From 790b66e34fd81cdda246361303072065e6339c97 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 4 Mar 2020 10:15:06 +0200 Subject: gnu: zziplib: Fix CVE-2018-16548. * gnu/packages/compression.scm (zziplib)[replacement]: New field. (zziplib/fixed): New private variable. * gnu/packages/patches/zziplib-CVE-2018-16548.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 3 +- gnu/packages/compression.scm | 8 ++++ gnu/packages/patches/zziplib-CVE-2018-16548.patch | 49 +++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/zziplib-CVE-2018-16548.patch diff --git a/gnu/local.mk b/gnu/local.mk index 359ed4bbbc..cbb7d2b2f0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1513,7 +1513,8 @@ dist_patch_DATA = \ %D%/packages/patches/xsane-fix-pdf-floats.patch \ %D%/packages/patches/xsane-fix-snprintf-buffer-length.patch \ %D%/packages/patches/xsane-support-ipv6.patch \ - %D%/packages/patches/xsane-tighten-default-umask.patch + %D%/packages/patches/xsane-tighten-default-umask.patch \ + %D%/packages/patches/zziplib-CVE-2018-16548.patch MISC_DISTRO_FILES = \ %D%/packages/ld-wrapper.in \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index ee10bd03ce..6463b50735 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1584,6 +1584,7 @@ recreates the stored directory structure by default.") (package (name "zziplib") (version "0.13.69") + (replacement zziplib/fixed) (home-page "https://github.com/gdraheim/zziplib") (source (origin (method git-fetch) @@ -1621,6 +1622,13 @@ recreates the stored directory structure by default.") ;; files carry the Zlib license; see "docs/copying.html" for details. (license (list license:lgpl2.0+ license:mpl1.1)))) +(define zziplib/fixed + (package + (inherit zziplib) + (source (origin + (inherit (package-source zziplib)) + (patches (search-patches "zziplib-CVE-2018-16548.patch")))))) + (define-public libzip (package (name "libzip") diff --git a/gnu/packages/patches/zziplib-CVE-2018-16548.patch b/gnu/packages/patches/zziplib-CVE-2018-16548.patch new file mode 100644 index 0000000000..a17c6a9768 --- /dev/null +++ b/gnu/packages/patches/zziplib-CVE-2018-16548.patch @@ -0,0 +1,49 @@ +The following 3 patches applied to 0.13.69 in this order, combined: +https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb.patch +https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687.patch +https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99.patch + +diff --git a/test/test.zip b/test/test.zip +index 2c992ea..952d475 100644 +Binary files a/test/test.zip and b/test/test.zip differ +diff --git a/zzip/zip.c b/zzip/zip.c +index 14e2e06..f97a40a 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd, + } else + { + if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) ++ { ++ free(hdr0); + return ZZIP_DIR_SEEK; ++ } + if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) ++ { ++ free(hdr0); + return ZZIP_DIR_READ; ++ } + d = &dirent; + } + +@@ -574,11 +580,18 @@ __zzip_parse_root_directory(int fd, + + if (hdr_return) + *hdr_return = hdr0; ++ else ++ { ++ /* If it is not assigned to *hdr_return, it will never be free()'d */ ++ free(hdr0); ++ } + } /* else zero (sane) entries */ ++ else ++ free(hdr0); + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); ++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); ++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; + # endif + } + -- cgit v1.2.3