On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote: > I was contacted by someone at SUSE that is working on fixing the security > bugs - but even if successful, I don't know how good the quality will be or > how much testing will be able to get done before stretch is released. > Removal might be safest option
Unfortunately removal didn't work out for stretch and will have to wait for buster. I'm attaching the patches used by SuSE to address these vulnerabilities (extracted from their srpm). Cheers, Moritz
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 /* override sizes/offsets with zip64 values for largefile support */
 zzip_extra_zip64 *block = (zzip_extra_zip64 *)
 zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
- if (block)
+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
 {
- item->zz_usize = __zzip_get64(block->z_usize);
- item->zz_csize = __zzip_get64(block->z_csize);
- item->zz_offset = __zzip_get64(block->z_offset);
- item->zz_diskstart = __zzip_get32(block->z_diskstart);
+ item->zz_usize = ZZIP_GET64(block->z_usize);
+ item->zz_csize = ZZIP_GET64(block->z_csize);
+ item->zz_offset = ZZIP_GET64(block->z_offset);
+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
 }
 }
 /* NOTE:
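Review bot: The new condition on the `if (block ...)` line trusts the block's own `z_datasize` field, which is read from the archive; a block that declares 28 bytes of payload but sits near the end of the extra-field buffer still lets the four `ZZIP_GET64`/`ZZIP_GET32` reads below run past the allocation. The bound that matters is the number of bytes left in the buffer the block lives in, and this hunk cannot see that length, so the check belongs in (or must be returned by) zzip_mem_entry_extra_block, with the declared-size test kept only as a secondary sanity check. The literal also deserves a name: `/* zip64 extra payload: usize(8) + csize(8) + offset(8) + diskstart(4) */` above the condition. zzip_mem_entry_new continues outside the hunk.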
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 return 0; /* errno=ENOMEM; */
 ___ struct zzip_file_header *header =
 zzip_disk_entry_to_file_header(disk, entry);
+ if (!header)
+ { free(item); return 0; }
 /* there is a number of duplicated information in the file header
 * or the disk entry block. Theoretically some part may be missing
 * that exists in the other, ... but we will prefer the disk entry.
Index: zziplib-0.13.62/zzip/mmapped.c
===================================================================
--- zziplib-0.13.62.orig/zzip/mmapped.c
+++ zziplib-0.13.62/zzip/mmapped.c
@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
 (disk->buffer + zzip_disk_entry_fileoffset(entry));
 if (disk->buffer > file_header || file_header >= disk->endbuf)
 return 0;
+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
+ return 0;
 return (struct zzip_file_header *) file_header;
 }
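Review bot: The added `ZZIP_GET32(file_header)` read in the mmapped.c hunk is guarded only by `file_header >= disk->endbuf` on the line above, which proves one byte is in range, not four, so a file offset that lands within the last three bytes of the mapping is read past the buffer before the magic is ever compared; callers then use the result as a whole `struct zzip_file_header`, which needs more still. Widening the existing range check covers both: `if (disk->buffer > file_header || disk->endbuf - file_header < (ptrdiff_t) sizeof(struct zzip_file_header)) return 0;`, with the magic test left as it is after it. Whether each caller then bounds the variable-length name and extras that follow the fixed header is outside this hunk.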
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 {
 void *mem = malloc(ext1 + 2);
 item->zz_ext[1] = mem;
+ item->zz_extlen[1] = ext1 + 2;
 memcpy(mem, ptr1, ext1);
 ((char *) (mem))[ext1 + 0] = 0;
 ((char *) (mem))[ext1 + 1] = 0;
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 {
 void *mem = malloc(ext2 + 2);
 item->zz_ext[2] = mem;
+ item->zz_extlen[2] = ext2 + 2;
 memcpy(mem, ptr2, ext2);
 ((char *) (mem))[ext2 + 0] = 0;
 ((char *) (mem))[ext2 + 1] = 0;
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
 while (1)
 {
 ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
- if (ext)
+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
 {
+ char *endblock = (char *)ext + entry->zz_extlen[i];
+
 while (*(short *) (ext->z_datatype))
 {
 if (datatype == zzip_extra_block_get_datatype(ext))
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
 e += zzip_extra_block_headerlength;
 e += zzip_extra_block_get_datasize(ext);
 ext = (void *) e;
+ if (e >= endblock)
+ {
+ break;
+ }
 ____;
 }
 }
Index: zziplib-0.13.62/zzip/memdisk.h
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.h
+++ zziplib-0.13.62/zzip/memdisk.h
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
 int zz_filetype; /* (from "z_filetype") */
 char* zz_comment; /* zero-terminated (from "comment") */
 ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
 }; /* the extra blocks are NOT converted */
 #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
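Review bot: The `if (e >= endblock)` test in the last memdisk.c hunk only stops the walk once `ext` has moved to or past the end of the buffer, so an `ext` that lands one to three bytes before `endblock` still has its `z_datatype` and datasize read by the next evaluation of the `while` condition, which is the over-read the new `zz_extlen` bookkeeping is meant to prevent. Break as soon as a full header no longer fits, `if (endblock - e < zzip_extra_block_headerlength) break;`, and for the block returned on a datatype match (outside this hunk) also require `zzip_extra_block_get_datasize(ext)` to fit before `endblock`, since callers such as the zip64 override in zzip_mem_entry_new read the payload with no further bound. The `zz_extlen[i] >= zzip_extra_block_headerlength` test in the previous hunk covers only the first block of each extra field, so this in-loop check is what keeps every later block in range. zzip_mem_entry_extra_block starts and ends outside these hunks.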
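Review bot: The comment on the new `zz_extlen[3]` member in memdisk.h understates what is stored: the two memdisk.c hunks set it to `ext1 + 2` / `ext2 + 2`, i.e. the size of the malloc'd buffer including the two zero bytes appended after the copied extras, not the length of the extra field in the archive; `/* malloc'd size of zz_ext[i], incl. the 2 trailing NUL bytes */` would stop a later caller from treating it as the on-disk length. `zz_extlen[0]` is never assigned in these hunks, so the walk over `zz_ext[0]` relies on the item being zero-initialised by its allocation in zzip_mem_entry_new (not visible here) — worth a sentence in the same comment. Because `struct _zzip_mem_entry` is in a public header, appending the member changes its size; that is harmless for code that only receives the pointer from the library, but it is worth confirming that nothing outside it allocates the struct before this ships as a stable update.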
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 * that exists in the other, ... but we will prefer the disk entry.
 */
 item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
 item->zz_data = zzip_file_header_to_data(header);
 item->zz_flags = zzip_disk_entry_get_flags(entry);
 item->zz_compr = zzip_disk_entry_get_compr(entry);
@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 int /* */ ext2 = zzip_file_header_get_extras(header);
 char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- if (ext1)
+ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
 {
 void *mem = malloc(ext1 + 2);
 item->zz_ext[1] = mem;
@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
 ((char *) (mem))[ext1 + 0] = 0;
 ((char *) (mem))[ext1 + 1] = 0;
 }
- if (ext2)
+ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
 {
 void *mem = malloc(ext2 + 2);
 item->zz_ext[2] = mem;
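Review bot: The `?: strdup("")` fallback on the `item->zz_name` line turns an entry whose name could not be read — which is what a NULL from zzip_disk_entry_strdup_name signals — into an entry with an empty name instead of a rejected one, so a corrupt central directory quietly yields nameless items, and `strdup("")` can itself return NULL under allocation failure, leaving exactly the NULL the change tries to avoid. It is also a GNU C extension that the surrounding code does not otherwise appear to use. The safer shape is an explicit check after the call, `if (!item->zz_name) { free(item->zz_comment); free(item); return 0; }`, matching the `if (!header)` rejection added to this function by the second patch above. zzip_mem_entry_new starts and ends outside the hunk.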
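Review bot: `(ptr1 + ext1) < disk->endbuf` in the second hunk (and the matching `ptr2`/`ext2` test in the third) forms a pointer `ext1` bytes past `ptr1` before checking it, so a crafted extras length makes the addition itself out of bounds and, on a 32-bit build, able to wrap below `endbuf` and pass; comparing lengths avoids constructing the pointer: `if (ext1 > 0 && ext1 < disk->endbuf - ptr1)`. The `<` also rejects an extra field that ends exactly at `endbuf`; if `endbuf` is one past the last byte, as the `file_header >= disk->endbuf` test in mmapped.c suggests, `<=` is the exact bound. Neither hunk checks that `ptr1`/`ptr2` is at or above `disk->buffer`; whether the `*_to_extras` helpers guarantee that is outside what is shown.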
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
 return 0;
 /* we read out chunks of 8 KiB in the hope to match disk granularity */
 ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
 if (! entry)
 return 0;
 ___ unsigned char *buffer = malloc(pagesize);
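Review bot: The switch from `malloc` to `calloc` on the `entry` line carries no comment, so the next reader sees a zeroing allocation for a struct that is about to be filled in and may revert it to save the memset. The reason — presumably that the `goto error` path later in zzip_entry_findfirst releases or inspects members that have not been assigned yet when an early step fails — is not visible in this hunk and deserves stating, e.g. `/* calloc: the error path below frees members that may not have been set yet */`; if that is not the reason, the comment should say what is. The function continues outside the hunk.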
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
 } else continue;
- assert(0 <= root && root < mapsize);
+ if (root < 0 || root >= mapsize)
+ goto error;
 if (fseeko(disk, root, SEEK_SET) == -1)
 goto error;
 if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
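Review bot: The replacement `if (root < 0 || root >= mapsize) goto error;` bounds only the first byte of the central directory, whereas the `fread` two lines below reads `sizeof(*disk_(entry))` bytes starting at `root`; if that fread's return value is compared against the full size (its condition continues outside the hunk) a truncated tail is caught there, otherwise the check should be `root < 0 || root > mapsize - (zzip_off_t) sizeof(*disk_(entry))`. Converting the `assert` into an error return is the right call for a library parsing untrusted archives, and a one-line comment would keep someone from turning it back: `/* an out-of-range root is a corrupt archive, not a bug: never assert on file contents */`.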
Index: zziplib-0.13.62/bins/unzzipcat.c
===================================================================
--- zziplib-0.13.62.orig/bins/unzzipcat.c
+++ zziplib-0.13.62/bins/unzzipcat.c
@@ -91,8 +91,11 @@ main (int argc, char ** argv)
 for (; entry ; entry = zzip_disk_findnext(disk, entry))
 {
 char* name = zzip_disk_entry_strdup_name (disk, entry);
- printf ("%s\n", name);
- free (name);
+ if (name)
+ {
+ printf ("%s\n", name);
+ free (name);
+ }
 }
 return 0;
 }
@@ -112,10 +115,13 @@ main (int argc, char ** argv)
 for (; entry ; entry = zzip_disk_findnext(disk, entry))
 {
 char* name = zzip_disk_entry_strdup_name (disk, entry);
- if (! fnmatch (argv[argn], name,
- FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD))
- zzip_disk_cat_file (disk, name, stdout);
- free (name);
+ if (name)
+ {
+ if (! fnmatch (argv[argn], name,
+ FNM_NOESCAPE|FNM_PATHNAME|FNM_PERIOD))
+ zzip_disk_cat_file (disk, name, stdout);
+ free (name);
+ }
 }
 }
 return 0;
Index: zziplib-0.13.62/zzip/fseeko.c
===================================================================
--- zziplib-0.13.62.orig/zzip/fseeko.c
+++ zziplib-0.13.62/zzip/fseeko.c
@@ -300,7 +300,8 @@ zzip_entry_findfirst(FILE * disk)
 * central directory was written directly before : */
 root = mapoffs - rootsize;
 }
- } else if (zzip_disk64_trailer_check_magic(p))
+ } else if ((p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize)
+ && zzip_disk64_trailer_check_magic(p))
 {
 struct zzip_disk64_trailer *trailer =
 (struct zzip_disk64_trailer *) p;
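Review bot: Wrapping the `printf`/`free` in `if (name)` makes an entry whose name cannot be read vanish from the listing without any diagnostic, and the second unzzipcat.c hunk does the same for extraction, so a truncated or crafted archive lists and extracts fewer entries than it contains and the user cannot tell. An `else` branch such as `fprintf (stderr, "unzzipcat: skipping entry with unreadable name\n");` keeps the fix while making the skip visible; the same line fits the second hunk. `main` starts and ends outside these hunks.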
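Review bot: The new `(p + sizeof(struct zzip_disk64_trailer)) <= (buffer + mapsize)` test in the fseeko.c hunk forms the end pointer before checking it; as long as `p` is inside `buffer` and `mapsize` does not exceed the allocation that is benign, but the length form `(buffer + mapsize) - p >= (ptrdiff_t) sizeof(struct zzip_disk64_trailer)` never builds a pointer past the object and reads as the bound it is meant to be. Whether the 32-bit trailer branch that precedes this `else if` received the same treatment is not visible in the hunk; if not, it needs it for the same reason. zzip_entry_findfirst continues outside the hunk.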