Hello community,

here is the log from the commit of package zziplib for openSUSE:Factory checked 
in at 2018-02-09 15:45:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zziplib (Old)
 and      /work/SRC/openSUSE:Factory/.zziplib.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "zziplib"

Fri Feb  9 15:45:22 2018 rev:26 rq:573678 version:0.13.67

Changes:
--------
--- /work/SRC/openSUSE:Factory/zziplib/zziplib.changes  2018-01-30 
15:38:12.243971109 +0100
+++ /work/SRC/openSUSE:Factory/.zziplib.new/zziplib.changes     2018-02-09 
15:45:22.196079635 +0100
@@ -1,0 +2,25 @@
+Tue Feb  6 14:55:03 UTC 2018 - josef.moell...@suse.com
+
+- If an extension block is too small to hold an extension,
+  do not use the information therein.
+- If the End of central directory record (EOCD) contains an
+  Offset of start of central directory which is beyond the end of
+  the file, reject the file.
+  [CVE-2018-6540, bsc#1079096, CVE-2018-6540.patch]
+
+-------------------------------------------------------------------
+Fri Feb  2 09:31:49 UTC 2018 - josef.moell...@suse.com
+
+- Reject the ZIP file and report it as corrupt if the size of the
+  central directory and/or the offset of start of central directory
+  point beyond the end of the ZIP file.
+  [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch]
+
+-------------------------------------------------------------------
+Thu Feb  1 10:49:56 UTC 2018 - josef.moell...@suse.com
+
+- If a file is uncompressed, compressed and uncompressed sizes
+  should be identical.
+  [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch]
+
+-------------------------------------------------------------------

New:
----
  CVE-2018-6381.patch
  CVE-2018-6484.patch
  CVE-2018-6540.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ zziplib.spec ++++++
--- /var/tmp/diff_new_pack.3ajViQ/_old  2018-02-09 15:45:23.312039564 +0100
+++ /var/tmp/diff_new_pack.3ajViQ/_new  2018-02-09 15:45:23.316039421 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,9 @@
 Patch0:         zziplib-0.13.62.patch
 Patch1:         zziplib-0.13.62-wronglinking.patch
 Patch2:         zziplib-largefile.patch
+Patch3:         CVE-2018-6381.patch
+Patch4:         CVE-2018-6484.patch
+Patch5:         CVE-2018-6540.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -66,6 +69,9 @@
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
 

++++++ CVE-2018-6381.patch ++++++
Index: zziplib-0.13.67/zzip/memdisk.c
===================================================================
--- zziplib-0.13.67.orig/zzip/memdisk.c
+++ zziplib-0.13.67/zzip/memdisk.c
@@ -209,6 +209,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
     item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
     item->zz_filetype = zzip_disk_entry_get_filetype(entry);
 
+    /*
+     * If the file is uncompressed, zz_csize and zz_usize should be the same
+     * If they are not, we cannot guarantee that either is correct, so ...
+     */
+    if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
+    {
+        goto error;
+    }
     /* zz_comment and zz_name are empty strings if not present on disk */
     if (! item->zz_comment || ! item->zz_name)
     {
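Review bot: The new size-mismatch rejection jumps to `error` without setting errno, so a caller of zzip_mem_entry_new cannot tell a corrupt stored entry from an allocation failure unless the `error:` label, which lies outside this hunk, sets it; the sibling check added to zzip_disk_findfirst in CVE-2018-6540.patch sets `errno = EBADMSG;` before returning, and an `errno = EBADMSG;` in front of this `goto error` would keep the two consistent. The comment's second sentence trails off in "so ..."; I would finish it as `* If they are not, we cannot guarantee that either is correct, so treat the entry as corrupt and reject it.`. Entries with other compression methods keep inconsistent sizes, and whether decompression bounds them is not visible here. zzip_mem_entry_new starts and ends outside the hunk.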
++++++ CVE-2018-6484.patch ++++++
Index: zziplib-0.13.67/zzip/zip.c
===================================================================
--- zziplib-0.13.67.orig/zzip/zip.c
+++ zziplib-0.13.67/zzip/zip.c
@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
 #                  endif
 
                     __fixup_rootseek(offset + tail - mapped, trailer);
+                   /*
+                    * "extract data from files archived in a single zip file."
+                    * So the file offsets must be within the current ZIP 
archive!
+                    */
+                   if (trailer->zz_rootseek >= filesize || 
(trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+                       return(ZZIP_CORRUPTED);
                     { return(0); }
                 } else if ((*tail == 'P') &&
                            end - tail >=
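Review bot: The added bounds test forms `trailer->zz_rootseek + trailer->zz_rootsize` before comparing, so if those fields are narrower than filesize or unsigned the sum can wrap and a crafted trailer passes the check; once `zz_rootseek < filesize` has been established the overflow-free form is `trailer->zz_rootsize >= filesize - trailer->zz_rootseek`, and if zz_rootseek is a signed type a `< 0` test is needed as well since a negative value also passes the first comparison. The field declarations are not in the hunk, so whether wrap-around is actually reachable needs confirming against the trailer struct and zzip_off_t. The same expression is repeated in the ZIP64 hunk below (after the zzip_disk64_trailer_rootsize assignment) and should get the same rewrite; both inserted lines are mail-wrapped on this page (`ZIP` / `archive!`, and the `||` continuation) and must be rejoined before applying. __zzip_fetch_disk_trailer begins and ends outside the hunk.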
@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
                         zzip_disk64_trailer_finalentries(orig);
                     trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
                     trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
+                   /*
+                    * "extract data from files archived in a single zip file."
+                    * So the file offsets must be within the current ZIP 
archive!
+                    */
+                   if (trailer->zz_rootseek >= filesize || 
(trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+                       return(ZZIP_CORRUPTED);
                     { return(0); }
 #                  endif
                 }
Index: zziplib-0.13.67/bins/unzzipcat-zip.c
===================================================================
--- zziplib-0.13.67.orig/bins/unzzipcat-zip.c
+++ zziplib-0.13.67/bins/unzzipcat-zip.c
@@ -78,7 +78,7 @@ static int unzzip_cat (int argc, char **
     
     disk = zzip_dir_open (argv[1], &error);
     if (! disk) {
-       perror(argv[1]);
+       fprintf(stderr, "%s: %s\n", argv[1], zzip_strerror(error));
        return -1;
     }
 
++++++ CVE-2018-6540.patch ++++++
Index: zziplib-0.13.67/zzip/mmapped.c
===================================================================
--- zziplib-0.13.67.orig/zzip/mmapped.c
+++ zziplib-0.13.67/zzip/mmapped.c
@@ -457,6 +457,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
             errno = EBADMSG;
             return 0;
         }
+       if (root >= disk->endbuf)
+       {
+           DBG1("root behind endbuf should be impossible");
+           errno = EBADMSG;
+           return 0;
+       }
         if (zzip_disk_entry_check_magic(root))
         {
             DBG1("found the disk root");
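Review bot: The new `root >= disk->endbuf` guard only checks the first byte of the entry, yet zzip_disk_entry_check_magic on the following line reads the entry's magic and the code after it apparently reads the rest of the header, so an entry that starts a few bytes before endbuf is still read past the buffer; the test should require the whole header to fit, e.g. `if (root >= disk->endbuf || (char *)disk->endbuf - (char *)root < zzip_disk_entry_headerlength)` (the header-length constants are the ones in zzip/format.h beside zzip_extra_block_headerlength used in the memdisk.c hunk — confirm the exact name there). The "should be impossible" wording of the DBG1 message reads as a defensive assertion, but since root is derived from an offset read from the file this is a regular corrupt-input path, so I would phrase it as `DBG1("root offset points past the end of the buffer");`. zzip_disk_findfirst starts before the hunk.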
Index: zziplib-0.13.67/zzip/memdisk.c
===================================================================
--- zziplib-0.13.67.orig/zzip/memdisk.c
+++ zziplib-0.13.67/zzip/memdisk.c
@@ -305,7 +305,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM
         char* ext_end = ext + entry->zz_extlen[i];
         if (ext)
         {
-            while (ext + zzip_extra_block_headerlength <= ext_end)
+           /*
+            * Make sure that
+            * 1) the extra block header
+            * AND
+            * 2) the block we're looking for
+            * fit into the extra block!
+            */
+            while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
             {
                 if (datatype == zzip_extra_block_get_datatype(ext))
                 {
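Review bot: The rewritten `while` condition computes `ext + zzip_extra_block_headerlength + blocksize` before comparing, which is pointer arithmetic beyond the end of the extra area in exactly the too-short case this patch targets (formally undefined in C, and a compiler may fold the comparison); comparing lengths avoids that: `while (ext_end - ext >= zzip_extra_block_headerlength + blocksize)`, with the signedness of blocksize checked against the ptrdiff_t difference. The condition bounds the candidate to the requested blocksize, not to the data size recorded in the block header; how `ext` is advanced is outside the hunk, so if the advance uses the recorded size it needs the same bound or the loop can step past ext_end. The added comment is indented one column less than the `while` it introduces (11 spaces versus 12). zzip_mem_entry_find_extra_block begins before and ends after the hunk.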
