From b192da5bda07eca1184e36c0e0f94cef0924a76c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 18:23:09 -0500 Subject: [PATCH] import zziplib-0.13.68-8.el8 --- SOURCES/CVE-2018-17828-singlez.patch | 59 ++++++++++++++++++++++++++++ SPECS/zziplib.spec | 8 +++- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2018-17828-singlez.patch diff --git a/SOURCES/CVE-2018-17828-singlez.patch b/SOURCES/CVE-2018-17828-singlez.patch new file mode 100644 index 0000000..7343ab1 --- /dev/null +++ b/SOURCES/CVE-2018-17828-singlez.patch @@ -0,0 +1,59 @@ +diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c +index c45cb72..ff564a5 100644 +--- a/bins/unzip-mem.c ++++ b/bins/unzip-mem.c +@@ -88,10 +88,53 @@ static void zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk, + } + } + ++ ++ ++ ++static inline void ++remove_dotdotslash(char *path) ++{ ++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ ++ char *dotdotslash; ++ int warned = 0; ++ ++ dotdotslash = path; ++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) ++ { ++ /* ++ * Remove only if at the beginning of the pathname ("../path/name") ++ * or when preceded by a slash ("path/../name"), ++ * otherwise not ("path../name..")! ++ */ ++ if (dotdotslash == path || dotdotslash[-1] == '/') ++ { ++ char *src, *dst; ++ if (!warned) ++ { ++ /* Note: the first time through the pathname is still intact */ ++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); ++ warned = 1; ++ } ++ /* We cannot use strcpy(), as there "The strings may not overlap" */ ++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) ++ ; ++ } ++ else ++ dotdotslash +=3; /* skip this instance to prevent infinite loop */ ++ } ++} ++ + static void zzip_mem_entry_make(ZZIP_MEM_DISK* disk, + ZZIP_MEM_ENTRY* entry) + { +- FILE* file = fopen (entry->zz_name, "w"); ++ char name_stripped[PATH_MAX+1]; ++ FILE* file; ++ ++ strncpy(name_stripped, entry->zz_name, PATH_MAX); ++ name_stripped[PATH_MAX]='\0'; ++ remove_dotdotslash(name_stripped); ++ ++ file = fopen (name_stripped, "wb"); + if (file) { zzip_mem_entry_pipe (disk, entry, file); fclose (file); } + perror (entry->zz_name); + if (status < EXIT_WARNINGS) status = EXIT_WARNINGS; diff --git a/SPECS/zziplib.spec b/SPECS/zziplib.spec index 44f8469..f278d72 100644 --- a/SPECS/zziplib.spec +++ b/SPECS/zziplib.spec @@ -1,7 +1,7 @@ Summary: Lightweight library to easily extract data from zip files Name: zziplib Version: 0.13.68 -Release: 7%{?dist} +Release: 8%{?dist} License: LGPLv2+ or MPLv1.1 Group: Applications/Archiving URL: http://zziplib.sourceforge.net/ @@ -23,6 +23,7 @@ Patch8: CVE-2018-16548.part2.patch Patch9: CVE-2018-16548.part3.patch Patch10: CVE-2018-17828.patch +Patch11: CVE-2018-17828-singlez.patch BuildRequires: perl-interpreter BuildRequires: python3-devel @@ -87,6 +88,7 @@ zziplib library. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 pathfix.py -i %{__python3} -pn docs @@ -138,6 +140,10 @@ make install DESTDIR=%{buildroot} %{_mandir}/man3/* %changelog +* Tue Oct 16 2018 Jakub Martisko - 0.13.68-8 +- Fix CVE-2018-17828 in the "single z" binaries +- Resolves: #1772447 + * Tue Oct 16 2018 Jakub Martisko - 0.13.68-7 - Fix CVE-2018-17828 - Resolves: #1635890