diff --git a/.gitignore b/.gitignore
index e06560b..d01db63 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ zziplib-0.13.49.tar.bz2
 /zziplib-0.13.60.tar.bz2
 /zziplib-0.13.62.tar.bz2
 /v0.13.67.tar.gz
+/v0.13.68.tar.gz
diff --git a/sources b/sources
index 0f2de80..b483c7c 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (v0.13.67.tar.gz) = a34b801a18a2051aa3898a572508ffd327521b69878413af679b10f6a68b37e770651884ae611bf9c01ce14013c6a1e06adeadd3ef6219d4b9278f1b9e7a6459
+SHA512 (v0.13.68.tar.gz) = e8a9976242acc04064ec239b9b929228370a946e5bd37092adcc1bda14605710a3850d39795d1937b609d1ab9a9a1998152f8c88b2dccc387ac6ec774d9cfce9
diff --git a/zziplib-0.13.67-CVE-2018-6381.patch b/zziplib-0.13.67-CVE-2018-6381.patch
deleted file mode 100644
index d614558..0000000
--- a/zziplib-0.13.67-CVE-2018-6381.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a803559fa9194be895422ba3684cf6309b6bb598 Mon Sep 17 00:00:00 2001
-From: Guido Draheim
-Date: Thu, 1 Feb 2018 12:27:49 +0100
-Subject: [PATCH] merge CVE-2018-6381.patch from @jmoellers #12
-
----
- zzip/memdisk.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/zzip/memdisk.c b/zzip/memdisk.c
-index cab883b..a85dab0 100644
---- a/zzip/memdisk.c
-+++ b/zzip/memdisk.c
-@@ -210,6 +210,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
- item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
- item->zz_filetype = zzip_disk_entry_get_filetype(entry);
-
-+ /*
-+ * If the file is uncompressed, zz_csize and zz_usize should be the same
-+ * If they are not, we cannot guarantee that either is correct, so ...
-+ */
-+ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
-+ {
-+ goto error;
-+ }
- /* zz_comment and zz_name are empty strings if not present on disk */
- if (! item->zz_comment || ! item->zz_name)
- {
diff --git a/zziplib.spec b/zziplib.spec
index 73b34f1..dab3b42 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,13 +1,12 @@
 Summary: Lightweight library to easily extract data from zip files
 Name: zziplib
-Version: 0.13.67
-Release: 2%{?dist}
+Version: 0.13.68
+Release: 1%{?dist}
 License: LGPLv2+ or MPLv1.1
 Group: Applications/Archiving
 URL: http://zziplib.sourceforge.net/
 Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
-Patch0: zziplib-0.13.67-CVE-2018-6381.patch
-Patch1: zziplib-0.13.67-multilib.patch
+Patch0: zziplib-0.13.67-multilib.patch
 BuildRequires: perl-interpreter
 BuildRequires: python
 BuildRequires: zip
@@ -59,7 +58,6 @@ zziplib library.
 %prep
 %setup -q
-%patch0 -p1
 %build
 export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
@@ -75,7 +73,7 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool
 # These platforms have a correct _config.h already
 %ifnarch i686 armv7hl
 cd _builddir
-%apply_patch %{PATCH1} -p2
+%apply_patch %{PATCH0} -p2
 cd ..
 %endif
@@ -106,6 +104,10 @@ make install DESTDIR=%{buildroot}
 %{_mandir}/man3/*
 %changelog
+* Wed Feb 14 2018 Alexander Bokovoy - 0.13.68-1
+- 0.13.68
+- Fixes: #1543942 (CVE-2018-6484)
+
 * Fri Feb 09 2018 Fedora Release Engineering - 0.13.67-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
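Review bot: The first hunk drops `Patch0: zziplib-0.13.67-CVE-2018-6381.patch`, but the new %changelog entry in the last hunk records only CVE-2018-6484, so the package history no longer says where the CVE-2018-6381 fix comes from. The deleted patch looks like an upstream commit, so the fix is presumably part of the 0.13.68 tarball, but nothing on this page shows that. Confirm that zzip/memdisk.c in the new source still rejects a ZZIP_IS_STORED entry whose zz_csize and zz_usize differ. Then add a changelog line such as `- Drop CVE-2018-6381 patch, included in 0.13.68`.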
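Review bot: After the renumbering in the `%ifnarch i686 armv7hl` block, Patch0 is the multilib patch and is applied only by `%apply_patch %{PATCH0} -p2` inside _builddir, while %prep no longer applies any patch. A reader who checks %prep could take Patch0 for a forgotten patch, so a comment above the `Patch0:` line would help, for example `# Applied with %%apply_patch inside _builddir (skipped on i686 and armv7hl), not in %%prep`. The patch file also keeps its 0.13.67 name while being applied to the 0.13.68 tree, which is worth a word in the same comment if it is intentional. The section this block belongs to starts outside the hunk.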