GNU bug report logs - #27365
[PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 14 Jun 2017 20:37:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#27365; Package guix-patches. (Wed, 14 Jun 2017 20:37:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 14 Jun 2017 20:37:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.
Date: Wed, 14 Jun 2017 16:36:27 -0400
* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.
---
 gnu/local.mk                                     |  8 +++-
 gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 +++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 +++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 ++++++++++++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 ++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 ++++++++
 gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 ++++++++
 gnu/packages/zip.scm                             |  6 +++
 8 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5974.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5975.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5976.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5978.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5979.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5981.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..5e2fa7a5e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1085,7 +1085,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
-  %D%/packages/patches/zathura-plugindir-environment-variable.patch
+  %D%/packages/patches/zathura-plugindir-environment-variable.patch	\
+  %D%/packages/patches/zziplib-CVE-2017-5974.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5975.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5976.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5978.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5979.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5981.patch
 
 MISC_DISTRO_FILES =				\
   %D%/packages/ld-wrapper.in
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
new file mode 100644
index 000000000..9ae02103e
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-5974:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         /* override sizes/offsets with zip64 values for largefile support */
+         zzip_extra_zip64 *block = (zzip_extra_zip64 *)
+             zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
+-        if (block)
++        if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
+         {
+-            item->zz_usize = __zzip_get64(block->z_usize);
+-            item->zz_csize = __zzip_get64(block->z_csize);
+-            item->zz_offset = __zzip_get64(block->z_offset);
+-            item->zz_diskstart = __zzip_get32(block->z_diskstart);
++            item->zz_usize = ZZIP_GET64(block->z_usize);
++            item->zz_csize = ZZIP_GET64(block->z_csize);
++            item->zz_offset = ZZIP_GET64(block->z_offset);
++            item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
+         }
+     }
+     /* NOTE:
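Review bot: the patch header gives only the CVE URL and "Patch copied from Debian", yet the hunk also swaps `__zzip_get64`/`__zzip_get32` for the `ZZIP_GET64`/`ZZIP_GET32` macros without saying why; please name the Debian source (package version or bug number) and add one line separating the actual fix (the `ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)` length check before the four reads) from the accessor change, so whoever next upgrades zziplib knows what must survive. Note also that `block->z_datasize` is read before anything here proves the zip64 block header itself lies inside the extra buffer; that guarantee comes from the `zz_extlen` bounds added to `zzip_mem_entry_extra_block` in the CVE-2017-5976 patch, so the two patches only make sense applied together, which is worth stating in the header.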
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
new file mode 100644
index 000000000..fad174b05
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         return 0;               /* errno=ENOMEM; */
+     ___ struct zzip_file_header *header =
+         zzip_disk_entry_to_file_header(disk, entry);
++    if (!header)
++	{ free(item); return 0; }
+     /*  there is a number of duplicated information in the file header
+      *  or the disk entry block. Theoretically some part may be missing
+      *  that exists in the other, ... but we will prefer the disk entry.
+Index: zziplib-0.13.62/zzip/mmapped.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/mmapped.c
++++ zziplib-0.13.62/zzip/mmapped.c
+@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
+         (disk->buffer + zzip_disk_entry_fileoffset(entry));
+     if (disk->buffer > file_header || file_header >= disk->endbuf)
+         return 0;
++    if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
++        return 0;
+     return (struct zzip_file_header *) file_header;
+ }
+ 
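Review bot: in the mmapped.c part, the existing bounds check only guarantees `file_header < disk->endbuf`, but the new `ZZIP_GET32(file_header)` reads four bytes, so an entry whose file offset points into the last three bytes of the buffer still reads past `endbuf` before the magic comparison rejects it; extend the check to the header size, e.g. `file_header + sizeof(struct zzip_file_header) > disk->endbuf`, ahead of the magic test. The added `{ free(item); return 0; }` in memdisk.c is tab-indented while the surrounding lines use spaces.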
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
new file mode 100644
index 000000000..17fc30e30
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-5976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         {
+             void *mem = malloc(ext1 + 2);
+             item->zz_ext[1] = mem;
++	    item->zz_extlen[1] = ext1 + 2;
+             memcpy(mem, ptr1, ext1);
+             ((char *) (mem))[ext1 + 0] = 0;
+             ((char *) (mem))[ext1 + 1] = 0;
+@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         {
+             void *mem = malloc(ext2 + 2);
+             item->zz_ext[2] = mem;
++	    item->zz_extlen[2] = ext2 + 2;
+             memcpy(mem, ptr2, ext2);
+             ((char *) (mem))[ext2 + 0] = 0;
+             ((char *) (mem))[ext2 + 1] = 0;
+@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+     while (1)
+     {
+         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
+-        if (ext)
++        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
+         {
++	    char *endblock = (char *)ext + entry->zz_extlen[i];
++
+             while (*(short *) (ext->z_datatype))
+             {
+                 if (datatype == zzip_extra_block_get_datatype(ext))
+@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+                 e += zzip_extra_block_headerlength;
+                 e += zzip_extra_block_get_datasize(ext);
+                 ext = (void *) e;
++		if (e >= endblock)
++		{
++		    break;
++		}
+                 ____;
+             }
+         }
+Index: zziplib-0.13.62/zzip/memdisk.h
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.h
++++ zziplib-0.13.62/zzip/memdisk.h
+@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
+     int              zz_filetype;  /* (from "z_filetype") */
+     char*            zz_comment;   /* zero-terminated (from "comment") */
+     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
++    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
+ };                                 /* the extra blocks are NOT converted */
+ 
+ #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
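Review bot: the new `if (e >= endblock) break;` only checks that the start of the next block is inside the buffer, but the loop then evaluates `*(short *) (ext->z_datatype)` and `zzip_extra_block_get_datasize(ext)` on it, i.e. reads `zzip_extra_block_headerlength` bytes, and the `entry->zz_extlen[i] >= zzip_extra_block_headerlength` guard only covers the first block; make the break `if (e + zzip_extra_block_headerlength > endblock)` so a datasize that leaves one or two bytes before `endblock` cannot push the header read past the allocation. The hunk sets `zz_extlen[1]` and `zz_extlen[2]` but nothing visible sets `zz_extlen[0]`, while `zz_ext` has three slots and the walker indexes both arrays with the same `i`; confirm the entry is zero-initialised or set `zz_extlen[0]` explicitly. The added lines also use tabs where the file uses spaces.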
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
new file mode 100644
index 000000000..452b14f80
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-5978:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+      *  that exists in the other, ... but we will prefer the disk entry.
+      */
+     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
+-    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
++    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
+     item->zz_data = zzip_file_header_to_data(header);
+     item->zz_flags = zzip_disk_entry_get_flags(entry);
+     item->zz_compr = zzip_disk_entry_get_compr(entry);
+@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         int /*            */ ext2 = zzip_file_header_get_extras(header);
+         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
+ 
+-        if (ext1)
++        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
+         {
+             void *mem = malloc(ext1 + 2);
+             item->zz_ext[1] = mem;
+@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+             ((char *) (mem))[ext1 + 0] = 0;
+             ((char *) (mem))[ext1 + 1] = 0;
+         }
+-        if (ext2)
++        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
+         {
+             void *mem = malloc(ext2 + 2);
+             item->zz_ext[2] = mem;
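Review bot: `zzip_disk_entry_strdup_name(disk, entry) ?: strdup("")` relies on the GNU `?:` extension, and `strdup("")` can itself return NULL under allocation failure, so `zz_name` is still not guaranteed non-NULL; write it as an explicit `if` and treat a NULL result as an error, reusing the `free(item); return 0;` path that the CVE-2017-5975 hunk adds to the same function. The extras guards `(ptr1 + ext1) < disk->endbuf` and `(ptr2 + ext2) < disk->endbuf` reject an archive whose extra field ends exactly at the end of the buffer, although `memcpy(mem, ptr1, ext1)` would be in bounds there; `<=` is the exact bound. Both guards check only the upper end, so they assume `ptr1` and `ptr2` are already at or above `disk->buffer`.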
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
new file mode 100644
index 000000000..b38f50b17
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5979:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+         return 0;
+     /* we read out chunks of 8 KiB in the hope to match disk granularity */
+     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+-    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+     if (! entry)
+         return 0;
+     ___ unsigned char *buffer = malloc(pagesize);
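Review bot: the `malloc` to `calloc` change is the entire fix but the header says only "Patch copied from Debian"; add one line on what the zeroing prevents (which `ZZIP_ENTRY` fields could be read before being set) and the Debian source. The `Index: zziplib-0.13.62/...` paths show the patches were taken against 0.13.62, so the commit message should record that they need re-checking on the next upgrade. The `buffer = malloc(pagesize)` on the following line is left as is; a sentence on why that buffer is not read before `fread` fills it would make the fix easier to judge.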
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
new file mode 100644
index 000000000..ed82cb3b9
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5981:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
+
+Patch copied from Debian.
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
+             } else
+                 continue;
+ 
+-            assert(0 <= root && root < mapsize);
++	    if (root < 0 || root >= mapsize)
++	        goto error;
+             if (fseeko(disk, root, SEEK_SET) == -1)
+                 goto error;
+             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
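Review bot: replacing the `assert` with a runtime check is the right call, since an `assert` compiled with NDEBUG would leave the out-of-range `root` unchecked, but the `error` label is outside the hunk; `zzip_entry_findfirst` allocates `entry` and `buffer` earlier in the function (visible in the CVE-2017-5979 hunk), so confirm that path frees both. The two added lines are tab-indented while the surrounding code uses spaces.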
diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm
index 8feb4fea2..018891359 100644
--- a/gnu/packages/zip.scm
+++ b/gnu/packages/zip.scm
@@ -136,6 +136,12 @@ recreates the stored directory structure by default.")
       (uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
                           version "/zziplib-"
                           version ".tar.bz2"))
+      (patches (search-patches "zziplib-CVE-2017-5974.patch"
+                               "zziplib-CVE-2017-5975.patch"
+                               "zziplib-CVE-2017-5976.patch"
+                               "zziplib-CVE-2017-5978.patch"
+                               "zziplib-CVE-2017-5979.patch"
+                               "zziplib-CVE-2017-5981.patch"))
       (sha256
        (base32
         "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
-- 
2.13.1
Information forwarded to guix-patches <at> gnu.org:
bug#27365; Package guix-patches. (Thu, 15 Jun 2017 08:09:02 GMT)

Message #8 received at 27365 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 27365 <at> debbugs.gnu.org
Subject: Re: [bug#27365] [PATCH] gnu: zziplib: Fix CVE-2017-{5974, 5975, 5976, 5978, 5979, 5981}.
Date: Thu, 15 Jun 2017 10:08:34 +0200
Leo Famulari <leo <at> famulari.name> skribis:

> * gnu/packages/patches/zziplib-CVE-2017-5974.patch,
> gnu/packages/patches/zziplib-CVE-2017-5975.patch,
> gnu/packages/patches/zziplib-CVE-2017-5976.patch,
> gnu/packages/patches/zziplib-CVE-2017-5978.patch,
> gnu/packages/patches/zziplib-CVE-2017-5979.patch,
> gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/zip.scm (zziplib)[source]: Use them.

LGTM.  Thanks for taking care of it!

Ludo’.
Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Fri, 01 Sep 2017 22:25:02 GMT)

bug closed, send any further explanations to 27365 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name>. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Fri, 01 Sep 2017 22:25:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 30 Sep 2017 11:24:07 GMT)
