[PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 14 Jun 2017 22:36
(address . guix-patches@gnu.org)
c742c0c091fc61c8497bb7471bb642d145c15f16.1497472587.git.leo@famulari.name
* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.
---
gnu/local.mk | 8 +++-
gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 +++++++++++
gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 +++++++++++++
gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 ++++++++++++++++++++++++
gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 ++++++++++++++
gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 ++++++++
gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 ++++++++
gnu/packages/zip.scm | 6 +++
8 files changed, 209 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5974.patch
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5975.patch
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5976.patch
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5978.patch
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5979.patch
create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5981.patch

Toggle diff (270 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..5e2fa7a5e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1085,7 +1085,13 @@ dist_patch_DATA = \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
- %D%/packages/patches/zathura-plugindir-environment-variable.patch
+ %D%/packages/patches/zathura-plugindir-environment-variable.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5974.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5975.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5976.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5978.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5979.patch \
+ %D%/packages/patches/zziplib-CVE-2017-5981.patch
MISC_DISTRO_FILES = \
%D%/packages/ld-wrapper.in
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
new file mode 100644
index 000000000..9ae02103e
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-5974:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ /* override sizes/offsets with zip64 values for largefile support */
+ zzip_extra_zip64 *block = (zzip_extra_zip64 *)
+ zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
+- if (block)
++ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
+ {
+- item->zz_usize = __zzip_get64(block->z_usize);
+- item->zz_csize = __zzip_get64(block->z_csize);
+- item->zz_offset = __zzip_get64(block->z_offset);
+- item->zz_diskstart = __zzip_get32(block->z_diskstart);
++ item->zz_usize = ZZIP_GET64(block->z_usize);
++ item->zz_csize = ZZIP_GET64(block->z_csize);
++ item->zz_offset = ZZIP_GET64(block->z_offset);
++ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
+ }
+ }
+ /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
new file mode 100644
index 000000000..fad174b05
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ return 0; /* errno=ENOMEM; */
+ ___ struct zzip_file_header *header =
+ zzip_disk_entry_to_file_header(disk, entry);
++ if (!header)
++ { free(item); return 0; }
+ /* there is a number of duplicated information in the file header
+ * or the disk entry block. Theoretically some part may be missing
+ * that exists in the other, ... but we will prefer the disk entry.
+Index: zziplib-0.13.62/zzip/mmapped.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/mmapped.c
++++ zziplib-0.13.62/zzip/mmapped.c
+@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
+ (disk->buffer + zzip_disk_entry_fileoffset(entry));
+ if (disk->buffer > file_header || file_header >= disk->endbuf)
+ return 0;
++ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
++ return 0;
+ return (struct zzip_file_header *) file_header;
+ }
+
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
new file mode 100644
index 000000000..17fc30e30
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-5976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ {
+ void *mem = malloc(ext1 + 2);
+ item->zz_ext[1] = mem;
++ item->zz_extlen[1] = ext1 + 2;
+ memcpy(mem, ptr1, ext1);
+ ((char *) (mem))[ext1 + 0] = 0;
+ ((char *) (mem))[ext1 + 1] = 0;
+@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ {
+ void *mem = malloc(ext2 + 2);
+ item->zz_ext[2] = mem;
++ item->zz_extlen[2] = ext2 + 2;
+ memcpy(mem, ptr2, ext2);
+ ((char *) (mem))[ext2 + 0] = 0;
+ ((char *) (mem))[ext2 + 1] = 0;
+@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+ while (1)
+ {
+ ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
+- if (ext)
++ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
+ {
++ char *endblock = (char *)ext + entry->zz_extlen[i];
++
+ while (*(short *) (ext->z_datatype))
+ {
+ if (datatype == zzip_extra_block_get_datatype(ext))
+@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+ e += zzip_extra_block_headerlength;
+ e += zzip_extra_block_get_datasize(ext);
+ ext = (void *) e;
++ if (e >= endblock)
++ {
++ break;
++ }
+ ____;
+ }
+ }
+Index: zziplib-0.13.62/zzip/memdisk.h
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.h
++++ zziplib-0.13.62/zzip/memdisk.h
+@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
+ int zz_filetype; /* (from "z_filetype") */
+ char* zz_comment; /* zero-terminated (from "comment") */
+ ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
++ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
+ }; /* the extra blocks are NOT converted */
+
+ #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
new file mode 100644
index 000000000..452b14f80
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-5978:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ * that exists in the other, ... but we will prefer the disk entry.
+ */
+ item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
+- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
++ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
+ item->zz_data = zzip_file_header_to_data(header);
+ item->zz_flags = zzip_disk_entry_get_flags(entry);
+ item->zz_compr = zzip_disk_entry_get_compr(entry);
+@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ int /* */ ext2 = zzip_file_header_get_extras(header);
+ char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
+
+- if (ext1)
++ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
+ {
+ void *mem = malloc(ext1 + 2);
+ item->zz_ext[1] = mem;
+@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ ((char *) (mem))[ext1 + 0] = 0;
+ ((char *) (mem))[ext1 + 1] = 0;
+ }
+- if (ext2)
++ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
+ {
+ void *mem = malloc(ext2 + 2);
+ item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
new file mode 100644
index 000000000..b38f50b17
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5979:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+ return 0;
+ /* we read out chunks of 8 KiB in the hope to match disk granularity */
+ ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+ if (! entry)
+ return 0;
+ ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
new file mode 100644
index 000000000..ed82cb3b9
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5981:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
+
+Patch copied from Debian.
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
+ } else
+ continue;
+
+- assert(0 <= root && root < mapsize);
++ if (root < 0 || root >= mapsize)
++ goto error;
+ if (fseeko(disk, root, SEEK_SET) == -1)
+ goto error;
+ if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm
index 8feb4fea2..018891359 100644
--- a/gnu/packages/zip.scm
+++ b/gnu/packages/zip.scm
@@ -136,6 +136,12 @@ recreates the stored directory structure by default.")
(uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
version "/zziplib-"
version ".tar.bz2"))
+ (patches (search-patches "zziplib-CVE-2017-5974.patch"
+ "zziplib-CVE-2017-5975.patch"
+ "zziplib-CVE-2017-5976.patch"
+ "zziplib-CVE-2017-5978.patch"
+ "zziplib-CVE-2017-5979.patch"
+ "zziplib-CVE-2017-5981.patch"))
(sha256
(base32
"0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
--
2.13.1
L
L
Ludovic Courtès wrote on 15 Jun 2017 10:08
Re: [bug#27365] [PATCH] gnu: zziplib: Fix CVE-2017-{5974, 5975, 5976, 5978, 5979, 5981}.
(name . Leo Famulari)(address . leo@famulari.name)(address . 27365@debbugs.gnu.org)
87shj14qrh.fsf@gnu.org
Leo Famulari <leo@famulari.name> skribis:

Toggle quote (9 lines)
> * gnu/packages/patches/zziplib-CVE-2017-5974.patch,
> gnu/packages/patches/zziplib-CVE-2017-5975.patch,
> gnu/packages/patches/zziplib-CVE-2017-5976.patch,
> gnu/packages/patches/zziplib-CVE-2017-5978.patch,
> gnu/packages/patches/zziplib-CVE-2017-5979.patch,
> gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/zip.scm (zziplib)[source]: Use them.

LGTM. Thanks for taking care of it!

Ludo’.
L
L
Ludovic Courtès wrote on 2 Sep 2017 00:24
control message for bug #27365
(address . control@debbugs.gnu.org)
87ziaexdkv.fsf@gnu.org
tags 27365 fixed
close 27365
?
Your comment

This issue is archived.

To comment on this conversation send an email to 27365@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 27365
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch