Hello community, here is the log from the commit of package zziplib for openSUSE:Factory checked in at 2018-02-09 15:45:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zziplib (Old) and /work/SRC/openSUSE:Factory/.zziplib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zziplib"
Fri Feb 9 15:45:22 2018 rev:26 rq:573678 version:0.13.67
Changes:
--------
--- /work/SRC/openSUSE:Factory/zziplib/zziplib.changes 2018-01-30 15:38:12.243971109 +0100
+++ /work/SRC/openSUSE:Factory/.zziplib.new/zziplib.changes 2018-02-09 15:45:22.196079635 +0100
@@ -1,0 +2,25 @@
+Tue Feb 6 14:55:03 UTC 2018 - josef.moell...@suse.com
+
+- If an extension block is too small to hold an extension,
+ do not use the information therein.
+- If the End of central directory record (EOCD) contains an
+ Offset of start of central directory which is beyond the end of
+ the file, reject the file.
+ [CVE-2018-6540, bsc#1079096, CVE-2018-6540.patch]
+
+-------------------------------------------------------------------
+Fri Feb 2 09:31:49 UTC 2018 - josef.moell...@suse.com
+
+- Reject the ZIP file and report it as corrupt if the size of the
+ central directory and/or the offset of start of central directory
+ point beyond the end of the ZIP file.
+ [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch]
+
+-------------------------------------------------------------------
+Thu Feb 1 10:49:56 UTC 2018 - josef.moell...@suse.com
+
+- If a file is uncompressed, compressed and uncompressed sizes
+ should be identical.
+ [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch]
+
+-------------------------------------------------------------------
New:
----
CVE-2018-6381.patch
CVE-2018-6484.patch
CVE-2018-6540.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ zziplib.spec ++++++
--- /var/tmp/diff_new_pack.3ajViQ/_old 2018-02-09 15:45:23.312039564 +0100
+++ /var/tmp/diff_new_pack.3ajViQ/_new 2018-02-09 15:45:23.316039421 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,9 @@
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: CVE-2018-6381.patch
+Patch4: CVE-2018-6484.patch
+Patch5: CVE-2018-6540.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
@@ -66,6 +69,9 @@
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am
++++++ CVE-2018-6381.patch ++++++
Index: zziplib-0.13.67/zzip/memdisk.c
===================================================================
--- zziplib-0.13.67.orig/zzip/memdisk.c
+++ zziplib-0.13.67/zzip/memdisk.c
@@ -209,6 +209,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
 item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+ /*
+ * If the file is uncompressed, zz_csize and zz_usize should be the same
+ * If they are not, we cannot guarantee that either is correct, so ...
+ */
+ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
+ {
+ goto error;
+ }
 /* zz_comment and zz_name are empty strings if not present on disk */
 if (! item->zz_comment || ! item->zz_name)
 {
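Review bot: The new `goto error` in zzip_mem_entry_new rejects a stored entry whose sizes disagree without setting errno first, so a caller that inspects errno after a NULL return cannot tell corrupt input from an allocation failure; add `errno = EBADMSG;` before the jump, which is the convention the CVE-2018-6540 hunk in mmapped.c on this page follows. The `error` label and the assignments of zz_compr, zz_csize and zz_usize lie outside the hunk, so confirm those three fields are populated before this point and that the label releases `item` and does not clobber errno. The comment could also say why the mismatch matters, e.g. `/* A stored entry must report equal compressed and uncompressed sizes; a mismatch means one of them is untrustworthy, so reject the entry. */`. zzip_mem_entry_new starts before and ends after this hunk.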
@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
 # endif
 __fixup_rootseek(offset + tail - mapped, trailer);
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+ */
+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+ return(ZZIP_CORRUPTED);
 { return(0); }
 }
 else if ((*tail == 'P') && end - tail >=
@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
 zzip_disk64_trailer_finalentries(orig);
 trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
 trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+ */
+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+ return(ZZIP_CORRUPTED);
 { return(0); }
 # endif
 }
Index: zziplib-0.13.67/bins/unzzipcat-zip.c
===================================================================
--- zziplib-0.13.67.orig/bins/unzzipcat-zip.c
+++ zziplib-0.13.67/bins/unzzipcat-zip.c
@@ -78,7 +78,7 @@ static int unzzip_cat (int argc, char **
 disk = zzip_dir_open (argv[1], &error);
 if (! disk)
 {
- perror(argv[1]);
+ fprintf(stderr, "%s: %s\n", argv[1], zzip_strerror(error));
 return -1;
 }
++++++ CVE-2018-6540.patch ++++++
Index: zziplib-0.13.67/zzip/mmapped.c
===================================================================
--- zziplib-0.13.67.orig/zzip/mmapped.c
+++ zziplib-0.13.67/zzip/mmapped.c
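Review bot: The range check added in both zip.c hunks, `(trailer->zz_rootseek + trailer->zz_rootsize) >= filesize`, adds two values read straight from the EOCD / zip64 EOCD record, so the sum can wrap (undefined behaviour if the fields are signed) and a wrapped sum below filesize passes; if zz_rootseek is a signed offset that `__fixup_rootseek` can leave negative, the first comparison passes as well and the whole check is bypassed — the field types are not visible in the hunk, so confirm them. Rewrite it as a subtraction that cannot overflow: `if (trailer->zz_rootseek < 0 || trailer->zz_rootseek >= filesize || trailer->zz_rootsize > filesize - trailer->zz_rootseek) return ZZIP_CORRUPTED;`. Since the same six lines appear in both hunks, a small static helper taking the trailer and filesize would keep the EOCD and zip64 paths from drifting apart. __zzip_fetch_disk_trailer begins before the first hunk and ends after the second.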
@@ -457,6 +457,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
 errno = EBADMSG;
 return 0;
 }
+ if (root >= disk->endbuf)
+ {
+ DBG1("root behind endbuf should be impossible");
+ errno = EBADMSG;
+ return 0;
+ }
 if (zzip_disk_entry_check_magic(root))
 {
 DBG1("found the disk root");
Index: zziplib-0.13.67/zzip/memdisk.c
===================================================================
--- zziplib-0.13.67.orig/zzip/memdisk.c
+++ zziplib-0.13.67/zzip/memdisk.c
@@ -305,7 +305,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM
 char* ext_end = ext + entry->zz_extlen[i];
 if (ext)
 {
- while (ext + zzip_extra_block_headerlength <= ext_end)
+ /*
+ * Make sure that
+ * 1) the extra block header
+ * AND
+ * 2) the block we're looking for
+ * fit into the extra block!
+ */
+ while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
 {
 if (datatype == zzip_extra_block_get_datatype(ext))
 {
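Review bot: `root >= disk->endbuf` only proves that the first byte of `root` is inside the mapping, but the very next line `zzip_disk_entry_check_magic(root)` reads the magic field and the code after the hunk presumably reads the rest of the entry, so a rootseek that lands within the last few bytes before endbuf still reads past the buffer. Bound the check by the entry size instead, e.g. `if ((char *)root + sizeof(*root) > (char *)disk->endbuf)` (using whatever byte-pointer type the file already uses for endbuf), and apply the same bound wherever later code dereferences `root`. The message `"root behind endbuf should be impossible"` is misleading because a crafted EOCD reaches this branch deliberately; `"central directory offset points past end of archive"` states what was actually detected. zzip_disk_findfirst starts before and ends after this hunk.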
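Review bot: The new loop condition `ext + zzip_extra_block_headerlength + blocksize <= ext_end` computes a pointer that may lie beyond the end of the extra field before comparing it, which is undefined behaviour in C and something the optimiser is permitted to fold to true; compare the remaining length instead: `while ((size_t)(ext_end - ext) >= zzip_extra_block_headerlength + blocksize)`. That condition guarantees only that blocksize bytes remain in the buffer, not that the matched block itself is that large, so on a datatype match also verify that the block's own declared data size is at least blocksize before handing it to the caller — the use of the match and the advance of `ext` by the declared size are outside the hunk, so I cannot tell whether either is already bounded. The seven-line comment could be shortened to `/* Both the block header and a block of the requested size must fit in what is left of the extra field. */`. zzip_mem_entry_find_extra_block starts before and ends after this hunk.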