summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk8
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5974.patch28
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5975.patch32
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5976.patch61
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5978.patch37
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5979.patch19
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5981.patch19
-rw-r--r--gnu/packages/zip.scm6
8 files changed, 209 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 37a4fa5baa..1fa952b294 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1086,7 +1086,13 @@ dist_patch_DATA = \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
- %D%/packages/patches/zathura-plugindir-environment-variable.patch
+ %D%/packages/patches/zathura-plugindir-environment-variable.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5974.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5975.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5976.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5978.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5979.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5981.patch
MISC_DISTRO_FILES = \
%D%/packages/ld-wrapper.in
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
new file mode 100644
index 0000000000..9ae02103e7
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-5974:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ /* override sizes/offsets with zip64 values for largefile support */
+ zzip_extra_zip64 *block = (zzip_extra_zip64 *)
+ zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
+- if (block)
++ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
+ {
+- item->zz_usize = __zzip_get64(block->z_usize);
+- item->zz_csize = __zzip_get64(block->z_csize);
+- item->zz_offset = __zzip_get64(block->z_offset);
+- item->zz_diskstart = __zzip_get32(block->z_diskstart);
++ item->zz_usize = ZZIP_GET64(block->z_usize);
++ item->zz_csize = ZZIP_GET64(block->z_csize);
++ item->zz_offset = ZZIP_GET64(block->z_offset);
++ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
+ }
+ }
+ /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
new file mode 100644
index 0000000000..fad174b056
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ return 0; /* errno=ENOMEM; */
+ ___ struct zzip_file_header *header =
+ zzip_disk_entry_to_file_header(disk, entry);
++ if (!header)
++ { free(item); return 0; }
+ /* there is a number of duplicated information in the file header
+ * or the disk entry block. Theoretically some part may be missing
+ * that exists in the other, ... but we will prefer the disk entry.
+Index: zziplib-0.13.62/zzip/mmapped.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/mmapped.c
++++ zziplib-0.13.62/zzip/mmapped.c
+@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
+ (disk->buffer + zzip_disk_entry_fileoffset(entry));
+ if (disk->buffer > file_header || file_header >= disk->endbuf)
+ return 0;
++ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
++ return 0;
+ return (struct zzip_file_header *) file_header;
+ }
+
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
new file mode 100644
index 0000000000..17fc30e302
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-5976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ {
+ void *mem = malloc(ext1 + 2);
+ item->zz_ext[1] = mem;
++ item->zz_extlen[1] = ext1 + 2;
+ memcpy(mem, ptr1, ext1);
+ ((char *) (mem))[ext1 + 0] = 0;
+ ((char *) (mem))[ext1 + 1] = 0;
+@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ {
+ void *mem = malloc(ext2 + 2);
+ item->zz_ext[2] = mem;
++ item->zz_extlen[2] = ext2 + 2;
+ memcpy(mem, ptr2, ext2);
+ ((char *) (mem))[ext2 + 0] = 0;
+ ((char *) (mem))[ext2 + 1] = 0;
+@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+ while (1)
+ {
+ ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
+- if (ext)
++ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
+ {
++ char *endblock = (char *)ext + entry->zz_extlen[i];
++
+ while (*(short *) (ext->z_datatype))
+ {
+ if (datatype == zzip_extra_block_get_datatype(ext))
+@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+ e += zzip_extra_block_headerlength;
+ e += zzip_extra_block_get_datasize(ext);
+ ext = (void *) e;
++ if (e >= endblock)
++ {
++ break;
++ }
+ ____;
+ }
+ }
+Index: zziplib-0.13.62/zzip/memdisk.h
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.h
++++ zziplib-0.13.62/zzip/memdisk.h
+@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
+ int zz_filetype; /* (from "z_filetype") */
+ char* zz_comment; /* zero-terminated (from "comment") */
+ ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
++ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
+ }; /* the extra blocks are NOT converted */
+
+ #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
new file mode 100644
index 0000000000..452b14f804
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-5978:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ * that exists in the other, ... but we will prefer the disk entry.
+ */
+ item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
+- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
++ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
+ item->zz_data = zzip_file_header_to_data(header);
+ item->zz_flags = zzip_disk_entry_get_flags(entry);
+ item->zz_compr = zzip_disk_entry_get_compr(entry);
+@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ int /* */ ext2 = zzip_file_header_get_extras(header);
+ char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
+
+- if (ext1)
++ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
+ {
+ void *mem = malloc(ext1 + 2);
+ item->zz_ext[1] = mem;
+@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ ((char *) (mem))[ext1 + 0] = 0;
+ ((char *) (mem))[ext1 + 1] = 0;
+ }
+- if (ext2)
++ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
+ {
+ void *mem = malloc(ext2 + 2);
+ item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
new file mode 100644
index 0000000000..b38f50b172
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5979:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+ return 0;
+ /* we read out chunks of 8 KiB in the hope to match disk granularity */
+ ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+ if (! entry)
+ return 0;
+ ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
new file mode 100644
index 0000000000..ed82cb3b91
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5981:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
+
+Patch copied from Debian.
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
+ } else
+ continue;
+
+- assert(0 <= root && root < mapsize);
++ if (root < 0 || root >= mapsize)
++ goto error;
+ if (fseeko(disk, root, SEEK_SET) == -1)
+ goto error;
+ if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm
index 8feb4fea21..018891359b 100644
--- a/gnu/packages/zip.scm
+++ b/gnu/packages/zip.scm
@@ -136,6 +136,12 @@ recreates the stored directory structure by default.")
(uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
version "/zziplib-"
version ".tar.bz2"))
+ (patches (search-patches "zziplib-CVE-2017-5974.patch"
+ "zziplib-CVE-2017-5975.patch"
+ "zziplib-CVE-2017-5976.patch"
+ "zziplib-CVE-2017-5978.patch"
+ "zziplib-CVE-2017-5979.patch"
+ "zziplib-CVE-2017-5981.patch"))
(sha256
(base32
"0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))