From e5f153c01b61c677505b3f7dd3f4d0b7855fa1e5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 04:51:07 +0000
Subject: import zziplib-0.13.62-9.el7
---
diff --git a/SOURCES/0001-fix-CVE-2018-7725.patch b/SOURCES/0001-fix-CVE-2018-7725.patch
new file mode 100644
index 0000000..f9e266b
--- /dev/null
+++ b/SOURCES/0001-fix-CVE-2018-7725.patch
@@ -0,0 +1,68 @@
+From 13f4d47275aca28de7b117359da79f1000e9bcb7 Mon Sep 17 00:00:00 2001
+From: Jakub Martisko
+Date: Wed, 23 May 2018 09:59:18 +0200
+Subject: [PATCH] fix: CVE-2018-7725
+
+---
+ zzip/memdisk.c | 9 +++++++++
+ zzip/mmapped.c | 11 ++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/zzip/memdisk.c b/zzip/memdisk.c
+index dc00ea8..043893e 100644
+--- a/zzip/memdisk.c
++++ b/zzip/memdisk.c
+@@ -413,11 +413,21 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir, ZZIP_MEM_ENTRY * entry)
+ file->zlib.avail_in = zzip_mem_entry_csize(entry);
+ file->zlib.next_in = zzip_mem_entry_to_data(entry);
+
++ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
++ goto error;
++ if (file->zlib.next_in < file->buffer)
++ goto error;
++
+ if (! zzip_mem_entry_data_deflated(entry) ||
+ inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
+ { free (file); return 0; }
+
+ return file;
++
++error:
++ errno = EBADMSG;
++ free (file);
++ return NULL;
+ }
+
+ zzip__new__ ZZIP_MEM_DISK_FILE *
+diff --git a/zzip/mmapped.c b/zzip/mmapped.c
+index 6fafc11..ed3a6cc 100644
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -549,7 +549,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
+ file->avail = zzip_file_header_usize(header);
+
+ if (! file->avail || zzip_file_header_data_stored(header))
+- { file->stored = zzip_file_header_to_data (header); return file; }
++ {
++ file->stored = zzip_file_header_to_data (header);
++ if (file->stored + file->avail >= disk->endbuf)
++ goto error;
++ return file;
++ }
+
+ file->stored = 0;
+ file->zlib.opaque = 0;
+@@ -563,6 +568,10 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
+ { free (file); return 0; }
+
+ return file;
++error:
++ free (file);
++ errno = EBADMSG;
++ return 0;
+ ____;
+ }
+
+--
+2.14.3
+
diff --git a/SOURCES/0001-fix-CVE-2018-7726.patch b/SOURCES/0001-fix-CVE-2018-7726.patch
new file mode 100644
index 0000000..7c13c13
--- /dev/null
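Review bot: The bounds checks added to zzip_mem_entry_fopen and zzip_disk_entry_fopen build the end pointer first (`file->zlib.next_in + file->zlib.avail_in`, `file->stored + file->avail`) and only then compare it with `endbuf`; the length presumably comes from the archive, so the addition itself can leave the buffer or wrap, which is undefined behaviour and can make the comparison pass for an oversized entry. Checking the start pointer first and comparing lengths avoids the addition, e.g. `if (file->zlib.next_in < file->buffer || file->zlib.next_in >= file->endbuf || file->zlib.avail_in >= (size_t)(file->endbuf - file->zlib.next_in)) goto error;`. The mmapped.c check has no lower-bound test against `disk->buffer`, unlike the memdisk.c one, and it guards only the stored branch; whether the deflate branch is bounded cannot be seen because both function bodies start and continue outside the hunks. In memdisk.c `errno = EBADMSG;` is set before `free (file);`, which may overwrite it on some C libraries, so the order used in mmapped.c (free first, then errno) should be used in both.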
+++ b/SOURCES/0001-fix-CVE-2018-7726.patch
@@ -0,0 +1,49 @@
+From 7eec5e4b9a4b6efea5ef5f6b793a6cbef40e980d Mon Sep 17 00:00:00 2001
+From: Jakub Martisko
+Date: Wed, 23 May 2018 10:15:07 +0200
+Subject: [PATCH] fix: CVE-2018-7726
+
+---
+ zzip/zip.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a574b24..a6c7ced 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -323,6 +323,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
+ # endif
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
+ { return(0); }
+@@ -343,6 +345,14 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ # endif
+ }
+@@ -410,6 +420,8 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootsize = _disk_trailer_rootsize(trailer);
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
++ return ZZIP_CORRUPTED;
+
+ hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+ if (! hdr0)
+--
+2.14.3
+
diff --git a/SOURCES/0001-fix-CVE-2018-7727.patch b/SOURCES/0001-fix-CVE-2018-7727.patch
new file mode 100644
index 0000000..746c1ce
--- /dev/null
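Review bot: In the zip64 branch of __zzip_fetch_disk_trailer the new range test adds two offsets read from the trailer, `(trailer->zz_rootseek + trailer->zz_rootsize) >= filesize`; the preceding `< 0` checks imply they are signed, so the sum can overflow (undefined behaviour) and defeat the comparison even though each operand is non-negative. Because `zz_rootseek >= filesize` is rejected first, the second test can be written without the addition as `trailer->zz_rootsize >= filesize - trailer->zz_rootseek`. The non-zip64 branch (hunk at -323) gets only the `< 0` checks and no comparison with `filesize`; unless `__fixup_rootseek` enforces that, the same upper bound belongs there too. In __zzip_parse_root_directory `malloc(zz_rootsize)` is still reached with any non-negative size, so a bound against the archive size before the allocation is worth adding; that function continues past the end of the hunk.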
+++ b/SOURCES/0001-fix-CVE-2018-7727.patch 
@@ -0,0 +1,101 @@
+From 81da2f651b65dbd2f387625d304ab14ed8b2ca29 Mon Sep 17 00:00:00 2001
+From: Jakub Martisko
+Date: Thu, 14 Jun 2018 09:19:41 +0200
+Subject: [PATCH] fix: CVE-2018-7727
+
+---
+ bins/unzip-mem.c | 2 +-
+ bins/unzzipcat-mem.c | 7 +++----
+ bins/unzzipdir-mem.c | 8 ++++----
+ 3 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c
+index 3f7d7f0..0b28b9b 100644
+--- a/bins/unzip-mem.c
++++ b/bins/unzip-mem.c
+@@ -409,7 +409,7 @@ main (int argc, char ** argv)
+ }
+ }
+ }
+-
++ zzip_mem_disk_close(disk);
+ return status;
+ }
+
+diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c
+index 7474854..6f16989 100644
+--- a/bins/unzzipcat-mem.c
++++ b/bins/unzzipcat-mem.c
+@@ -93,10 +93,9 @@ main (int argc, char ** argv)
+ char* name = zzip_mem_entry_to_name (entry);
+ printf ("%s\n", name);
+ }
+- return 0;
+ }
+
+- if (argc == 3)
++ else if (argc == 3)
+ { /* list from one spec */
+ ZZIP_MEM_ENTRY* entry = 0;
+ while ((entry = zzip_mem_disk_findmatch(disk, argv[2], entry, 0, 0)))
+@@ -104,10 +103,9 @@ main (int argc, char ** argv)
+ zzip_mem_entry_fprint (disk, entry, stdout);
+ }
+
+- return 0;
+ }
+
+- for (argn=1; argn < argc; argn++)
++ else for (argn=1; argn < argc; argn++)
+ { /* list only the matching entries - each in order of commandline */
+ ZZIP_MEM_ENTRY* entry = zzip_mem_disk_findfirst(disk);
+ for (; entry ; entry = zzip_mem_disk_findnext(disk, entry))
+@@ -118,6 +116,7 @@ main (int argc, char ** argv)
+ zzip_mem_disk_cat_file (disk, name, stdout);
+ }
+ }
++ zzip_mem_disk_close(disk);
+ return 0;
+ }
+
+diff --git a/bins/unzzipdir-mem.c b/bins/unzzipdir-mem.c
+index dc02077..9ebdb6d 100644
+--- a/bins/unzzipdir-mem.c
++++ b/bins/unzzipdir-mem.c
+@@ -64,10 +64,9 @@ main (int argc, char ** argv)
+ char* name = zzip_mem_entry_to_name (entry);
+ printf ("%s\n", name);
+ }
+- return 0;
+ }
+
+- if (argc == 3)
++ else if (argc == 3)
+ { /* list from one spec */
+ ZZIP_MEM_ENTRY* entry = 0;
+ while ((entry = zzip_mem_disk_findmatch(disk, argv[2], entry, 0, 0)))
+@@ -75,9 +74,9 @@ main (int argc, char ** argv)
+ char* name = zzip_mem_entry_to_name (entry);
+ printf ("%s\n", name);
+ }
+- return 0;
+ }
+
++ else
+ { /* list only the matching entries - in order of zip directory */
+ ZZIP_MEM_ENTRY* entry = zzip_mem_disk_findfirst(disk);
+ for (; entry ; entry = zzip_mem_disk_findnext(disk, entry))
+@@ -90,8 +89,9 @@ main (int argc, char ** argv)
+ printf ("%s\n", name);
+ }
+ }
+- return 0;
+ }
++ zzip_mem_disk_close(disk);
++ return 0;
+ }
+
+ /*
+--
+2.14.4
+
diff --git a/SPECS/zziplib.spec b/SPECS/zziplib.spec
index 57f2e2d..6b05ecb 100644
--- a/SPECS/zziplib.spec
+++ b/SPECS/zziplib.spec
@@ -1,12 +1,16 @@ Summary: Lightweight library to easily extract data from zip files Name: zziplib Version: 0.13.62 -Release: 5%{?dist} +Release: 9%{?dist} License: LGPLv2+ or MPLv1.1 Group: Applications/Archiving URL: http://zziplib.sourceforge.net/ Source: http://switch.dl.sourceforge.net/project/zziplib/zziplib13/%{version}/zziplib-%{version}.tar.bz2 Patch0: zziplib-0.13.59-multilib.patch +Patch1: 0001-fix-CVE-2018-7725.patch +Patch2: 0001-fix-CVE-2018-7726.patch +Patch3: 0001-fix-CVE-2018-7727.patch + BuildRequires: perl BuildRequires: python BuildRequires: zip
@@ -59,6 +63,9 @@ zziplib library. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 # Save the common patched _config.h file to overwrite the generated one cp -a zzip/_config.h _config.h
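Review bot: The early `return 0;` statements are turned into an `if … else if … else` chain, and in unzzipcat-mem.c the last arm is written `else for (argn=1; argn < argc; argn++)` with the loop hanging directly off the `else`; bracing that arm (`else { for (…) { … } }`) keeps the chain readable and makes it harder for a later edit to attach the trailing `zzip_mem_disk_close(disk);` to the wrong arm. The close call is added only on the final path of each `main`; any return between opening the disk and these hunks lies outside the visible lines and would still skip it, so a single cleanup label that every exit goes through would be more robust. A short comment above the call, such as `/* close the disk on every exit path; do not return early above */`, would record why the returns were removed.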
@@ -100,6 +107,24 @@ install -p -m 0644 _config.h %{buildroot}%{_includedir}/zzip/_config.h %{_mandir}/man3/* %changelog +* Wed Jun 20 2018 Jakub Martisko - 0.13.62-9 +- Fix covscan warning +- "Variable "file" going out of scope leaks the storage it points to." + has been introduced by the original version of 0001-fix-CVE-2018-7725.patch +- Related: 1558596 + +* Thu Jun 14 2018 Jakub Martisko - 0.13.62-8 +- Fix CVE-2018-7727 +- Resolves: 1558891 + +* Wed Jun 13 2018 Jakub Martisko - 0.13.62-7 +- Fix CVE-2018-7726 +- Resolves: 1558623 + +* Wed Jun 13 2018 Jakub Martisko - 0.13.62-6 +- Fix CVE-2018-7725 +- Resolves: 1558596 + * Fri Jan 24 2014 Daniel Mach - 0.13.62-5 - Mass rebuild 2014-01-24