[PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.

Done
Submitted by Leo Famulari.
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Leo Famulari wrote on 14 Jun 2017 22:36
(address . guix-patches@gnu.org)
c742c0c091fc61c8497bb7471bb642d145c15f16.1497472587.git.leo@famulari.name
* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.
---
 gnu/local.mk                                     |  8 +++-
 gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 +++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 +++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 ++++++++++++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 ++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 ++++++++
 gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 ++++++++
 gnu/packages/zip.scm                             |  6 +++
 8 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5974.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5975.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5976.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5978.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5979.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5981.patch
Toggle diff (270 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 8fcd2cab2..5e2fa7a5e 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1085,7 +1085,13 @@ dist_patch_DATA = \ %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \- %D%/packages/patches/zathura-plugindir-environment-variable.patch+ %D%/packages/patches/zathura-plugindir-environment-variable.patch \+ %D%/packages/patches/zziplib-CVE-2017-5974.patch \+ %D%/packages/patches/zziplib-CVE-2017-5975.patch \+ %D%/packages/patches/zziplib-CVE-2017-5976.patch \+ %D%/packages/patches/zziplib-CVE-2017-5978.patch \+ %D%/packages/patches/zziplib-CVE-2017-5979.patch \+ %D%/packages/patches/zziplib-CVE-2017-5981.patch MISC_DISTRO_FILES = \ %D%/packages/ld-wrapper.indiff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patchnew file mode 100644index 000000000..9ae02103e--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5974.patch@@ -0,0 +1,28 @@+Fix CVE-2017-5974:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974++Patch copied from Debian.++Index: zziplib-0.13.62/zzip/memdisk.c+===================================================================+--- zziplib-0.13.62.orig/zzip/memdisk.c++++ zziplib-0.13.62/zzip/memdisk.c+@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ /* override sizes/offsets with zip64 values for largefile support */+ zzip_extra_zip64 *block = (zzip_extra_zip64 *)+ zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);+- if (block)++ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))+ {+- item->zz_usize = __zzip_get64(block->z_usize);+- item->zz_csize = __zzip_get64(block->z_csize);+- item->zz_offset = __zzip_get64(block->z_offset);+- item->zz_diskstart = __zzip_get32(block->z_diskstart);++ item->zz_usize = ZZIP_GET64(block->z_usize);++ item->zz_csize = ZZIP_GET64(block->z_csize);++ item->zz_offset = 
ZZIP_GET64(block->z_offset);++ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);+ }+ }+ /* NOTE:diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patchnew file mode 100644index 000000000..fad174b05--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5975.patch@@ -0,0 +1,32 @@+Fix CVE-2017-5975:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975++Patch copied from Debian.++Index: zziplib-0.13.62/zzip/memdisk.c+===================================================================+--- zziplib-0.13.62.orig/zzip/memdisk.c++++ zziplib-0.13.62/zzip/memdisk.c+@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ return 0; /* errno=ENOMEM; */+ ___ struct zzip_file_header *header =+ zzip_disk_entry_to_file_header(disk, entry);++ if (!header)++ { free(item); return 0; }+ /* there is a number of duplicated information in the file header+ * or the disk entry block. Theoretically some part may be missing+ * that exists in the other, ... but we will prefer the disk entry.+Index: zziplib-0.13.62/zzip/mmapped.c+===================================================================+--- zziplib-0.13.62.orig/zzip/mmapped.c++++ zziplib-0.13.62/zzip/mmapped.c+@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK+ (disk->buffer + zzip_disk_entry_fileoffset(entry));+ if (disk->buffer > file_header || file_header >= disk->endbuf)+ return 0;++ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)++ return 0;+ return (struct zzip_file_header *) file_header;+ }+ 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patchnew file mode 100644index 000000000..17fc30e30--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5976.patch@@ -0,0 +1,61 @@+Fix CVE-2017-5976:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976++Patch copied from Debian.++Index: zziplib-0.13.62/zzip/memdisk.c+===================================================================+--- zziplib-0.13.62.orig/zzip/memdisk.c++++ zziplib-0.13.62/zzip/memdisk.c+@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ {+ void *mem = malloc(ext1 + 2);+ item->zz_ext[1] = mem;++ item->zz_extlen[1] = ext1 + 2;+ memcpy(mem, ptr1, ext1);+ ((char *) (mem))[ext1 + 0] = 0;+ ((char *) (mem))[ext1 + 1] = 0;+@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ {+ void *mem = malloc(ext2 + 2);+ item->zz_ext[2] = mem;++ item->zz_extlen[2] = ext2 + 2;+ memcpy(mem, ptr2, ext2);+ ((char *) (mem))[ext2 + 0] = 0;+ ((char *) (mem))[ext2 + 1] = 0;+@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR+ while (1)+ {+ ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];+- if (ext)++ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))+ {++ char *endblock = (char *)ext + entry->zz_extlen[i];+++ while (*(short *) (ext->z_datatype))+ {+ if (datatype == zzip_extra_block_get_datatype(ext))+@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR+ e += zzip_extra_block_headerlength;+ e += zzip_extra_block_get_datasize(ext);+ ext = (void *) e;++ if (e >= endblock)++ {++ break;++ }+ ____;+ }+ }+Index: zziplib-0.13.62/zzip/memdisk.h+===================================================================+--- zziplib-0.13.62.orig/zzip/memdisk.h++++ zziplib-0.13.62/zzip/memdisk.h+@@ -66,6 +66,7 @@ struct _zzip_mem_entry {+ int zz_filetype; /* (from "z_filetype") */+ char* zz_comment; /* zero-terminated (from "comment") */+ ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */++ int zz_extlen[3]; 
/* length of zz_ext[i] in bytes */+ }; /* the extra blocks are NOT converted */+ + #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patchnew file mode 100644index 000000000..452b14f80--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5978.patch@@ -0,0 +1,37 @@+Fix CVE-2017-5978:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978++Patch copied from Debian.++Index: zziplib-0.13.62/zzip/memdisk.c+===================================================================+--- zziplib-0.13.62.orig/zzip/memdisk.c++++ zziplib-0.13.62/zzip/memdisk.c+@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ * that exists in the other, ... but we will prefer the disk entry.+ */+ item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);+- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);++ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");+ item->zz_data = zzip_file_header_to_data(header);+ item->zz_flags = zzip_disk_entry_get_flags(entry);+ item->zz_compr = zzip_disk_entry_get_compr(entry);+@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ int /* */ ext2 = zzip_file_header_get_extras(header);+ char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);+ +- if (ext1)++ if (ext1 && ((ptr1 + ext1) < disk->endbuf))+ {+ void *mem = malloc(ext1 + 2);+ item->zz_ext[1] = mem;+@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI+ ((char *) (mem))[ext1 + 0] = 0;+ ((char *) (mem))[ext1 + 1] = 0;+ }+- if (ext2)++ if (ext2 && ((ptr2 + ext2) < disk->endbuf))+ {+ void *mem = malloc(ext2 + 2);+ item->zz_ext[2] = mem;diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patchnew file mode 100644index 000000000..b38f50b17--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch@@ -0,0 +1,19 @@+Fix 
CVE-2017-5979:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979++Patch copied from Debian.++Index: zziplib-0.13.62/zzip/fseeko.c+===================================================================+--- zziplib-0.13.62.orig/zzip/fseeko.c++++ zziplib-0.13.62/zzip/fseeko.c+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)+ return 0;+ /* we read out chunks of 8 KiB in the hope to match disk granularity */+ ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */+- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));++ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));+ if (! entry)+ return 0;+ ___ unsigned char *buffer = malloc(pagesize);diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patchnew file mode 100644index 000000000..ed82cb3b9--- /dev/null+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch@@ -0,0 +1,19 @@+Fix CVE-2017-5981:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981++Patch copied from Debian.+Index: zziplib-0.13.62/zzip/fseeko.c+===================================================================+--- zziplib-0.13.62.orig/zzip/fseeko.c++++ zziplib-0.13.62/zzip/fseeko.c+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)+ } else+ continue;+ +- assert(0 <= root && root < mapsize);++ if (root < 0 || root >= mapsize)++ goto error;+ if (fseeko(disk, root, SEEK_SET) == -1)+ goto error;+ if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scmindex 8feb4fea2..018891359 100644--- a/gnu/packages/zip.scm+++ b/gnu/packages/zip.scm@@ -136,6 +136,12 @@ recreates the stored directory structure by default.") (uri (string-append "mirror://sourceforge/zziplib/zziplib13/" version "/zziplib-" version ".tar.bz2"))+ (patches (search-patches "zziplib-CVE-2017-5974.patch"+ "zziplib-CVE-2017-5975.patch"+ "zziplib-CVE-2017-5976.patch"+ "zziplib-CVE-2017-5978.patch"+ "zziplib-CVE-2017-5979.patch"+ "zziplib-CVE-2017-5981.patch")) (sha256 
(base32 "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))-- 2.13.1
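Review bot: the new guard `if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))` in the zzip_mem_entry_new hunk of zziplib-CVE-2017-5974.patch trusts the block's own z_datasize field; that the zip64 block actually lies inside the extra-field buffer is only ensured by the zz_extlen/endblock bound introduced in zziplib-CVE-2017-5976.patch, so the two patches belong together (as this commit applies them) and the 5974 header could say so. The same hunk also swaps `__zzip_get64`/`__zzip_get32` for `ZZIP_GET64`/`ZZIP_GET32`, which goes beyond the bounds check; a sentence in the patch header would explain the accessor change, and the build will confirm those macros exist in 0.13.62.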
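Review bot: in the zzip_disk_entry_to_file_header hunk of zziplib-CVE-2017-5975.patch the added `if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)` reads four bytes at file_header, but the existing range check `if (disk->buffer > file_header || file_header >= disk->endbuf)` only guarantees that the first byte is inside the buffer. Rejecting `file_header + sizeof(struct zzip_file_header) > disk->endbuf` before the magic read would ensure the whole fixed header is in range, which is what the callers that read extras from it (see the zzip_file_header_get_extras/zzip_file_header_to_extras lines in zziplib-CVE-2017-5978.patch) assume. The memdisk.c half, `if (!header) { free(item); return 0; }`, mirrors the ENOMEM return just above it and releases item before anything else has been attached to it, so it looks right.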
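Review bot: in the zzip_mem_entry_extra_block hunk of zziplib-CVE-2017-5976.patch the new `if (e >= endblock) { break; }` runs after `ext` has been advanced and only rejects a pointer at or past the end; if `e` lands within the last few bytes, the next `while (*(short *) (ext->z_datatype))` test and `zzip_extra_block_get_datasize(ext)` still read a header that straddles endblock. Breaking on `e + zzip_extra_block_headerlength > endblock` would guarantee that a complete header remains, mirroring the `entry->zz_extlen[i] >= zzip_extra_block_headerlength` check that now guards the first iteration. Note also that zz_extlen[i] is recorded as `ext1 + 2` / `ext2 + 2`, so endblock deliberately includes the two zero terminator bytes appended by the earlier hunks.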
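Review bot: the memdisk.h hunk adds `int zz_extlen[3]` to `struct _zzip_mem_entry`, which is declared in a public header, so the struct layout seen by code compiled against zziplib changes. In Guix this is harmless because dependents are rebuilt when the origin changes, but the Debian-sourced patch header should mention that it is an ABI change for anyone backporting it onto an installed library.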
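Review bot: in the first zzip_mem_entry_new hunk of zziplib-CVE-2017-5978.patch, `zzip_disk_entry_strdup_name(disk, entry) ?: strdup("")` uses the GNU `?:` extension, acceptable for the GCC build here but not portable C, and `strdup("")` can itself return NULL on allocation failure, so users of zz_name still cannot assume it is non-NULL. In the two extras hunks, `(ptr1 + ext1) < disk->endbuf` is stricter than the exact bound `<=` needed for the following `memcpy(mem, ptr1, ext1)`; that is safe, but when the check fails `zz_ext[1]`/`zz_extlen[1]` are left untouched, which is only correct if item is zero-initialised on allocation, something worth confirming in the surrounding code.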
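Review bot: the zzip_entry_findfirst hunk of zziplib-CVE-2017-5981.patch rightly replaces `assert(0 <= root && root < mapsize)` with a runtime `if (root < 0 || root >= mapsize) goto error;`, since an assert is compiled out under NDEBUG and aborts the process otherwise. The early `goto error` relies on the error path tolerating a partially initialised entry; the malloc-to-calloc change in zziplib-CVE-2017-5979.patch, in the same function, makes that more likely to hold, and is another reason the two patches should go in together.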
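Review bot: the zip.scm hunk places `(patches (search-patches ...))` before `(sha256 ...)` inside the origin; the more common ordering in gnu/packages is sha256 first and patches after, so moving the form keeps the file consistent with neighbouring packages. The commit message also does not say where the six patches come from; each patch file states "Patch copied from Debian", and repeating that in the ChangeLog-style message helps whoever updates zziplib next.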
Ludovic Courtès wrote on 15 Jun 2017 10:08
Re: [bug#27365] [PATCH] gnu: zziplib: Fix CVE-2017-{5974, 5975, 5976, 5978, 5979, 5981}.
(name . Leo Famulari)(address . leo@famulari.name)(address . 27365@debbugs.gnu.org)
87shj14qrh.fsf@gnu.org
Leo Famulari <leo@famulari.name> wrote:
> * gnu/packages/patches/zziplib-CVE-2017-5974.patch,
> gnu/packages/patches/zziplib-CVE-2017-5975.patch,
> gnu/packages/patches/zziplib-CVE-2017-5976.patch,
> gnu/packages/patches/zziplib-CVE-2017-5978.patch,
> gnu/packages/patches/zziplib-CVE-2017-5979.patch,
> gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/zip.scm (zziplib)[source]: Use them.
LGTM. Thanks for taking care of it!
Ludo’.
Ludovic Courtès wrote on 2 Sep 2017 00:24
control message for bug #27365
(address . control@debbugs.gnu.org)
87ziaexdkv.fsf@gnu.org
tags 27365 fixed
close 27365
This issue is archived.
