Hello community, here is the log from the commit of package libzip for openSUSE:Factory checked in at 2017-09-23 21:32:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libzip (Old) and /work/SRC/openSUSE:Factory/.libzip.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzip" Sat Sep 23 21:32:09 2017 rev:30 rq:528196 version:1.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libzip/libzip.changes 2017-09-04 12:25:48.924150770 +0200 +++ /work/SRC/openSUSE:Factory/.libzip.new/libzip.changes 2017-09-23 21:32:10.563626439 +0200 @@ -1,0 +2,20 @@ +Fri Sep 22 06:19:34 UTC 2017 - [email protected] + +- reverted version update to 1.3.0 due failing i586 tests +- remove libzip-disable-failing-tests.patch again +- add libzip-CVE-2017-12858.patch again +- add libzip-CVE-2017-14107.patch [bsc#1056996] + +------------------------------------------------------------------- +Wed Sep 6 13:13:05 UTC 2017 - [email protected] + +- update to version 1.3.0: + * Support bzip2 compressed zip archives + * Improve file progress callback code + * Fix zip_fdopen() + * CVE-2017-12858: Fix double free(). + * CVE-2017-14107: Improve EOCD64 parsing. +- remove upstreamed libzip-CVE-2017-12858.patch +- added libzip-disable-failing-tests.patch [bsc#1056996#c12] + +------------------------------------------------------------------- New: ---- libzip-CVE-2017-14107.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzip.spec ++++++ --- /var/tmp/diff_new_pack.AqYdVD/_old 2017-09-23 21:32:11.391509967 +0200 +++ /var/tmp/diff_new_pack.AqYdVD/_new 2017-09-23 21:32:11.395509405 +0200 @@ -29,6 +29,7 @@ # PATCH-FIX-OPENSUSE: close on exec, upstream is aware, will be probably fixes next release Patch1: libzip-ocloexec.patch Patch2: libzip-CVE-2017-12858.patch +Patch3: libzip-CVE-2017-14107.patch BuildRequires: libtool BuildRequires: pkgconfig # for tests @@ -82,6 +83,7 @@ %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %configure \ ++++++ libzip-CVE-2017-14107.patch ++++++ >From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001 From: Thomas Klausner <[email protected]> Date: Tue, 29 Aug 2017 10:25:03 +0200 Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases. --- lib/zip_open.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/zip_open.c b/lib/zip_open.c index 3bd593b..9d3a4cb 100644 --- a/lib/zip_open.c +++ b/lib/zip_open.c @@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse zip_error_set(error, ZIP_ER_SEEK, EFBIG); return NULL; } - if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) { + if (offset+size > buf_offset + eocd_offset) { + /* cdir spans past EOCD record */ + zip_error_set(error, ZIP_ER_INCONS, 0); + return NULL; + } + if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) { zip_error_set(error, ZIP_ER_INCONS, 0); return NULL; }
