From 0c5a8007fe3cfc792bf5f692342a84165f706441 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 14 Jun 2017 16:34:10 -0400
Subject: gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.

* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.
---
 gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5981.patch

(limited to 'gnu/packages/patches/zziplib-CVE-2017-5981.patch')

diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
new file mode 100644
index 0000000000..ed82cb3b91
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5981:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
+
+Patch copied from Debian.
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
+             } else
+                 continue;
+ 
+-            assert(0 <= root && root < mapsize);
++	    if (root < 0 || root >= mapsize)
++	        goto error;
+             if (fseeko(disk, root, SEEK_SET) == -1)
+                 goto error;
+             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
-- 
cgit v1.2.3