From ead5c75dc1ab4c6a3681cde33f3b22589b2ab7cf Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 30 2018 04:50:44 +0000 Subject: import zziplib-0.13.62-9.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..836fe72 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/zziplib-0.13.62.tar.bz2 diff --git a/.zziplib.metadata b/.zziplib.metadata new file mode 100644 index 0000000..5a70f40 --- /dev/null +++ b/.zziplib.metadata @@ -0,0 +1 @@ +cf8b642abd9db618324a1b98cc71492a007cd687 SOURCES/zziplib-0.13.62.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-fix-CVE-2018-7725.patch b/SOURCES/0001-fix-CVE-2018-7725.patch new file mode 100644 index 0000000..f9e266b --- /dev/null +++ b/SOURCES/0001-fix-CVE-2018-7725.patch @@ -0,0 +1,68 @@ +From 13f4d47275aca28de7b117359da79f1000e9bcb7 Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Wed, 23 May 2018 09:59:18 +0200 +Subject: [PATCH] fix: CVE-2018-7725 + +--- + zzip/memdisk.c | 9 +++++++++ + zzip/mmapped.c | 11 ++++++++++- + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/zzip/memdisk.c b/zzip/memdisk.c +index dc00ea8..043893e 100644 +--- a/zzip/memdisk.c ++++ b/zzip/memdisk.c +@@ -413,11 +413,21 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir, ZZIP_MEM_ENTRY * entry) + file->zlib.avail_in = zzip_mem_entry_csize(entry); + file->zlib.next_in = zzip_mem_entry_to_data(entry); + ++ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf) ++ goto error; ++ if (file->zlib.next_in < file->buffer) ++ goto error; ++ + if (! zzip_mem_entry_data_deflated(entry) || + inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK) + { free (file); return 0; } + + return file; ++ ++error: ++ errno = EBADMSG; ++ free (file); ++ return NULL; + } + + zzip__new__ ZZIP_MEM_DISK_FILE * +diff --git a/zzip/mmapped.c b/zzip/mmapped.c +index 6fafc11..ed3a6cc 100644 +--- a/zzip/mmapped.c ++++ b/zzip/mmapped.c +@@ -549,7 +549,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry) + file->avail = zzip_file_header_usize(header); + + if (! file->avail || zzip_file_header_data_stored(header)) +- { file->stored = zzip_file_header_to_data (header); return file; } ++ { ++ file->stored = zzip_file_header_to_data (header); ++ if (file->stored + file->avail >= disk->endbuf) ++ goto error; ++ return file; ++ } + + file->stored = 0; + file->zlib.opaque = 0; +@@ -563,6 +568,10 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry) + { free (file); return 0; } + + return file; ++error: ++ free (file); ++ errno = EBADMSG; ++ return 0; + ____; + } + +-- +2.14.3 + diff --git a/SOURCES/0001-fix-CVE-2018-7726.patch b/SOURCES/0001-fix-CVE-2018-7726.patch new file mode 100644 index 0000000..7c13c13 --- /dev/null +++ b/SOURCES/0001-fix-CVE-2018-7726.patch @@ -0,0 +1,49 @@ +From 7eec5e4b9a4b6efea5ef5f6b793a6cbef40e980d Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Wed, 23 May 2018 10:15:07 +0200 +Subject: [PATCH] fix: CVE-2018-7726 + +--- + zzip/zip.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/zzip/zip.c b/zzip/zip.c +index a574b24..a6c7ced 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -323,6 +323,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize, + trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig); + trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig); + # endif ++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0) ++ return(ZZIP_CORRUPTED); // forged value + + __fixup_rootseek(offset + tail - mapped, trailer); + { return(0); } +@@ -343,6 +345,14 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize, + zzip_disk64_trailer_finalentries(orig); + trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig); + trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig); ++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0) ++ return(ZZIP_CORRUPTED); // forged value ++ /* ++ * "extract data from files archived in a single zip file." ++ * So the file offsets must be within the current ZIP archive! ++ */ ++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize) ++ return(ZZIP_CORRUPTED); + { return(0); } + # endif + } +@@ -410,6 +420,8 @@ __zzip_parse_root_directory(int fd, + zzip_off64_t zz_rootsize = _disk_trailer_rootsize(trailer); + zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer); + __correct_rootseek(zz_rootseek, zz_rootsize, trailer); ++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0) ++ return ZZIP_CORRUPTED; + + hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize); + if (! hdr0) +-- +2.14.3 + diff --git a/SOURCES/0001-fix-CVE-2018-7727.patch b/SOURCES/0001-fix-CVE-2018-7727.patch new file mode 100644 index 0000000..746c1ce --- /dev/null +++ b/SOURCES/0001-fix-CVE-2018-7727.patch @@ -0,0 +1,101 @@ +From 81da2f651b65dbd2f387625d304ab14ed8b2ca29 Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Thu, 14 Jun 2018 09:19:41 +0200 +Subject: [PATCH] fix: CVE-2018-7727 + +--- + bins/unzip-mem.c | 2 +- + bins/unzzipcat-mem.c | 7 +++---- + bins/unzzipdir-mem.c | 8 ++++---- + 3 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c +index 3f7d7f0..0b28b9b 100644 +--- a/bins/unzip-mem.c ++++ b/bins/unzip-mem.c +@@ -409,7 +409,7 @@ main (int argc, char ** argv) + } + } + } +- ++ zzip_mem_disk_close(disk); + return status; + } + +diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c +index 7474854..6f16989 100644 +--- a/bins/unzzipcat-mem.c ++++ b/bins/unzzipcat-mem.c +@@ -93,10 +93,9 @@ main (int argc, char ** argv) + char* name = zzip_mem_entry_to_name (entry); + printf ("%s\n", name); + } +- return 0; + } + +- if (argc == 3) ++ else if (argc == 3) + { /* list from one spec */ + ZZIP_MEM_ENTRY* entry = 0; + while ((entry = zzip_mem_disk_findmatch(disk, argv[2], entry, 0, 0))) +@@ -104,10 +103,9 @@ main (int argc, char ** argv) + zzip_mem_entry_fprint (disk, entry, stdout); + } + +- return 0; + } + +- for (argn=1; argn < argc; argn++) ++ else for (argn=1; argn < argc; argn++) + { /* list only the matching entries - each in order of commandline */ + ZZIP_MEM_ENTRY* entry = zzip_mem_disk_findfirst(disk); + for (; entry ; entry = zzip_mem_disk_findnext(disk, entry)) +@@ -118,6 +116,7 @@ main (int argc, char ** argv) + zzip_mem_disk_cat_file (disk, name, stdout); + } + } ++ zzip_mem_disk_close(disk); + return 0; + } + +diff --git a/bins/unzzipdir-mem.c b/bins/unzzipdir-mem.c +index dc02077..9ebdb6d 100644 +--- a/bins/unzzipdir-mem.c ++++ b/bins/unzzipdir-mem.c +@@ -64,10 +64,9 @@ main (int argc, char ** argv) + char* name = zzip_mem_entry_to_name (entry); + printf ("%s\n", name); + } +- return 0; + } + +- if (argc == 3) ++ else if (argc == 3) + { /* list from one spec */ + ZZIP_MEM_ENTRY* entry = 0; + while ((entry = zzip_mem_disk_findmatch(disk, argv[2], entry, 0, 0))) +@@ -75,9 +74,9 @@ main (int argc, char ** argv) + char* name = zzip_mem_entry_to_name (entry); + printf ("%s\n", name); + } +- return 0; + } + ++ else + { /* list only the matching entries - in order of zip directory */ + ZZIP_MEM_ENTRY* entry = zzip_mem_disk_findfirst(disk); + for (; entry ; entry = zzip_mem_disk_findnext(disk, entry)) +@@ -90,8 +89,9 @@ main (int argc, char ** argv) + printf ("%s\n", name); + } + } +- return 0; + } ++ zzip_mem_disk_close(disk); ++ return 0; + } + + /* +-- +2.14.4 + diff --git a/SOURCES/zziplib-0.13.59-multilib.patch b/SOURCES/zziplib-0.13.59-multilib.patch new file mode 100644 index 0000000..f4b7a98 --- /dev/null +++ b/SOURCES/zziplib-0.13.59-multilib.patch @@ -0,0 +1,42 @@ +diff -Naupr zziplib-0.13.59.orig/zzip/_config.h zziplib-0.13.59/zzip/_config.h +--- zziplib-0.13.59.orig/zzip/_config.h 2010-02-14 22:29:34.000000000 +0100 ++++ zziplib-0.13.59/zzip/_config.h 2010-12-04 16:22:19.809534085 +0100 +@@ -133,7 +133,11 @@ + + /* whether the system defaults to 32bit off_t but can do 64bit when requested + */ +-/* #undef LARGEFILE_SENSITIVE */ ++#if __WORDSIZE == 32 ++#ifndef ZZIP_LARGEFILE_SENSITIVE ++#define ZZIP_LARGEFILE_SENSITIVE 1 ++#endif ++#endif + + /* Define to the sub-directory in which libtool stores uninstalled libraries. + */ +@@ -178,8 +181,12 @@ + + /* The number of bytes in type long */ + #ifndef ZZIP_SIZEOF_LONG ++#if __WORDSIZE == 32 ++#define ZZIP_SIZEOF_LONG 4 ++#elif __WORDSIZE == 64 + #define ZZIP_SIZEOF_LONG 8 + #endif ++#endif + + /* The number of bytes in type short */ + #ifndef ZZIP_SIZEOF_SHORT +@@ -209,7 +216,11 @@ + #endif + + /* Number of bits in a file offset, on hosts where this is settable. */ +-/* #undef _FILE_OFFSET_BITS */ ++#if __WORDSIZE == 32 ++#ifndef ZZIP__FILE_OFFSET_BITS ++#define ZZIP__FILE_OFFSET_BITS 64 ++#endif ++#endif + + /* Define for large files, on AIX-style hosts. */ + /* #undef _LARGE_FILES */ diff --git a/SPECS/zziplib.spec b/SPECS/zziplib.spec new file mode 100644 index 0000000..6b05ecb --- /dev/null +++ b/SPECS/zziplib.spec @@ -0,0 +1,221 @@ +Summary: Lightweight library to easily extract data from zip files +Name: zziplib +Version: 0.13.62 +Release: 9%{?dist} +License: LGPLv2+ or MPLv1.1 +Group: Applications/Archiving +URL: http://zziplib.sourceforge.net/ +Source: http://switch.dl.sourceforge.net/project/zziplib/zziplib13/%{version}/zziplib-%{version}.tar.bz2 +Patch0: zziplib-0.13.59-multilib.patch +Patch1: 0001-fix-CVE-2018-7725.patch +Patch2: 0001-fix-CVE-2018-7726.patch +Patch3: 0001-fix-CVE-2018-7727.patch + +BuildRequires: perl +BuildRequires: python +BuildRequires: zip +BuildRequires: xmlto +BuildRequires: zlib-devel +BuildRequires: SDL-devel +BuildRequires: pkgconfig +#BuildRequires: autoconf +#BuildRequires: automake + +%description +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +%package utils +Summary: Utilities for the zziplib library +Group: Applications/Archiving +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description utils +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +This packages contains all the utilities that come with the zziplib library. + +%package devel +Summary: Development files for the zziplib library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Requires: zlib-devel +Requires: SDL-devel + +%description devel +The zziplib library is intentionally lightweight, it offers the ability to +easily extract data from files archived in a single zip file. Applications +can bundle files into a single zip archive and access them. The implementation +is based only on the (free) subset of compression with the zlib algorithm +which is actually used by the zip/unzip tools. + +This package contains files required to build applications that will use the +zziplib library. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +# Save the common patched _config.h file to overwrite the generated one +cp -a zzip/_config.h _config.h + +%build +export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" +%configure \ + --disable-static \ + --enable-sdl \ + --enable-frame-pointer +# Remove rpath on 64bit archs +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool +%{__make} %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +# Overwrite the platform specific _config.h with our own modified common one +rm -f %{buildroot}%{_includedir}/zzip/_config.h +install -p -m 0644 _config.h %{buildroot}%{_includedir}/zzip/_config.h + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%doc docs/COPYING* ChangeLog README TODO +%{_libdir}/*.so.* + +%files utils +%{_bindir}/* + +%files devel +%doc docs/README.SDL docs/*.htm +%{_includedir}/* +%exclude %{_libdir}/*.la +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_datadir}/aclocal/*.m4 +%{_mandir}/man3/* + +%changelog +* Wed Jun 20 2018 Jakub Martisko - 0.13.62-9 +- Fix covscan warning +- "Variable "file" going out of scope leaks the storage it points to." + has been introduced by the original version of 0001-fix-CVE-2018-7725.patch +- Related: 1558596 + +* Thu Jun 14 2018 Jakub Martisko - 0.13.62-8 +- Fix CVE-2018-7727 +- Resolves: 1558891 + +* Wed Jun 13 2018 Jakub Martisko - 0.13.62-7 +- Fix CVE-2018-7726 +- Resolves: 1558623 + +* Wed Jun 13 2018 Jakub Martisko - 0.13.62-6 +- Fix CVE-2018-7725 +- Resolves: 1558596 + +* Fri Jan 24 2014 Daniel Mach - 0.13.62-5 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 0.13.62-4 +- Mass rebuild 2013-12-27 + +* Thu Jul 4 2013 Michal Luscon 0.13.62-3 +- Fix source address + +* Wed Jan 30 2013 Jindrich Novy 0.13.62-2 +- rebuild with -fno-strict-aliasing + +* Wed Oct 10 2012 Matthias Saou 0.13.62-1 +- Update to 0.13.62. +- Remove no longer needed -Wl patch. + +* Sun Jul 22 2012 Fedora Release Engineering - 0.13.60-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Mar 8 2012 Tom Callaway - 0.13.60-1 +- update to 0.13.60 + +* Sat Jan 14 2012 Fedora Release Engineering - 0.13.59-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.13.59-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 9 2010 Hans de Goede 0.13.59-2 +- Fix broken zzip/_config.h which causes apps using zziplib to fail to compile + +* Sat Dec 4 2010 Matthias Saou 0.13.59-1 +- Update to 0.13.59. +- Remove no longer needed 'open' patch. +- Rebase the multilib patch, still required. +- Re-enable _smp_mflags, build works again with it apparently. + +* Mon Jul 27 2009 Fedora Release Engineering - 0.13.49-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 0.13.49-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 22 2008 Matthias Saou 0.13.49-6 +- Patch _config.h to make it identical for 32bit and 64bit archs (#343521). + +* Tue Feb 19 2008 Fedora Release Engineering +- Autorebuild for GCC 4.3 + +* Wed Aug 8 2007 Matthias Saou 0.13.49-4 +- Include patch to fix fd.open calls with recent glibc. +- Disable _smp_mflags since the docs fail to build. + +* Fri Aug 3 2007 Matthias Saou 0.13.49-3 +- Update License field. + +* Tue Jun 19 2007 Matthias Saou 0.13.49-2 +- Disable static lib build instead of excluding it later. +- Remove rpath on 64bit archs. +- Switch to using DESTDIR install method. + +* Mon Mar 26 2007 Matthias Saou 0.13.49-1 +- Update to 0.13.49 to fix CVE-2007-1614 (rhbz #233700). +- Include new man3 pages to the devel sub-package. + +* Mon Aug 28 2006 Matthias Saou 0.13.47-1 +- Update to 0.13.47. +- FC6 rebuild. + +* Mon Jul 24 2006 Matthias Saou 0.13.45-3 +- Split off -utils sub-package (#199467). Could have been plain "zzip"? +- Have sub-packages require exact release too. +- Build require automake to make the aclocal-1.9 check happy. +- Use --enable-frame-pointer otherwise -g gets removed from the CFLAGS. + +* Mon Mar 6 2006 Matthias Saou 0.13.45-2 +- FC5 rebuild. + +* Thu Feb 9 2006 Matthias Saou 0.13.45-1 +- Update to 0.13.45. +- Exclude static library. + +* Sun May 22 2005 Jeremy Katz - 0.13.38-2 +- rebuild on all arches + +* Tue Apr 5 2005 Matthias Saou 0.13.38-1 +- Update to 0.13.38, fixes gcc4 compile issues (Adrian Reber). + +* Tue Nov 16 2004 Matthias Saou 0.13.36-2 +- Bump release to provide Extras upgrade path. + +* Tue Jun 8 2004 Matthias Saou 0.13.36-1 +- Initial RPM release. +