Fix: CVE-2018-16548

Related: #1626202 Resolves: CVE-2018-16548
2019-01-24 14:14:10 +01:00 · 2019-01-24 14:14:10 +01:00 · ff7beb94fb
commit ff7beb94fb
parent d2c611006e
4 changed files with 154 additions and 2 deletions
--- a/CVE-2018-16548.part1.patch
+++ b/CVE-2018-16548.part1.patch
@ -0,0 +1,71 @@
+From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ test/test.zip | Bin 1361 -> 1361 bytes
+ zzip/zip.c    |  36 ++++++++++++++++++++++++++++++++++--
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 88b833b..a685280 100644
+--- a/zzip/zip.c
+++ b/zzip/zip.c
+@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+         } else
+         {
+             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+	    {
+	    	free(hdr0);
+                 return ZZIP_DIR_SEEK;
+	    }
+             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+	    {
+	    	free(hdr0);
+                 return ZZIP_DIR_READ;
+	    }
+             d = &dirent;
+         }
+ 
+@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd,
+ 
+         if (hdr_return)
+             *hdr_return = hdr0;
+	else
+	{
+	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+	    free(hdr0);
+	    /* Make sure we don't free it again in case of error */
+	    hdr0 = NULL;
+	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+    if (entries != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+    if (((entries & (unsigned)0xFFFF) != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
+ #  endif
+    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */
--- a/CVE-2018-16548.part2.patch
+++ b/CVE-2018-16548.part2.patch
@ -0,0 +1,50 @@
+From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a685280..51a1a4d 100644
+--- a/zzip/zip.c
+++ b/zzip/zip.c
+@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd,
+ 	{
+ 	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+ 	    free(hdr0);
+-	    /* Make sure we don't free it again in case of error */
+-	    hdr0 = NULL;
+ 	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    if (entries != zz_entries)
+-    {
+-	/* If it was assigned to *hdr_return, undo assignment */
+-	if (p_reclen && hdr_return)
+-	    *hdr_return = NULL;
+-	/* Free it, if it was not already free()'d */
+-	if (hdr0 != NULL)
+-	    free(hdr0);
+-	return ZZIP_CORRUPTED;
+-    }
+    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else
+-    if (((entries & (unsigned)0xFFFF) != zz_entries)
+-    {
+-	/* If it was assigned to *hdr_return, undo assignment */
+-	if (p_reclen && hdr_return)
+-	    *hdr_return = NULL;
+-	/* Free it, if it was not already free()'d */
+-	if (hdr0 != NULL)
+-	    free(hdr0);
+-	return ZZIP_CORRUPTED;
+-    }
+    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  endif
+-    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */
--- a/CVE-2018-16548.part3.patch
+++ b/CVE-2018-16548.part3.patch
@ -0,0 +1,22 @@
+From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: [PATCH] One more free() to avoid memory leak.
+
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 51a1a4d..bc6c080 100644
+--- a/zzip/zip.c
+++ b/zzip/zip.c
+@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd,
+ 	    free(hdr0);
+ 	}
+     }                           /* else zero (sane) entries */
+    else
+        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+     return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else
--- a/zziplib.spec
+++ b/zziplib.spec
@ -1,7 +1,7 @@
 Summary: Lightweight library to easily extract data from zip files
 Name: zziplib
 Version: 0.13.69
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+ or MPLv1.1
 Group: Applications/Archiving
 URL: http://zziplib.sourceforge.net/
@ -10,7 +10,9 @@ Patch0: zziplib-0.13.69-multilib.patch

 Patch1: CVE-2018-17828.patch
 Patch2: CVE-2018-17828.part2.patch
-
+Patch3: CVE-2018-16548.part1.patch
+Patch4: CVE-2018-16548.part2.patch
+Patch5: CVE-2018-16548.part3.patch

 BuildRequires:  gcc
 BuildRequires: perl-interpreter
@ -68,6 +70,9 @@ zziplib library.

 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1

 # Force py2 for the build
 find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g'
@ -116,6 +121,10 @@ make install DESTDIR=%{buildroot}
 %{_mandir}/man3/*

 %changelog
+* Thu Jan 24 2019 Jakub Martisko <jamartis@redhat.com> - 0.13.69-3
+Related: #1626202
+Resolves: CVE-2018-16548
+
 * Thu Jan 24 2019 Jakub Martisko <jamartis@redhat.com> - 0.13.69-2
 Related: 1635890
 Resolves: CVE-2018-17828