gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.
* gnu/packages/patches/zziplib-CVE-2017-5974.patch, gnu/packages/patches/zziplib-CVE-2017-5975.patch, gnu/packages/patches/zziplib-CVE-2017-5976.patch, gnu/packages/patches/zziplib-CVE-2017-5978.patch, gnu/packages/patches/zziplib-CVE-2017-5979.patch, gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/zip.scm (zziplib)[source]: Use them.
This commit is contained in:
parent
db90eb8c2b
commit
0c5a8007fe
|
@ -1086,7 +1086,13 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
|
||||
%D%/packages/patches/xmodmap-asprintf.patch \
|
||||
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
|
||||
%D%/packages/patches/zathura-plugindir-environment-variable.patch
|
||||
%D%/packages/patches/zathura-plugindir-environment-variable.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5974.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5975.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5976.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5978.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5979.patch \
|
||||
%D%/packages/patches/zziplib-CVE-2017-5981.patch
|
||||
|
||||
MISC_DISTRO_FILES = \
|
||||
%D%/packages/ld-wrapper.in
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
Fix CVE-2017-5974:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
|
||||
|
||||
Patch copied from Debian.
|
||||
|
||||
Index: zziplib-0.13.62/zzip/memdisk.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/memdisk.c
|
||||
+++ zziplib-0.13.62/zzip/memdisk.c
|
||||
@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
/* override sizes/offsets with zip64 values for largefile support */
|
||||
zzip_extra_zip64 *block = (zzip_extra_zip64 *)
|
||||
zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
|
||||
- if (block)
|
||||
+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
|
||||
{
|
||||
- item->zz_usize = __zzip_get64(block->z_usize);
|
||||
- item->zz_csize = __zzip_get64(block->z_csize);
|
||||
- item->zz_offset = __zzip_get64(block->z_offset);
|
||||
- item->zz_diskstart = __zzip_get32(block->z_diskstart);
|
||||
+ item->zz_usize = ZZIP_GET64(block->z_usize);
|
||||
+ item->zz_csize = ZZIP_GET64(block->z_csize);
|
||||
+ item->zz_offset = ZZIP_GET64(block->z_offset);
|
||||
+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
|
||||
}
|
||||
}
|
||||
/* NOTE:
|
|
@ -0,0 +1,32 @@
|
|||
Fix CVE-2017-5975:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
|
||||
|
||||
Patch copied from Debian.
|
||||
|
||||
Index: zziplib-0.13.62/zzip/memdisk.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/memdisk.c
|
||||
+++ zziplib-0.13.62/zzip/memdisk.c
|
||||
@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
return 0; /* errno=ENOMEM; */
|
||||
___ struct zzip_file_header *header =
|
||||
zzip_disk_entry_to_file_header(disk, entry);
|
||||
+ if (!header)
|
||||
+ { free(item); return 0; }
|
||||
/* there is a number of duplicated information in the file header
|
||||
* or the disk entry block. Theoretically some part may be missing
|
||||
* that exists in the other, ... but we will prefer the disk entry.
|
||||
Index: zziplib-0.13.62/zzip/mmapped.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/mmapped.c
|
||||
+++ zziplib-0.13.62/zzip/mmapped.c
|
||||
@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
|
||||
(disk->buffer + zzip_disk_entry_fileoffset(entry));
|
||||
if (disk->buffer > file_header || file_header >= disk->endbuf)
|
||||
return 0;
|
||||
+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
|
||||
+ return 0;
|
||||
return (struct zzip_file_header *) file_header;
|
||||
}
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
Fix CVE-2017-5976:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
|
||||
|
||||
Patch copied from Debian.
|
||||
|
||||
Index: zziplib-0.13.62/zzip/memdisk.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/memdisk.c
|
||||
+++ zziplib-0.13.62/zzip/memdisk.c
|
||||
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
{
|
||||
void *mem = malloc(ext1 + 2);
|
||||
item->zz_ext[1] = mem;
|
||||
+ item->zz_extlen[1] = ext1 + 2;
|
||||
memcpy(mem, ptr1, ext1);
|
||||
((char *) (mem))[ext1 + 0] = 0;
|
||||
((char *) (mem))[ext1 + 1] = 0;
|
||||
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
{
|
||||
void *mem = malloc(ext2 + 2);
|
||||
item->zz_ext[2] = mem;
|
||||
+ item->zz_extlen[2] = ext2 + 2;
|
||||
memcpy(mem, ptr2, ext2);
|
||||
((char *) (mem))[ext2 + 0] = 0;
|
||||
((char *) (mem))[ext2 + 1] = 0;
|
||||
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
|
||||
while (1)
|
||||
{
|
||||
ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
|
||||
- if (ext)
|
||||
+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
|
||||
{
|
||||
+ char *endblock = (char *)ext + entry->zz_extlen[i];
|
||||
+
|
||||
while (*(short *) (ext->z_datatype))
|
||||
{
|
||||
if (datatype == zzip_extra_block_get_datatype(ext))
|
||||
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
|
||||
e += zzip_extra_block_headerlength;
|
||||
e += zzip_extra_block_get_datasize(ext);
|
||||
ext = (void *) e;
|
||||
+ if (e >= endblock)
|
||||
+ {
|
||||
+ break;
|
||||
+ }
|
||||
____;
|
||||
}
|
||||
}
|
||||
Index: zziplib-0.13.62/zzip/memdisk.h
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/memdisk.h
|
||||
+++ zziplib-0.13.62/zzip/memdisk.h
|
||||
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
|
||||
int zz_filetype; /* (from "z_filetype") */
|
||||
char* zz_comment; /* zero-terminated (from "comment") */
|
||||
ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
|
||||
+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
|
||||
}; /* the extra blocks are NOT converted */
|
||||
|
||||
#define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
|
|
@ -0,0 +1,37 @@
|
|||
Fix CVE-2017-5978:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
|
||||
|
||||
Patch copied from Debian.
|
||||
|
||||
Index: zziplib-0.13.62/zzip/memdisk.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/memdisk.c
|
||||
+++ zziplib-0.13.62/zzip/memdisk.c
|
||||
@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
* that exists in the other, ... but we will prefer the disk entry.
|
||||
*/
|
||||
item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
|
||||
- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
|
||||
+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
|
||||
item->zz_data = zzip_file_header_to_data(header);
|
||||
item->zz_flags = zzip_disk_entry_get_flags(entry);
|
||||
item->zz_compr = zzip_disk_entry_get_compr(entry);
|
||||
@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
int /* */ ext2 = zzip_file_header_get_extras(header);
|
||||
char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
|
||||
|
||||
- if (ext1)
|
||||
+ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
|
||||
{
|
||||
void *mem = malloc(ext1 + 2);
|
||||
item->zz_ext[1] = mem;
|
||||
@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||||
((char *) (mem))[ext1 + 0] = 0;
|
||||
((char *) (mem))[ext1 + 1] = 0;
|
||||
}
|
||||
- if (ext2)
|
||||
+ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
|
||||
{
|
||||
void *mem = malloc(ext2 + 2);
|
||||
item->zz_ext[2] = mem;
|
|
@ -0,0 +1,19 @@
|
|||
Fix CVE-2017-5979:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
|
||||
|
||||
Patch copied from Debian.
|
||||
|
||||
Index: zziplib-0.13.62/zzip/fseeko.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/fseeko.c
|
||||
+++ zziplib-0.13.62/zzip/fseeko.c
|
||||
@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
|
||||
return 0;
|
||||
/* we read out chunks of 8 KiB in the hope to match disk granularity */
|
||||
___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
|
||||
- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
|
||||
+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
|
||||
if (! entry)
|
||||
return 0;
|
||||
___ unsigned char *buffer = malloc(pagesize);
|
|
@ -0,0 +1,19 @@
|
|||
Fix CVE-2017-5981:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
|
||||
|
||||
Patch copied from Debian.
|
||||
Index: zziplib-0.13.62/zzip/fseeko.c
|
||||
===================================================================
|
||||
--- zziplib-0.13.62.orig/zzip/fseeko.c
|
||||
+++ zziplib-0.13.62/zzip/fseeko.c
|
||||
@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
|
||||
} else
|
||||
continue;
|
||||
|
||||
- assert(0 <= root && root < mapsize);
|
||||
+ if (root < 0 || root >= mapsize)
|
||||
+ goto error;
|
||||
if (fseeko(disk, root, SEEK_SET) == -1)
|
||||
goto error;
|
||||
if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
|
|
@ -136,6 +136,12 @@ recreates the stored directory structure by default.")
|
|||
(uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
|
||||
version "/zziplib-"
|
||||
version ".tar.bz2"))
|
||||
(patches (search-patches "zziplib-CVE-2017-5974.patch"
|
||||
"zziplib-CVE-2017-5975.patch"
|
||||
"zziplib-CVE-2017-5976.patch"
|
||||
"zziplib-CVE-2017-5978.patch"
|
||||
"zziplib-CVE-2017-5979.patch"
|
||||
"zziplib-CVE-2017-5981.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
|
||||
|
|
Loading…
Reference in New Issue