gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.

* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.

1 files changed, 19 insertions, 0 deletions

diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
new file mode 100644
index 0000000000..b38f50b172
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5979:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+         return 0;
+     /* we read out chunks of 8 KiB in the hope to match disk granularity */
+     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+-    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+     if (! entry)
+         return 0;
+     ___ unsigned char *buffer = malloc(pagesize);