diff --git a/SOURCES/CVE-2018-16548.part1.patch b/SOURCES/CVE-2018-16548.part1.patch new file mode 100644 index 0000000..893180e --- /dev/null +++ b/SOURCES/CVE-2018-16548.part1.patch @@ -0,0 +1,71 @@ +From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 11:32:04 +0200 +Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). + +--- + test/test.zip | Bin 1361 -> 1361 bytes + zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/zzip/zip.c b/zzip/zip.c +index 88b833b..a685280 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd, + else + { + if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) ++ { ++ free(hdr0); + return ZZIP_DIR_SEEK; ++ } + if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) ++ { ++ free(hdr0); + return ZZIP_DIR_READ; ++ } + d = &dirent; + } + +@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd, + + if (hdr_return) + *hdr_return = hdr0; ++ else ++ { ++ /* If it is not assigned to *hdr_return, it will never be free()'d */ ++ free(hdr0); ++ /* Make sure we don't free it again in case of error */ ++ hdr0 = NULL; ++ } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); ++ if (entries != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # else +- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); ++ if (((entries & (unsigned)0xFFFF) != zz_entries) ++ { ++ /* If it was assigned to *hdr_return, undo assignment */ ++ if (p_reclen && hdr_return) ++ *hdr_return = NULL; ++ /* Free it, if it was not already free()'d */ ++ if (hdr0 != NULL) ++ free(hdr0); ++ return ZZIP_CORRUPTED; ++ } + # endif ++ return 0; + } + + /* ------------------------- high-level interface ------------------------- */ diff --git a/SOURCES/CVE-2018-16548.part2.patch b/SOURCES/CVE-2018-16548.part2.patch new file mode 100644 index 0000000..b9bea26 --- /dev/null +++ b/SOURCES/CVE-2018-16548.part2.patch @@ -0,0 +1,50 @@ +From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 11:49:28 +0200 +Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory(). + +--- + zzip/zip.c | 25 ++----------------------- + 1 file changed, 2 insertions(+), 23 deletions(-) + +diff --git a/zzip/zip.c b/zzip/zip.c +index a685280..51a1a4d 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd, + { + /* If it is not assigned to *hdr_return, it will never be free()'d */ + free(hdr0); +- /* Make sure we don't free it again in case of error */ +- hdr0 = NULL; + } + } /* else zero (sane) entries */ + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- if (entries != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +- if (((entries & (unsigned)0xFFFF) != zz_entries) +- { +- /* If it was assigned to *hdr_return, undo assignment */ +- if (p_reclen && hdr_return) +- *hdr_return = NULL; +- /* Free it, if it was not already free()'d */ +- if (hdr0 != NULL) +- free(hdr0); +- return ZZIP_CORRUPTED; +- } ++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; + # endif +- return 0; + } + + /* ------------------------- high-level interface ------------------------- */ diff --git a/SOURCES/CVE-2018-16548.part3.patch b/SOURCES/CVE-2018-16548.part3.patch new file mode 100644 index 0000000..f2f8214 --- /dev/null +++ b/SOURCES/CVE-2018-16548.part3.patch @@ -0,0 +1,22 @@ +From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001 +From: jmoellers +Date: Fri, 7 Sep 2018 13:55:35 +0200 +Subject: [PATCH] One more free() to avoid memory leak. + +--- + zzip/zip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/zzip/zip.c b/zzip/zip.c +index 51a1a4d..bc6c080 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd, + free(hdr0); + } + } /* else zero (sane) entries */ ++ else ++ free(hdr0); + # ifndef ZZIP_ALLOW_MODULO_ENTRIES + return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else diff --git a/SOURCES/CVE-2018-6541.patch b/SOURCES/CVE-2018-6541.patch new file mode 100644 index 0000000..0f471db --- /dev/null +++ b/SOURCES/CVE-2018-6541.patch @@ -0,0 +1,23 @@ +From 0c0c9256b0903f664bca25dd8d924211f81e01d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Josef=20M=C3=B6llers?= +Date: Fri, 2 Feb 2018 14:09:32 +0100 +Subject: [PATCH] Reject the ZIP file and report it as corrupt if the size of + the central directory and/or the offset of start of central directory point + beyond the end of the ZIP file. [CVE-2018-6484] +diff --git a/zzip/zip.c b/zzip/zip.c +index f0eac2b..67e662f 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize, + return(ZZIP_CORRUPTED); // forged value + + __fixup_rootseek(offset + tail - mapped, trailer); ++ /* ++ * "extract data from files archived in a single zip file." ++ * So the file offsets must be within the current ZIP archive! ++ */ ++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize) ++ return(ZZIP_CORRUPTED); + { return(0); } + } else if ((*tail == 'P') && + end - tail >= diff --git a/SPECS/zziplib.spec b/SPECS/zziplib.spec index 6b05ecb..efc0633 100644 --- a/SPECS/zziplib.spec +++ b/SPECS/zziplib.spec @@ -1,7 +1,7 @@ Summary: Lightweight library to easily extract data from zip files Name: zziplib Version: 0.13.62 -Release: 9%{?dist} +Release: 11%{?dist} License: LGPLv2+ or MPLv1.1 Group: Applications/Archiving URL: http://zziplib.sourceforge.net/ @@ -11,6 +11,12 @@ Patch1: 0001-fix-CVE-2018-7725.patch Patch2: 0001-fix-CVE-2018-7726.patch Patch3: 0001-fix-CVE-2018-7727.patch +Patch4: CVE-2018-16548.part1.patch +Patch5: CVE-2018-16548.part2.patch +Patch6: CVE-2018-16548.part3.patch + +Patch7: CVE-2018-6541.patch + BuildRequires: perl BuildRequires: python BuildRequires: zip @@ -66,6 +72,12 @@ zziplib library. %patch1 -p1 %patch2 -p1 %patch3 -p1 + +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + +%patch7 -p1 # Save the common patched _config.h file to overwrite the generated one cp -a zzip/_config.h _config.h @@ -107,6 +119,18 @@ install -p -m 0644 _config.h %{buildroot}%{_includedir}/zzip/_config.h %{_mandir}/man3/* %changelog +* Thu Feb 28 2019 Jakub Martisko - 0.13.62-11 +- Fix CVE-2018-6541 +- Part of the original patch has already been applied in the past (CVE-2018-7726), + so the bug should not be reproducible in a way described in the github + issue, even without this commit. Applying the rest of the original patch anyway. +- https://github.com/gdraheim/zziplib/issues/16 +- Related: CVE-2018-6541 + +* Thu Feb 28 2019 Jakub Martisko - 0.13.62-10 +- Fix CVE-2018-16548 +- Resolves: CVE-2018-16548 + * Wed Jun 20 2018 Jakub Martisko - 0.13.62-9 - Fix covscan warning - "Variable "file" going out of scope leaks the storage it points to."