Fix: CVE-2018-16548

Related: #1626202
Resolves: CVE-2018-16548

CVE-2018-16548.part1.patch

@@ -0,0 +1,71 @@
+From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ test/test.zip | Bin 1361 -> 1361 bytes
+ zzip/zip.c    |  36 ++++++++++++++++++++++++++++++++++--
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 88b833b..a685280 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+         } else
+         {
+             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
++	    {
++	    	free(hdr0);
+                 return ZZIP_DIR_SEEK;
++	    }
+             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
++	    {
++	    	free(hdr0);
+                 return ZZIP_DIR_READ;
++	    }
+             d = &dirent;
+         }
+ 
+@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd,
+ 
+         if (hdr_return)
+             *hdr_return = hdr0;
++	else
++	{
++	    /* If it is not assigned to *hdr_return, it will never be free()'d */
++	    free(hdr0);
++	    /* Make sure we don't free it again in case of error */
++	    hdr0 = NULL;
++	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
++    if (entries != zz_entries)
++    {
++	/* If it was assigned to *hdr_return, undo assignment */
++	if (p_reclen && hdr_return)
++	    *hdr_return = NULL;
++	/* Free it, if it was not already free()'d */
++	if (hdr0 != NULL)
++	    free(hdr0);
++	return ZZIP_CORRUPTED;
++    }
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
++    if (((entries & (unsigned)0xFFFF) != zz_entries)
++    {
++	/* If it was assigned to *hdr_return, undo assignment */
++	if (p_reclen && hdr_return)
++	    *hdr_return = NULL;
++	/* Free it, if it was not already free()'d */
++	if (hdr0 != NULL)
++	    free(hdr0);
++	return ZZIP_CORRUPTED;
++    }
+ #  endif
++    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */

CVE-2018-16548.part2.patch

@@ -0,0 +1,50 @@
+From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a685280..51a1a4d 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd,
+ 	{
+ 	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+ 	    free(hdr0);
+-	    /* Make sure we don't free it again in case of error */
+-	    hdr0 = NULL;
+ 	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    if (entries != zz_entries)
+-    {
+-	/* If it was assigned to *hdr_return, undo assignment */
+-	if (p_reclen && hdr_return)
+-	    *hdr_return = NULL;
+-	/* Free it, if it was not already free()'d */
+-	if (hdr0 != NULL)
+-	    free(hdr0);
+-	return ZZIP_CORRUPTED;
+-    }
++    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else
+-    if (((entries & (unsigned)0xFFFF) != zz_entries)
+-    {
+-	/* If it was assigned to *hdr_return, undo assignment */
+-	if (p_reclen && hdr_return)
+-	    *hdr_return = NULL;
+-	/* Free it, if it was not already free()'d */
+-	if (hdr0 != NULL)
+-	    free(hdr0);
+-	return ZZIP_CORRUPTED;
+-    }
++    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  endif
+-    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */

CVE-2018-16548.part3.patch

@@ -0,0 +1,22 @@
+From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: [PATCH] One more free() to avoid memory leak.
+
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 51a1a4d..bc6c080 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd,
+ 	    free(hdr0);
+ 	}
+     }                           /* else zero (sane) entries */
++    else
++        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+     return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else

zziplib.spec

@@ -1,7 +1,7 @@
 Summary: Lightweight library to easily extract data from zip files
 Name: zziplib
 Version: 0.13.69
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+ or MPLv1.1
 Group: Applications/Archiving
 URL: http://zziplib.sourceforge.net/
@@ -10,7 +10,9 @@ Patch0: zziplib-0.13.69-multilib.patch
 
 Patch1: CVE-2018-17828.patch
 Patch2: CVE-2018-17828.part2.patch
-
+Patch3: CVE-2018-16548.part1.patch
+Patch4: CVE-2018-16548.part2.patch
+Patch5: CVE-2018-16548.part3.patch
 
 BuildRequires:  gcc
 BuildRequires: perl-interpreter
@@ -68,6 +70,9 @@ zziplib library.
 
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 # Force py2 for the build
 find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g'
@@ -116,6 +121,10 @@ make install DESTDIR=%{buildroot}
 %{_mandir}/man3/*
 
 %changelog
+* Thu Jan 24 2019 Jakub Martisko <jamartis@redhat.com> - 0.13.69-3
+Related: #1626202
+Resolves: CVE-2018-16548
+
 * Thu Jan 24 2019 Jakub Martisko <jamartis@redhat.com> - 0.13.69-2
 Related: 1635890
 Resolves: CVE-2018-17828