From c5d0017ab89af802348e88fa69a734ca4cd6c94d Mon Sep 17 00:00:00 2001 From: Jakub Martisko Date: Fri, 26 Jan 2024 12:42:00 +0100 Subject: [PATCH] Fix: CVE-2020-18770 Resolves: RHEL-14966 --- CVE-2020-18770.patch | 30 ++++++++++++++++++++++++++++++ zziplib.spec | 8 +++++++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-18770.patch diff --git a/CVE-2020-18770.patch b/CVE-2020-18770.patch new file mode 100644 index 0000000..e4c7880 --- /dev/null +++ b/CVE-2020-18770.patch @@ -0,0 +1,30 @@ +From 18c6c043bd7d8f139f30e9c7749013115d5fc5b7 Mon Sep 17 00:00:00 2001 +From: Valentin Lefebvre +Date: Wed, 20 Sep 2023 12:04:56 +0200 +Subject: [PATCH] mmappend.c: Avoid invalid access for header entry + +* zzip_disk_entry_to_file_header checking the pointer by substraction + instead of addition where it could lead to an invalid access memory. +* CVE-2020-18770 + +Signed-off-by: Valentin Lefebvre +--- + zzip/mmapped.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/zzip/mmapped.c b/zzip/mmapped.c +index 2071882..beb094d 100644 +--- a/zzip/mmapped.c ++++ b/zzip/mmapped.c +@@ -275,8 +275,9 @@ zzip_disk_entry_to_data(ZZIP_DISK * disk, struct zzip_disk_entry * entry) + struct zzip_file_header * + zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry) + { +- zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry); +- if (disk->buffer > ptr || ptr >= disk->endbuf) ++ zzip_off_t off = zzip_disk_entry_fileoffset(entry); ++ zzip_byte_t *const ptr = disk->buffer + off; ++ if (disk->buffer > ptr || disk->buffer >= disk->endbuf - off) + { + errno = EBADMSG; + return 0; diff --git a/zziplib.spec b/zziplib.spec index 29ce6fc..9179199 100644 --- a/zziplib.spec +++ b/zziplib.spec @@ -1,7 +1,7 @@ Summary: Lightweight library to easily extract data from zip files Name: zziplib Version: 0.13.68 -Release: 9%{?dist} +Release: 10%{?dist} License: LGPLv2+ or MPLv1.1 Group: Applications/Archiving URL: http://zziplib.sourceforge.net/ @@ -26,6 +26,7 @@ Patch10: CVE-2018-17828.patch Patch11: CVE-2018-17828-singlez.patch Patch12: CVE-2020-18442.patch +Patch13: CVE-2020-18770.patch BuildRequires: perl-interpreter BuildRequires: python3-devel @@ -92,6 +93,7 @@ zziplib library. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 pathfix.py -i %{__python3} -pn docs @@ -143,6 +145,10 @@ make install DESTDIR=%{buildroot} %{_mandir}/man3/* %changelog +* Wed Jan 24 2024 Jakub Martisko - 0.13.68-10 +- Fix CVE-2020-18770 + Resolves: RHEL-14966 + * Mon Aug 02 2021 Jakub Martisko - 0.13.68-9 - Fix CVE-2020-18442 - Resolves: CVE-2020-18442