Hello community, here is the log from the commit of package zziplib for openSUSE:Factory checked in at 2017-03-31 15:04:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zziplib (Old) and /work/SRC/openSUSE:Factory/.zziplib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "zziplib" Fri Mar 31 15:04:40 2017 rev:23 rq:482259 version:0.13.62 Changes: -------- --- /work/SRC/openSUSE:Factory/zziplib/zziplib.changes 2013-03-22 13:07:21.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.zziplib.new/zziplib.changes 2017-03-31 15:04:43.292811777 +0200 
@@ -1,0 +2,26 @@
+Thu Mar 23 13:32:03 UTC 2017 - josef.moellers@suse.com
+
+- Several bugs fixed:
+ * heap-based buffer overflows
+ (bsc#1024517, CVE-2017-5974, zziplib-CVE-2017-5974.patch)
+ * check if "relative offset of local header" in "central
+ directory header" really points to a local header
+ (ZZIP_FILE_HEADER_MAGIC)
+ (bsc#1024528, CVE-2017-5975, zziplib-CVE-2017-5975.patch)
+ * protect against bad formatted data in extra blocks
+ (bsc#1024531, CVE-2017-5976, zziplib-CVE-2017-5976.patch)
+ * NULL pointer dereference in main (unzzipcat-mem.c)
+ (bsc#1024532, bsc#1024536, CVE-2017-5975,
+ zziplib-CVE-2017-5975.patch)
+ * protect against huge values of "extra field length"
+ in local file header and central file header
+ (bsc#1024533, CVE-2017-5978, zziplib-CVE-2017-5978.patch)
+ * clear ZZIP_ENTRY record before use.
+ (bsc#1024534, bsc#1024535, CVE-2017-5979, CVE-2017-5977,
+ zziplib-CVE-2017-5979.patch)
+ * prevent unzzipcat.c from trying to print a NULL name
+ (bsc#1024537, zziplib-unzipcat-NULL-name.patch)
+ * Replace assert() by going to error exit.
+ (bsc#1034539, CVE-2017-5981, zziplib-CVE-2017-5981.patch)
+
+-------------------------------------------------------------------
New: ---- zziplib-CVE-2017-5974.patch zziplib-CVE-2017-5975.patch zziplib-CVE-2017-5976.patch zziplib-CVE-2017-5978.patch zziplib-CVE-2017-5979.patch zziplib-CVE-2017-5981.patch zziplib-unzipcat-NULL-name.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zziplib.spec ++++++
--- /var/tmp/diff_new_pack.KZVsC5/_old 2017-03-31 15:04:44.212681735 +0200
+++ /var/tmp/diff_new_pack.KZVsC5/_new 2017-03-31 15:04:44.216681170 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,13 @@
 Patch: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: zziplib-CVE-2017-5974.patch
+Patch4: zziplib-CVE-2017-5975.patch
+Patch5: zziplib-CVE-2017-5976.patch
+Patch6: zziplib-CVE-2017-5978.patch
+Patch7: zziplib-CVE-2017-5979.patch
+Patch8: zziplib-unzipcat-NULL-name.patch
+Patch9: zziplib-CVE-2017-5981.patch
 BuildRequires: dos2unix
 BuildRequires: fdupes
 BuildRequires: libtool
@@ -66,6 +73,14 @@
 %patch
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+
 # Fix wrong encoding
 dos2unix docs/README.MSVC6
 dos2unix docs/sdocbook.css
++++++ zziplib-CVE-2017-5974.patch ++++++
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI /* override sizes/offsets with zip64 values for largefile support */ zzip_extra_zip64 *block = (zzip_extra_zip64 *) zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64); - if (block) + if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)) { - item->zz_usize = __zzip_get64(block->z_usize); - item->zz_csize = __zzip_get64(block->z_csize); - item->zz_offset = __zzip_get64(block->z_offset); - item->zz_diskstart = __zzip_get32(block->z_diskstart); + item->zz_usize = ZZIP_GET64(block->z_usize); + item->zz_csize = ZZIP_GET64(block->z_csize); + item->zz_offset = ZZIP_GET64(block->z_offset); + item->zz_diskstart = ZZIP_GET32(block->z_diskstart); } } /* NOTE: ++++++ zziplib-CVE-2017-5975.patch ++++++ Index: zziplib-0.13.62/zzip/memdisk.c =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.c +++ zziplib-0.13.62/zzip/memdisk.c @@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI return 0; /* errno=ENOMEM; */ ___ struct zzip_file_header *header = zzip_disk_entry_to_file_header(disk, entry); + if (!header) + { free(item); return 0; } /* there is a number of duplicated information in the file header * or the disk entry block. Theoretically some part may be missing * that exists in the other, ... but we will prefer the disk entry. Index: zziplib-0.13.62/zzip/mmapped.c =================================================================== --- zziplib-0.13.62.orig/zzip/mmapped.c +++ zziplib-0.13.62/zzip/mmapped.c 
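Review bot: The new guard `if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))` bounds the four ZZIP_GET64/ZZIP_GET32 reads only by the block's own declared z_datasize, which comes straight from the archive, and never by the number of bytes actually left in the extra-field copy the block was found in; a zip64 record whose header sits near the end of zz_ext[i] with an inflated datasize still lets those reads run past the allocation. The remaining length of the extra buffer (the zz_extlen field that zziplib-CVE-2017-5976.patch on this page introduces) should bound it too, most naturally by having zzip_mem_entry_extra_block refuse to return a block whose header plus datasize extends beyond its endblock. The magic sum `(8 + 8 + 8 + 4)` would read better as a named constant or a `sizeof` over the zip64 data fields, with a comment such as `/* usize, csize, offset (8 bytes each) and diskstart (4) */`. zzip_mem_entry_new begins and ends outside this hunk.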
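Review bot: The new `if (!header) { free(item); return 0; }` returns the same 0 as the allocation failure two lines above but leaves errno untouched, so a caller cannot tell a central-directory entry whose recorded local-header offset is bogus from running out of memory. Setting `errno = EINVAL;` (or whichever value the library uses for malformed input) before the return, or at least a comment like `/* central-directory offset does not point at a local file header */`, would make the failure diagnosable. Freeing item alone is correct at this point: zz_comment, zz_name and zz_ext are only assigned further down the function, as the other memdisk.c hunks on this page show. zzip_mem_entry_new continues outside the hunk.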
@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK (disk->buffer + zzip_disk_entry_fileoffset(entry)); if (disk->buffer > file_header || file_header >= disk->endbuf) return 0; + if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC) + return 0; return (struct zzip_file_header *) file_header; } ++++++ zziplib-CVE-2017-5976.patch ++++++ Index: zziplib-0.13.62/zzip/memdisk.c =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.c +++ zziplib-0.13.62/zzip/memdisk.c @@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI { void *mem = malloc(ext1 + 2); item->zz_ext[1] = mem; + item->zz_extlen[1] = ext1 + 2; memcpy(mem, ptr1, ext1); ((char *) (mem))[ext1 + 0] = 0; ((char *) (mem))[ext1 + 1] = 0; @@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI { void *mem = malloc(ext2 + 2); item->zz_ext[2] = mem; + item->zz_extlen[2] = ext2 + 2; memcpy(mem, ptr2, ext2); ((char *) (mem))[ext2 + 0] = 0; ((char *) (mem))[ext2 + 1] = 0; @@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR while (1) { ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i]; - if (ext) + if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength)) { + char *endblock = (char *)ext + entry->zz_extlen[i]; + while (*(short *) (ext->z_datatype)) { if (datatype == zzip_extra_block_get_datatype(ext)) @@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR e += zzip_extra_block_headerlength; e += zzip_extra_block_get_datasize(ext); ext = (void *) e; + if (e >= endblock) + { + break; + } ____; } } Index: zziplib-0.13.62/zzip/memdisk.h =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.h +++ zziplib-0.13.62/zzip/memdisk.h 
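Review bot: The magic comparison `ZZIP_GET32(file_header)` reads four bytes, but the range test it follows only guarantees the first byte is below disk->endbuf (`file_header >= disk->endbuf`), so an offset in the last three bytes of the mapping still reads past the buffer, and the returned pointer is later dereferenced as a whole struct zzip_file_header by zzip_file_header_to_data and zzip_file_header_get_extras in memdisk.c. Add a whole-header fit check between the existing range test and the magic test: `if (disk->endbuf - file_header < (ptrdiff_t) sizeof(struct zzip_file_header)) return 0;`, which is safe to evaluate because the preceding test already established buffer <= file_header < endbuf. zzip_disk_entry_to_file_header starts outside the hunk.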
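Review bot: In the block-walking loop of zzip_mem_entry_extra_block (the @@ -245 and @@ -257 hunks) the new `if (e >= endblock) break;` admits any e that is below endblock by as little as one byte, so the next iteration's `*(short *) (ext->z_datatype)` and zzip_extra_block_get_datasize(ext) can read a header that straddles the end of the allocation; the two zero bytes appended by `malloc(ext1 + 2)` cover the datatype test but, presumably, not the datasize field that follows it. Breaking when the header itself does not fit, `if (e >= endblock || endblock - e < zzip_extra_block_headerlength) break;`, applies to every block the precondition that the outer `entry->zz_extlen[i] >= zzip_extra_block_headerlength` test already applies to the first one. The loop also returns a matched block without checking that its declared datasize lies within endblock, which leaves callers such as the zip64 lookup in the CVE-2017-5974 hunk to trust that field. Separately, the `malloc(ext1 + 2)` and `malloc(ext2 + 2)` results in the @@ -201 and @@ -209 hunks are still handed to memcpy unchecked.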
@@ -66,6 +66,7 @@ struct _zzip_mem_entry { int zz_filetype; /* (from "z_filetype") */ char* zz_comment; /* zero-terminated (from "comment") */ ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */ + int zz_extlen[3]; /* length of zz_ext[i] in bytes */ }; /* the extra blocks are NOT converted */ #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list) ++++++ zziplib-CVE-2017-5978.patch ++++++ Index: zziplib-0.13.62/zzip/memdisk.c =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.c +++ zziplib-0.13.62/zzip/memdisk.c @@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI * that exists in the other, ... but we will prefer the disk entry. */ item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry); - item->zz_name = zzip_disk_entry_strdup_name(disk, entry); + item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup(""); item->zz_data = zzip_file_header_to_data(header); item->zz_flags = zzip_disk_entry_get_flags(entry); item->zz_compr = zzip_disk_entry_get_compr(entry); @@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI int /* */ ext2 = zzip_file_header_get_extras(header); char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header); - if (ext1) + if (ext1 && ((ptr1 + ext1) < disk->endbuf)) { void *mem = malloc(ext1 + 2); item->zz_ext[1] = mem; @@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI ((char *) (mem))[ext1 + 0] = 0; ((char *) (mem))[ext1 + 1] = 0; } - if (ext2) + if (ext2 && ((ptr2 + ext2) < disk->endbuf)) { void *mem = malloc(ext2 + 2); item->zz_ext[2] = mem; ++++++ zziplib-CVE-2017-5979.patch ++++++ Index: zziplib-0.13.62/zzip/fseeko.c =================================================================== --- zziplib-0.13.62.orig/zzip/fseeko.c +++ zziplib-0.13.62/zzip/fseeko.c 
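Review bot: The comment on the new field, `int zz_extlen[3]; /* length of zz_ext[i] in bytes */`, understates what is stored: the memdisk.c hunks assign `ext1 + 2` and `ext2 + 2`, i.e. the malloc'd size including the two zero terminator bytes, which is what the endblock computation in zzip_mem_entry_extra_block relies on. Suggested wording: `/* malloc'd size of zz_ext[i] in bytes, incl. the 2 zero terminator bytes */`. zz_extlen[0] is not assigned by any hunk on this page, so the walker's `zz_extlen[i] >= zzip_extra_block_headerlength` test for i == 0 depends on the entry being zero-initialised on allocation — worth confirming. Since struct _zzip_mem_entry is declared in this public header, appending a field changes its size for any consumer that allocates or embeds it itself; if that is a supported use, the changelog should say so.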
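Review bot: `zzip_disk_entry_strdup_name(disk, entry) ?: strdup("")` uses the GNU `?:` operator, which is not standard C and will not compile with MSVC, a target the package still documents (the spec file ships docs/README.MSVC6); the portable spelling is `item->zz_name = zzip_disk_entry_strdup_name(disk, entry); if (!item->zz_name) item->zz_name = strdup("");`. Note that strdup("") can itself return NULL under memory pressure, so code that now assumes zz_name is non-NULL still needs to handle that case, or the function should free item and fail the way the header check earlier in the function does. zzip_mem_entry_new begins and ends outside the hunk.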
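Review bot: The new range tests `(ptr1 + ext1) < disk->endbuf` and, in the @@ -206 hunk, `(ptr2 + ext2) < disk->endbuf` are one byte stricter than the access they protect: memcpy reads ptr1[0 .. ext1-1], so an extra field ending exactly at disk->endbuf is in principle valid yet rejected, and `<=` is the exact bound. When the test fails the entry silently loses its extra field, which in turn disables the zip64 size override in the @@ -216 hunk; that is an acceptable policy for a corrupt archive, but a comment on the branch such as `/* extra field runs past the end of the image: drop it, keep the entry */` would record the intent. Both hunks lie inside zzip_mem_entry_new, whose body starts and ends outside them.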
@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk) return 0; /* we read out chunks of 8 KiB in the hope to match disk granularity */ ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */ - ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry)); + ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry)); if (! entry) return 0; ___ unsigned char *buffer = malloc(pagesize); ++++++ zziplib-CVE-2017-5981.patch ++++++ Index: zziplib-0.13.62/zzip/fseeko.c =================================================================== --- zziplib-0.13.62.orig/zzip/fseeko.c +++ zziplib-0.13.62/zzip/fseeko.c @@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk) } else continue; - assert(0 <= root && root < mapsize); + if (root < 0 || root >= mapsize) + goto error; if (fseeko(disk, root, SEEK_SET) == -1) goto error; if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk) ++++++ zziplib-unzipcat-NULL-name.patch ++++++ Index: zziplib-0.13.62/bins/unzzipcat.c =================================================================== --- zziplib-0.13.62.orig/bins/unzzipcat.c +++ zziplib-0.13.62/bins/unzzipcat.c @@ -91,8 +91,11 @@ main (int argc, char ** argv) for (; entry ; entry = zzip_disk_findnext(disk, entry)) { char* name = zzip_disk_entry_strdup_name (disk, entry); - printf ("%s\n", name); - free (name); + if (name) + { + printf ("%s\n", name); + free (name); + } } return 0; } 
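Review bot: `if (root < 0 || root >= mapsize) goto error;` only guarantees that the first byte of the central directory lies inside the file image, while the fread on the following line reads `sizeof(*disk_(entry))` bytes starting at root; unless the fread return value is compared against that size on the line after the hunk, a root within the last few bytes still yields a partially filled record. Tightening the test to `if (root < 0 || root > mapsize - (zzip_off_t) sizeof(*disk_(entry))) goto error;` (assuming root and mapsize are both zzip_off_t) removes that dependency. The new path also relies on the `error:` label, outside the hunk, to release entry and buffer, which is presumably why the assert became a goto rather than a return. zzip_entry_findfirst begins and ends outside the hunk.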
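Review bot: Wrapping both the printf and the free in `if (name)` (here and again in the @@ -112 hunk) silently drops every entry whose name cannot be duplicated, hiding both a corrupt central-directory entry and an out-of-memory strdup from the user; a one-line diagnostic in an else branch, e.g. `else fprintf(stderr, "skipping entry with unreadable name\n");`, would keep the listing honest. Only the printf needs the guard, since `free(NULL)` is a no-op, so `if (name) printf ("%s\n", name); free (name);` is the shorter form, and the same applies around the fnmatch call in the @@ -112 hunk. main begins before this hunk and continues after it.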
@@ -112,10 +115,13 @@ main (int argc, char ** argv) for (; entry ; entry = zzip_disk_findnext(disk, entry)) { char* name = zzip_disk_entry_strdup_name (disk, entry); - if (! fnmatch (argv[argn], name, - FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) - zzip_disk_cat_file (disk, name, stdout); - free (name); + if (name) + { + if (! fnmatch (argv[argn], name, + FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD)) + zzip_disk_cat_file (disk, name, stdout); + free (name); + } } } return 0; Index: zziplib-0.13.62/zzip/fseeko.c =================================================================== --- zziplib-0.13.62.orig/zzip/fseeko.c +++ zziplib-0.13.62/zzip/fseeko.c @@ -300,7 +300,8 @@ zzip_entry_findfirst(FILE * disk) * central directory was written directly before : */ root = mapoffs - rootsize; } - } else if (zzip_disk64_trailer_check_magic(p)) + } else if ((p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize) + && zzip_disk64_trailer_check_magic(p)) { struct zzip_disk64_trailer *trailer = (struct zzip_disk64_trailer *) p;