rpms/zziplib
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 0.13.68

Browse Source 
Fixes #1543942
This commit is contained in:
Alexander Bokovoy 2018-02-14 18:36:14 +02:00
parent 1ef47efaab
commit e0dbc893b1
4 changed files with 10 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -3,3 +3,4 @@ zziplib-0.13.49.tar.bz2
/zziplib-0.13.60.tar.bz2 /zziplib-0.13.60.tar.bz2
/zziplib-0.13.62.tar.bz2 /zziplib-0.13.62.tar.bz2
/v0.13.67.tar.gz /v0.13.67.tar.gz
/v0.13.68.tar.gz

1
sources
View File

@ -1 +1,2 @@
SHA512 (v0.13.67.tar.gz) = a34b801a18a2051aa3898a572508ffd327521b69878413af679b10f6a68b37e770651884ae611bf9c01ce14013c6a1e06adeadd3ef6219d4b9278f1b9e7a6459 SHA512 (v0.13.67.tar.gz) = a34b801a18a2051aa3898a572508ffd327521b69878413af679b10f6a68b37e770651884ae611bf9c01ce14013c6a1e06adeadd3ef6219d4b9278f1b9e7a6459
SHA512 (v0.13.68.tar.gz) = e8a9976242acc04064ec239b9b929228370a946e5bd37092adcc1bda14605710a3850d39795d1937b609d1ab9a9a1998152f8c88b2dccc387ac6ec774d9cfce9

28
zziplib-0.13.67-CVE-2018-6381.patch
View File

@ -1,28 +0,0 @@
From a803559fa9194be895422ba3684cf6309b6bb598 Mon Sep 17 00:00:00 2001
From: Guido Draheim <guidod@gmx.de>
Date: Thu, 1 Feb 2018 12:27:49 +0100
Subject: [PATCH] merge CVE-2018-6381.patch from @jmoellers #12
---
zzip/memdisk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/zzip/memdisk.c b/zzip/memdisk.c
index cab883b..a85dab0 100644
--- a/zzip/memdisk.c
+++ b/zzip/memdisk.c
@@ -210,6 +210,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+ /*
+ * If the file is uncompressed, zz_csize and zz_usize should be the same
+ * If they are not, we cannot guarantee that either is correct, so ...
+ */
+ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
+ {
+ goto error;
+ }
/* zz_comment and zz_name are empty strings if not present on disk */
if (! item->zz_comment || ! item->zz_name)
{

14
zziplib.spec
View File

@ -1,13 +1,12 @@
Summary: Lightweight library to easily extract data from zip files Summary: Lightweight library to easily extract data from zip files
Name: zziplib Name: zziplib
Version: 0.13.67 Version: 0.13.68
Release: 2%{?dist} Release: 1%{?dist}
License: LGPLv2+ or MPLv1.1 License: LGPLv2+ or MPLv1.1
Group: Applications/Archiving Group: Applications/Archiving
URL: http://zziplib.sourceforge.net/ URL: http://zziplib.sourceforge.net/
Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
Patch0: zziplib-0.13.67-CVE-2018-6381.patch Patch0: zziplib-0.13.67-multilib.patch
Patch1: zziplib-0.13.67-multilib.patch
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python BuildRequires: python
BuildRequires: zip BuildRequires: zip
@ -59,7 +58,6 @@ zziplib library.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%build %build
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
@ -75,7 +73,7 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool
# These platforms have a correct _config.h already # These platforms have a correct _config.h already
%ifnarch i686 armv7hl %ifnarch i686 armv7hl
cd _builddir cd _builddir
%apply_patch %{PATCH1} -p2 %apply_patch %{PATCH0} -p2
cd .. cd ..
%endif %endif
@ -106,6 +104,10 @@ make install DESTDIR=%{buildroot}
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Wed Feb 14 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.13.68-1
- 0.13.68
- Fixes: #1543942 (CVE-2018-6484)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.13.67-2 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.13.67-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild