Control: tags 910335 + patch Dear maintainer,
Updated debdiff to also include the fixes for #910335. Regards, Salvatore
diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog --- zziplib-0.13.62/debian/changelog 2017-06-04 09:03:20.000000000 +0200 +++ zziplib-0.13.62/debian/changelog 2019-03-04 22:43:14.000000000 +0100 @@ -1,3 +1,22 @@ +zziplib (0.13.62-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * Invalid memory access in zzip_disk_fread (CVE-2018-6381) (Closes: #889096) + * Reject the ZIP file and report it as corrupt if the size of the central + directory and/or the offset of start of central directory point beyond the + end of the ZIP file (CVE-2018-6484, CVE-2018-6541, CVE-2018-6869) + (Closes: #889089) + * bus error in zzip_disk_findfirst function in zzip/mmapped.c + (CVE-2018-6540) (Closes: #923659) + * out of bound read in mmapped.c:zzip_disk_fread() causes crash + (CVE-2018-7725) (Closes: #913165) + * Bus error in zip.c:__zzip_parse_root_directory() cause crash via crafted + zip file (CVE-2018-7726) (Closes: #913165) + * Memory leak triggered in the function __zzip_parse_root_directory in zip.c + (CVE-2018-16548) (Closes: #910335) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 04 Mar 2019 22:43:14 +0100 + zziplib (0.13.62-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch --- zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch 2019-03-04 22:43:14.000000000 +0100 
@@ -0,0 +1,74 @@ +From: jmoellers <josef.moell...@suse.com> +Date: Fri, 7 Sep 2018 11:32:04 +0200 +Subject: Avoid memory leak from __zzip_parse_root_directory(). +Origin: https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548 +Bug-Debian: https://bugs.debian.org/910335 +Bug: https://github.com/gdraheim/zziplib/issues/58 + +--- + +diff --git a/zzip/zip.c b/zzip/zip.c +index 88b833b2533d..a6852802f87e 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd, + } else + { + if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) ++ { ++ free(hdr0); + return ZZIP_DIR_SEEK; ++ } + if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) ++ { ++ free(hdr0); + return ZZIP_DIR_READ; ++ } + d = &dirent; + } + +@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd, + + if (hdr_return) + *hdr_return = hdr0; ++ else ++ { ++ /* If it is not assigned to *hdr_return, it will never be free()'d */ ++ free(hdr0); ++ /* Make sure we don't free it again in case of error */ ++ hdr0 = NULL; ++ } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); ++ if (entries != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # else +- return ((entries & (unsigned)0xFFFF) != zz_entries ? 
ZZIP_CORRUPTED : 0); ++ if (((entries & (unsigned)0xFFFF) != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # endif ++ return 0; + } + + /* ------------------------- high-level interface ------------------------- */ +-- +2.11.0 + diff -Nru zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch --- zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch 2019-03-04 22:43:14.000000000 +0100 
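Review bot: The two new `free(hdr0)` calls cover only the seek and read failures in the non-mmap branch of the first hunk; any other early `return` inside the per-entry loop between that hunk and the second one at zip.c:577 is outside the patch and would still leak hdr0, so those return sites deserve the same audit. The undo-assignment-and-free block is duplicated verbatim in both `ZZIP_ALLOW_MODULO_ENTRIES` arms; a single `goto corrupted;` to one cleanup label would keep one copy, though Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch later in this series removes both blocks again. `__zzip_parse_root_directory` begins before the first hunk.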
@@ -0,0 +1,56 @@ +From: jmoellers <josef.moell...@suse.com> +Date: Fri, 7 Sep 2018 11:49:28 +0200 +Subject: Avoid memory leak from __zzip_parse_root_directory(). +Origin: https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548 +Bug-Debian: https://bugs.debian.org/910335 +Bug: https://github.com/gdraheim/zziplib/issues/58 + +--- + zzip/zip.c | 25 ++----------------------- + 1 file changed, 2 insertions(+), 23 deletions(-) + +diff --git a/zzip/zip.c b/zzip/zip.c +index a6852802f87e..51a1a4d93a60 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd, + { + /* If it is not assigned to *hdr_return, it will never be free()'d */ + free(hdr0); +- /* Make sure we don't free it again in case of error */ +- hdr0 = NULL; + } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- if (entries != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +- if (((entries & (unsigned)0xFFFF) != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? 
ZZIP_CORRUPTED : 0; + # endif +- return 0; + } + + /* ------------------------- high-level interface ------------------------- */ +-- +2.11.0 + diff -Nru zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch --- zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100 +++ zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch 2019-03-04 22:43:14.000000000 +0100 @@ -0,0 +1,28 @@ +From: jmoellers <josef.moell...@suse.com> +Date: Fri, 7 Sep 2018 13:55:35 +0200 +Subject: One more free() to avoid memory leak. +Origin: https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548 +Bug-Debian: https://bugs.debian.org/910335 +Bug: https://github.com/gdraheim/zziplib/issues/58 + +--- + zzip/zip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/zzip/zip.c b/zzip/zip.c +index 51a1a4d93a60..bc6c0800e085 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd, + free(hdr0); + } + } /* else zero (sane) entries */ ++ else ++ free(hdr0); + # ifndef ZZIP_ALLOW_MODULO_ENTRIES + return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +-- +2.11.0 + diff -Nru zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch --- zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch 1970-01-01 01:00:00.000000000 +0100 +++ zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch 2019-03-04 22:43:14.000000000 +0100 
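Review bot: With the undo logic removed, a mismatched entry count now returns ZZIP_CORRUPTED while `*hdr_return` may still point at hdr0 (the `*hdr_return = hdr0` assignment sits just above this hunk), so ownership of hdr0 passes to the caller on an error return. That is leak-free only if every caller frees `*hdr_return` whenever the result is non-zero; the callers are not visible here, so the contract should be stated at the return, e.g. `/* on ZZIP_CORRUPTED the caller owns and must free *hdr_return */`. `__zzip_parse_root_directory` begins before the hunk.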
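Review bot: The new `else free(hdr0);` is the only unbraced branch in this if/else chain; the `else` directly above it in the same hunk wraps its `free(hdr0)` in braces, and the `if` this new `else` belongs to starts outside the hunk, so `else { free(hdr0); }` keeps the chain uniform and harder to misread next to the `/* else zero (sane) entries */` comment. In the zero-entries case hdr0 is now freed and `*hdr_return` is left untouched; if any caller reads `*hdr_return` after a 0 return without initialising it first, that would need confirming separately.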
@@ -0,0 +1,49 @@
+From: =?UTF-8?q?Josef=20M=C3=B6llers?= <josef@firefly.moellers.local>
+Date: Fri, 2 Feb 2018 14:09:32 +0100
+Subject: Reject the ZIP file and report it as corrupt if the size of the
+ central directory and/or the offset of start of central directory point
+ beyond the end of the ZIP file. [CVE-2018-6484]
+Origin: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6484
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6541
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6869
+Bug-Debian: https://bugs.debian.org/889089
+Bug: https://github.com/gdraheim/zziplib/issues/14
+Bug: https://github.com/gdraheim/zziplib/issues/16
+Bug: https://github.com/gdraheim/zziplib/issues/22
+
+---
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index f0eac2b71501..67e662f59f46 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ # endif
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ } else if ((*tail == 'P') &&
+ end - tail >=
+@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ # endif
+ }
+--
+2.11.0
+
diff -Nru zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch
--- zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch 2019-03-04 22:43:14.000000000 +0100
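Review bot: `trailer->zz_rootseek + trailer->zz_rootsize` adds two values read straight from the archive before the comparison; if the `zz_*` fields are signed (the zip64 branch in the second hunk reads 64-bit values) the sum can overflow, which is undefined behaviour, before `>= filesize` ever sees it. Once check-rootseek-and-rootsize-to-be-positive-27.patch in this series has rejected negatives, the same test can be written without the addition: `if (trailer->zz_rootseek >= filesize || trailer->zz_rootsize >= filesize - trailer->zz_rootseek) return(ZZIP_CORRUPTED);`. The identical check and comment appear in both hunks; a small static helper would keep the two copies from drifting apart. `__zzip_fetch_disk_trailer` begins before the first hunk.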
@@ -0,0 +1,47 @@
+From: Guido Draheim <gui...@gmx.de>
+Date: Tue, 13 Mar 2018 01:50:36 +0100
+Subject: check rootseek after correction #41
+Origin: https://github.com/gdraheim/zziplib/commit/19c9e4dc6c5cf92a38d0d23dbccac6993f9c41be
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 6be8d7c8f944..0d79d5298860 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -1,4 +1,3 @@
+-
+ /*
+ * Author:
+ * Guido Draheim <gui...@gmx.de>
+@@ -422,6 +421,9 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootseek < 0)
++ return ZZIP_CORRUPTED;
++
+ hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+ if (! hdr0)
+ return ZZIP_DIRSIZE;
+@@ -465,8 +467,9 @@ __zzip_parse_root_directory(int fd,
+ # endif
+
+ if (fd_map)
+- { d = (void*)(fd_map+zz_fd_gap+zz_offset); } /* fd_map+fd_gap==u_rootseek */
+- else
++ {
++ d = (void*)(fd_map+zz_fd_gap+zz_offset); /* fd_map+fd_gap==u_rootseek */
++ } else
+ {
+ if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+ return ZZIP_DIR_SEEK;
+--
+2.11.0
+
diff -Nru zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch
--- zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch 2019-03-04 22:43:14.000000000 +0100
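Review bot: `hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize)` now sits behind a sign check only, and `zz_rootsize` — presumably declared like the visible `zz_rootseek` as `zzip_off64_t` — is narrowed implicitly to `size_t` for the allocation; on a 32-bit build a value above the `size_t` range would be truncated rather than rejected, so an explicit guard such as `if ((zzip_off64_t)(size_t) zz_rootsize != zz_rootsize) return ZZIP_CORRUPTED;` before the malloc makes the narrowing visible. The new condition tests `zz_rootseek < 0` twice and never `zz_rootsize`; that is corrected by fix-for-zz_rootsize-41.patch later in this series. The `@@ -1,4 +1,3 @@` hunk removing a leading blank line is unrelated whitespace churn that is easier to audit in a separate patch. `__zzip_parse_root_directory` begins before the second hunk.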
@@ -0,0 +1,38 @@
+From: Guido Draheim <gui...@gmx.de>
+Date: Tue, 13 Mar 2018 00:23:33 +0100
+Subject: check rootseek and rootsize to be positive #27
+Origin: https://github.com/gdraheim/zziplib/commit/8f48323c181e20b7e527b8be7229d6eb1148ec5f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a5db9d8cf9ce..6be8d7c8f944 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -318,6 +318,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
+ # endif
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
+ /*
+@@ -344,6 +346,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+--
+2.11.0
+
diff -Nru zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch
--- zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch 2019-03-04 22:43:14.000000000 +0100
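Review bot: The two `// forged value` comments are the only C99 line comments in a file that otherwise uses block comments (see the `/* ... */` in the same hunk); `return(ZZIP_CORRUPTED); /* forged value */` keeps the style uniform and builds under any pre-C99 mode the project may still support. In the first hunk the sign check runs before `__fixup_rootseek(offset + tail - mapped, trailer)`; if that fixup can move `zz_rootseek` downwards, the adjusted value is not re-tested here and a negative would slip past the `>= filesize` comparisons that follow — the recheck that check-rootseek-after-correction-41.patch adds in `__zzip_parse_root_directory` covers the later stage, but a `< 0` test after the fixup would close it at the source. `__zzip_fetch_disk_trailer` begins before the first hunk.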
@@ -0,0 +1,46 @@
+From: Guido Draheim <gui...@gmx.de>
+Date: Tue, 13 Mar 2018 01:29:44 +0100
+Subject: check zlib space to be within buffer #39
+Origin: https://github.com/gdraheim/zziplib/commit/1ba660b3300d67b8ce9f6b96bbae0b36fa2d6b06
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7725
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/39
+
+---
+ zzip/memdisk.c | 9 +++++++++
+ zzip/mmapped.c | 2 ++
+ 2 files changed, 11 insertions(+)
+
+--- a/zzip/memdisk.c
++++ b/zzip/memdisk.c
+@@ -434,11 +434,19 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir
+ file->zlib.avail_in = zzip_mem_entry_csize(entry);
+ file->zlib.next_in = zzip_mem_entry_to_data(entry);
+
++ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
++ goto error;
++ if (file->zlib.next_in < file->buffer)
++ goto error;
++
+ if (! zzip_mem_entry_data_deflated(entry) ||
+ inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
+ { free (file); return 0; }
+
+ return file;
++error:
++ errno = EBADMSG;
++ return NULL;
+ }
+
+ zzip__new__ ZZIP_MEM_DISK_FILE *
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -567,6 +567,8 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk,
+
+ if (file->zlib.next_in + file->zlib.avail_in >= disk->endbuf)
+ goto error;
++ if (file->zlib.next_in < disk->buffer)
++ goto error;
+
+ if (! zzip_file_header_data_deflated(header))
+ goto error;
diff -Nru zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch
--- zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch 2019-03-04 22:43:14.000000000 +0100
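Review bot: The new `error:` label in memdisk.c returns NULL without releasing `file`, while the existing failure path two lines above it does `{ free (file); return 0; }`, so every archive that trips the new bounds checks leaks one ZZIP_MEM_DISK_FILE; the label should read `error: free(file); errno = EBADMSG; return NULL;`. In both files the upper-bound test forms `next_in + avail_in` before anything has established that `next_in` lies inside the buffer, so with a forged compressed size the pointer arithmetic itself is undefined before the comparison runs; test the lower bound first and compare lengths instead, e.g. `if (file->zlib.next_in < file->buffer || (size_t)(file->endbuf - file->zlib.next_in) <= file->zlib.avail_in) goto error;`. The same `stored + avail` and `stored + size` pattern appears in need-to-check-on-endbuf-for-stored-files-15.patch. Both `zzip_mem_entry_fopen` and `zzip_disk_entry_fopen` begin before their hunks.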
@@ -0,0 +1,29 @@
+From: Guido Draheim <gui...@gmx.de>
+Date: Thu, 15 Mar 2018 23:54:37 +0100
+Subject: fix for zz_rootsize #41
+Origin: https://github.com/gdraheim/zziplib/commit/feae4da1a5c92100c44ebfcbaaa895959cc0829b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 0d79d5298860..14e2e06615cd 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -421,7 +421,7 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
+- if (zz_entries < 0 || zz_rootseek < 0 || zz_rootseek < 0)
++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+ return ZZIP_CORRUPTED;
+
+ hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+--
+2.11.0
+
diff -Nru zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch
--- zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch 2019-03-04 22:43:14.000000000 +0100
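Review bot: `zz_rootsize == 0` still passes the corrected check and reaches `malloc(zz_rootsize)`; `malloc(0)` may return NULL, which this function then reports as ZZIP_DIRSIZE (an allocation failure) rather than corruption, or a zero-length block that the entry loop outside this hunk must never write into. Unless that loop independently bounds its output against zz_rootsize, rejecting the shape up front with `if (zz_rootsize == 0 && zz_entries != 0) return ZZIP_CORRUPTED;` would make the invariant explicit. The original typo reads plausibly at a glance, so a regression fixture with a negative root-directory size is worth adding to whatever test corpus the package runs. `__zzip_parse_root_directory` begins before the hunk.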
@@ -0,0 +1,39 @@
+From: Guido Draheim <gui...@gmx.de>
+Date: Thu, 1 Feb 2018 12:27:49 +0100
+Subject: merge CVE-2018-6381.patch from @jmoellers #12
+Origin: https://github.com/gdraheim/zziplib/commit/a803559fa9194be895422ba3684cf6309b6bb598
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6381
+Bug-Debian: https://bugs.debian.org/889096
+Bug: https://github.com/gdraheim/zziplib/issues/12
+
+---
+ zzip/memdisk.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/zzip/memdisk.c
++++ b/zzip/memdisk.c
+@@ -191,6 +191,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
+ item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+
++ /*
++ * If the file is uncompressed, zz_csize and zz_usize should be the same
++ * If they are not, we cannot guarantee that either is correct, so ...
++ */
++ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
++ {
++ goto error;
++ }
+ { /* copy the extra blocks to memory as well */
+ int /* */ ext1 = zzip_disk_entry_get_extras(entry);
+ char *_zzip_restrict ptr1 = zzip_disk_entry_to_extras(entry);
+@@ -234,6 +242,9 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ */
+ return item;
+ ____;
++error:
++ zzip_mem_entry_free(item);
++ return 0;
+ ____;
+ }
+
diff -Nru zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch
--- zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch 2019-03-04 22:43:14.000000000 +0100
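Review bot: The new `goto error` fires before the extra blocks are copied, and the `error:` label then hands a partially populated `item` to `zzip_mem_entry_free(item)`; that is safe only if `item` was zero-initialised and `zzip_mem_entry_free` tolerates NULL members, neither of which this hunk shows, so either confirm it with a comment at the label or `free(item)` directly there. The label also uses `return 0;` for a pointer result where `return NULL;` states the intent, given the existing `return item;` above. Whether callers of `zzip_mem_entry_new` handle a NULL return is outside the patch and worth checking, since NULL is now a routine outcome for a malformed stored entry. `zzip_mem_entry_new` begins before the first hunk.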
@@ -0,0 +1,59 @@ +From: Guido Draheim <gui...@gmx.de> +Date: Mon, 5 Feb 2018 13:57:49 +0100 +Subject: need to check on endbuf for stored files #15 +Origin: https://github.com/gdraheim/zziplib/commit/72ec933663f738d8e166979aa7fd5590b2104a07 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6540 +Bug-Debian: https://bugs.debian.org/923659 +Bug: https://github.com/gdraheim/zziplib/issues/15 + +--- + +--- a/zzip/mmapped.c ++++ b/zzip/mmapped.c +@@ -551,7 +551,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, + file->avail = zzip_file_header_usize(header); + + if (! file->avail || zzip_file_header_data_stored(header)) +- { file->stored = zzip_file_header_to_data (header); return file; } ++ { ++ file->stored = zzip_file_header_to_data (header); ++ if (file->stored + file->avail >= disk->endbuf) ++ goto error; ++ return file; ++ } + + file->stored = 0; + file->zlib.opaque = 0; +@@ -560,11 +565,18 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, + file->zlib.avail_in = zzip_file_header_csize(header); + file->zlib.next_in = zzip_file_header_to_data(header); + +- if (! zzip_file_header_data_deflated(header) || +- inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK) +- { free (file); return 0; } ++ if (file->zlib.next_in + file->zlib.avail_in >= disk->endbuf) ++ goto error; ++ ++ if (! 
zzip_file_header_data_deflated(header)) ++ goto error; ++ if (inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK) ++ goto error; + + return file; ++error: ++ free (file); ++ return 0; + ____; + } + +@@ -601,6 +613,10 @@ zzip_disk_fread(void *ptr, zzip_size_t s + size = file->avail; + if (file->stored) + { ++ if (file->stored + size >= file->endbuf) ++ { ++ return 0; /* ESPIPE */ ++ } + memcpy(ptr, file->stored, size); + file->stored += size; + file->avail -= size; diff -Nru zziplib-0.13.62/debian/patches/series zziplib-0.13.62/debian/patches/series --- zziplib-0.13.62/debian/patches/series 2017-06-04 09:03:11.000000000 +0200 +++ zziplib-0.13.62/debian/patches/series 2019-03-04 22:43:14.000000000 +0100 @@ -6,4 +6,14 @@ zziplib-CVE-2017-5978.patch zziplib-CVE-2017-5979.patch zziplib-CVE-2017-5981.patch -zziplib-unzipcat-NULL-name.patch \ No newline at end of file +zziplib-unzipcat-NULL-name.patch +merge-CVE-2018-6381.patch-from-jmoellers-12.patch +Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch +need-to-check-on-endbuf-for-stored-files-15.patch +check-zlib-space-to-be-within-buffer-39.patch +check-rootseek-and-rootsize-to-be-positive-27.patch +check-rootseek-after-correction-41.patch +fix-for-zz_rootsize-41.patch +Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch +Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch +One-more-free-to-avoid-memory-leak.patch
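Review bot: The new `error:` path in `zzip_disk_entry_fopen` frees `file` and returns 0 without setting errno, whereas the counterpart added to memdisk.c by check-zlib-space-to-be-within-buffer-39.patch sets `errno = EBADMSG`; callers of the two fopen variants therefore observe different errno values for the same corruption, so `error: free (file); errno = EBADMSG; return 0;` would align them, assuming <errno.h> is already available in mmapped.c. In `zzip_disk_fread` the new guard is annotated `/* ESPIPE */` yet returns 0 with errno untouched; either set `errno = ESPIPE;` there or drop the comment so it does not promise an error code that is never reported. Both `zzip_disk_entry_fopen` and `zzip_disk_fread` begin before their hunks.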