Hello community, here is the log from the commit of package zoo checked in at Fri May 11 15:44:11 CEST 2007. -------- --- zoo/zoo.changes 2006-03-06 11:52:39.000000000 +0100 +++ /mounts/work_src_done/STABLE/zoo/zoo.changes 2007-05-09 16:29:17.000000000 +0200 @@ -1,0 +2,6 @@ +Wed May 9 16:22:08 CEST 2007 - lmichnovic@suse.cz + +- fixed possible ZOO file decompression infinite loop DoS attack + CVE-2007-1669 (security-infinite_loop.patch) [#271781] + +------------------------------------------------------------------- New: ---- zoo-2.10-security-infinite_loop.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zoo.spec ++++++ --- /var/tmp/diff_new_pack.p25254/_old 2007-05-11 15:40:50.000000000 +0200 +++ /var/tmp/diff_new_pack.p25254/_new 2007-05-11 15:40:50.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package zoo (Version 2.10) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -11,11 +11,11 @@ # norootforbuild Name: zoo -License: distributable, Other License(s), see package +License: Public Domain, Freeware Group: Productivity/Archiving/Compression Autoreqprov: on Version: 2.10 -Release: 867 +Release: 911 Summary: Pack Program Source: zoo.tar.gz Patch0: zoo.patch @@ -25,6 +25,7 @@ Patch4: zoo-return.patch Patch5: zoo-security_pathsize.patch Patch6: zoo-security_parse.patch +Patch7: zoo-%{version}-security-infinite_loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -52,6 +53,7 @@ %patch4 %patch5 %patch6 +%patch7 -p1 %build make linux OPTIM="$RPM_OPT_FLAGS -fstack-protector" 
@@ -73,7 +75,10 @@ %doc %{_mandir}/man1/fiz.1.gz %doc %{_mandir}/man1/zoo.1.gz -%changelog -n zoo +%changelog +* Wed May 09 2007 - lmichnovic@suse.cz +- fixed possible ZOO file decompression infinite loop DoS attack + CVE-2007-1669 (security-infinite_loop.patch) [#271781] * Mon Mar 06 2006 - lmichnovic@suse.cz - fixed buffer overflow (security_parse.patch) [155371] * Fri Feb 24 2006 - lmichnovic@suse.cz ++++++ zoo-2.10-security-infinite_loop.patch ++++++ diff -u zoo/zooext.c zoo-patched/zooext.c --- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400 +++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500 @@ -89,6 +89,7 @@ #endif struct direntry direntry; /* directory entry */ int first_dir = 1; /* first dir entry seen? */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n"; static char no_space[] = "Insufficient disk space to extract %s.\n"; @@ -169,6 +170,9 @@ exit_status = 1; } zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data begins */ + + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; } #ifndef PORTABLE @@ -597,6 +601,12 @@ } /* end if */ loop_again: + + /* Make sure we are not seeking to already processed data */ + if (next_ptr <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = next_ptr; + zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */ } /* end while */ diff -u zoo/zoolist.c zoo-patched/zoolist.c --- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400 +++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500 @@ -92,6 +92,7 @@ int show_mode = 0; /* show file protection */ #endif int first_dir = 1; /* if first direntry -- to adjust dat_ofs */ +unsigned long zoo_pointer = 0; /* Track our position in the file */ while (*option) { switch (*option) { 
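Review bot: `zoo_pointer` is declared `unsigned long` in the zooext.c hunk at -89 (and again in zoolist.c at -92), but the values it is compared with, `next_ptr` in the -597 hunk and `direntry.next` in zoolist.c at -437, appear to be signed `long` offsets read from the archive; their declarations are outside the hunks. If so, a negative `next` in a damaged archive is converted to a large unsigned value, passes `next_ptr <= zoo_pointer`, and is handed to `zooseek` as a negative offset. The loop still ends because the tracker only grows, but the bad offset is never reported as corruption. Declaring the tracker with the offset's type, `long zoo_pointer = 0; /* Track our position in the file */`, keeps the comparison signed, so the same check rejects such a value whenever the starting offset is non-negative. The check also relies on `prterror ('f', ...)` not returning, which is defined outside this patch and worth confirming.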
@@ -211,6 +212,9 @@ show_acmt (&zoo_header, zoo_file, 0); /* show archive comment */ } + /* Begin tracking our position in the file */ + zoo_pointer = zoo_header.zoo_start; + /* Seek to the beginning of the first directory entry */ if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) { ercount++; @@ -437,6 +441,11 @@ if (verb_list && !fast) show_comment (&direntry, zoo_file, 0, (char *) NULL); } /* end if (lots of conditions) */ + + /* Make sure we are not seeking to already processed data */ + if (direntry.next <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = direntry.next; /* ..seek to next dir entry */ zooseek (zoo_file, direntry.next, 0); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
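Review bot: The loop's `zooseek (zoo_file, direntry.next, 0);` at the end of the -437 hunk still ignores its return value, although the -211 hunk in the same file tests `zooseek (...) != 0` for the first entry. The new monotonic check accepts any offset larger than the previous one, including one past the end of the archive, so a failed or out-of-range seek is left for the following directory read to detect; whether it does is not visible here. Consider `if (zooseek (zoo_file, direntry.next, 0) != 0) prterror ('f', "ZOO chain structure is corrupted\n");`, and the same for the `zooseek (zoo_file, next_ptr, 0)` call in zooext.c. The enclosing loop begins and ends outside the hunk.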