Hello community, here is the log from the commit of package libzip for openSUSE:Factory checked in at 2017-09-04 12:25:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libzip (Old) and /work/SRC/openSUSE:Factory/.libzip.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libzip" Mon Sep 4 12:25:44 2017 rev:29 rq:519094 version:1.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libzip/libzip.changes 2017-06-30 18:38:03.366470801 +0200 +++ /work/SRC/openSUSE:Factory/.libzip.new/libzip.changes 2017-09-04 12:25:48.924150770 +0200 @@ -1,0 +2,7 @@ +Mon Aug 28 10:38:05 UTC 2017 - pgajdos@suse.com + +- security update: + * CVE-2017-12858 [bsc#1055377] + + libzip-CVE-2017-12858.patch + +------------------------------------------------------------------- New: ---- libzip-CVE-2017-12858.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzip.spec ++++++ --- /var/tmp/diff_new_pack.pVNFpO/_old 2017-09-04 12:25:50.203970837 +0200 +++ /var/tmp/diff_new_pack.pVNFpO/_new 2017-09-04 12:25:50.207970274 +0200 @@ -28,6 +28,7 @@ Source1: baselibs.conf # PATCH-FIX-OPENSUSE: close on exec, upstream is aware, will be probably fixes next release Patch1: libzip-ocloexec.patch +Patch2: libzip-CVE-2017-12858.patch BuildRequires: libtool BuildRequires: pkgconfig # for tests @@ -80,6 +81,7 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 %build %configure \ ++++++ libzip-CVE-2017-12858.patch ++++++ --- a/lib/zip_dirent.c +++ b/lib/zip_dirent.c @@ -579,9 +579,6 @@ _zip_dirent_read(zip_dirent_t *zde, zip_source_t *src, zip_buffer_t *buffer, boo } if (!_zip_dirent_process_winzip_aes(zde, error)) { - if (!from_buffer) { - _zip_buffer_free(buffer); - } return -1; }
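Review bot: in the first libzip.spec hunk, the new Patch2: libzip-CVE-2017-12858.patch line has no comment above it, while Patch1 carries a "# PATCH-FIX-OPENSUSE: ..." line that states its origin and upstream status. Add an equivalent comment line above Patch2 that says where the fix comes from and cites bsc#1055377, so the spec itself records why the patch is carried and when it can be dropped.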
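Review bot: in libzip-CVE-2017-12858.patch, the return -1 after a failed _zip_dirent_process_winzip_aes call in _zip_dirent_read now exits with no release of buffer for the !from_buffer case, and the three lines of context do not show that the buffer has already been freed by that point. Please confirm that it is released earlier in the function on this path, so that dropping the _zip_buffer_free(buffer) call does not turn into a leak, and state that reasoning in a patch header. The patch file currently starts directly at "--- a/lib/zip_dirent.c" with no description, origin, or bug reference.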