2013 Jindrich Novy 0.13.62-2 +- rebuild with -fno-strict-aliasing + +* Wed Oct 10 2012 Matthias Saou 0.13.62-1 +- Update to 0.13.62. +- Remove no longer needed -Wl patch. + +* Sun Jul 22 2012 Fedora Release Engineering - 0.13.60-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Mar 8 2012 Tom Callaway - 0.13.60-1 +- update to 0.13.60 + +* Sat Jan 14 2012 Fedora Release Engineering - 0.13.59-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.13.59-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 9 2010 Hans de Goede 0.13.59-2 +- Fix broken zzip/_config.h which causes apps using zziplib to fail to compile + +* Sat Dec 4 2010 Matthias Saou 0.13.59-1 +- Update to 0.13.59. +- Remove no longer needed 'open' patch. +- Rebase the multilib patch, still required. +- Re-enable _smp_mflags, build works again with it apparently. + +* Mon Jul 27 2009 Fedora Release Engineering - 0.13.49-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 0.13.49-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 22 2008 Matthias Saou 0.13.49-6 +- Patch _config.h to make it identical for 32bit and 64bit archs (#343521). + +* Tue Feb 19 2008 Fedora Release Engineering +- Autorebuild for GCC 4.3 + +* Wed Aug 8 2007 Matthias Saou 0.13.49-4 +- Include patch to fix fd.open calls with recent glibc. +- Disable _smp_mflags since the docs fail to build. + +* Fri Aug 3 2007 Matthias Saou 0.13.49-3 +- Update License field. + +* Tue Jun 19 2007 Matthias Saou 0.13.49-2 +- Disable static lib build instead of excluding it later. +- Remove rpath on 64bit archs. +- Switch to using DESTDIR install method. + +* Mon Mar 26 2007 Matthias Saou 0.13.49-1 +- Update to 0.13.49 to fix CVE-2007-1614 (rhbz #233700). +- Include new man3 pages to the devel sub-package. + +* Mon Aug 28 2006 Matthias Saou 0.13.47-1 +- Update to 0.13.47. +- FC6 rebuild. + +* Mon Jul 24 2006 Matthias Saou 0.13.45-3 +- Split off -utils sub-package (#199467). Could have been plain "zzip"? +- Have sub-packages require exact release too. +- Build require automake to make the aclocal-1.9 check happy. +- Use --enable-frame-pointer otherwise -g gets removed from the CFLAGS. + +* Mon Mar 6 2006 Matthias Saou 0.13.45-2 +- FC5 rebuild. + +* Thu Feb 9 2006 Matthias Saou 0.13.45-1 +- Update to 0.13.45. +- Exclude static library. + +* Sun May 22 2005 Jeremy Katz - 0.13.38-2 +- rebuild on all arches + +* Tue Apr 5 2005 Matthias Saou 0.13.38-1 +- Update to 0.13.38, fixes gcc4 compile issues (Adrian Reber). + +* Tue Nov 16 2004 Matthias Saou 0.13.36-2 +- Bump release to provide Extras upgrade path. + +* Tue Jun 8 2004 Matthias Saou 0.13.36-1 +- Initial RPM release. +