guix/gnu/packages/patches/zziplib-CVE-2018-16548.patch
Efraim Flashner 790b66e34f
gnu: zziplib: Fix CVE-2018-16548.
* gnu/packages/compression.scm (zziplib)[replacement]: New field.
(zziplib/fixed): New private variable.
* gnu/packages/patches/zziplib-CVE-2018-16548.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
2020-03-04 10:52:52 +02:00

49 lines
1.6 KiB
Diff

The following 3 patches applied to 0.13.69 in this order, combined:
https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb.patch
https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687.patch
https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99.patch
diff --git a/test/test.zip b/test/test.zip
index 2c992ea..952d475 100644
Binary files a/test/test.zip and b/test/test.zip differ
diff --git a/zzip/zip.c b/zzip/zip.c
index 14e2e06..f97a40a 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd,
} else
{
if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+ {
+ free(hdr0);
return ZZIP_DIR_SEEK;
+ }
if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+ {
+ free(hdr0);
return ZZIP_DIR_READ;
+ }
d = &dirent;
}
@@ -574,11 +580,18 @@ __zzip_parse_root_directory(int fd,
if (hdr_return)
*hdr_return = hdr0;
+ else
+ {
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
+ free(hdr0);
+ }
} /* else zero (sane) entries */
+ else
+ free(hdr0);
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
# else
- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
# endif
}