Source: zlib Followup-For: Bug #1054290 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
After reading the minizip/zip.c code[1], I think that the vulnerable function is exposed for external linkage by any of the 'zipOpenNewFile*' functions. Given that, I code-searched[2] for 'zipOpenNewFile' and collected the resulting 'packages.txt' file list provided under the dropdown menu. To retrieve the corresponding source packages _for trixie_ I used the command: $ cat packages.txt | while read line; do apt source $line; done; ...and then, to search for possible callsites and report their filenames and line numbers: $ find . -type f -name '*.c*' -exec grep -Hn zipOpenNewFile {} \; | grep -vw "minizip/minizip.c" | grep -vw "minizip/zip.c" (note that this also filters out the vendored copies of the minizip sources themselves, because otherwise those would pollute the search results). I then manually removed 'chromium' from the results because that codebase already has the patch applied[3] (taken from upstream, I believe). Finally I manually removed a number of matches that are not actual callsites: error message text, #defines, local variables and, in the case of Mono, some external dynamic library references. It appears to me that 34 packages in Trixie may be affected, with a total of 59 lines of callsites to 'zipOpenNewFile' functions. Note that this is a textual match only: several of the listed paths are inside a package's own bundled copy of minizip rather than a build against the system library, so whether a given package is actually affected, and where the fix has to be applied, still needs to be confirmed per package. Please find my assessment attached as 'trixie-callsites.txt'. [1] - https://sources.debian.org/src/zlib/1%3A1.2.13.dfsg-1/contrib/minizip/zip.c/ [2] - https://codesearch.debian.net/search?q=zipOpenNewFile&perpkg=1 [3] - https://sources.debian.org/src/chromium/118.0.5993.70-1/third_party/zlib/contrib/minizip/zip.c/?hl=1327#L1086-L1095
chessx-1.4.6/src/quazip/quazipfile.cpp:366: p->setZipError(zipOpenNewFileInZip3(p->zip->getZipFile(), c-munipack-2.1.36/muniwin/src/senddumpfiles.cpp:95: err = zipOpenNewFileInZip3(zf,lpath,&zi, collada-dom-2.5.0+ds1/dom/src/modules/LIBXMLPlugin/daeLIBXMLPlugin.cpp:484: err = zipOpenNewFileInZip3_64(zfh.zf,savefilenameinzip.c_str(),&zi,NULL,0,NULL,0,"collada file generated by collada-dom",Z_DEFLATED, opt_compress_level,0,-MAX_WBITS, DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY,password,crcFile, zip64); collada-dom-2.5.0+ds1/dom/src/modules/LIBXMLPlugin/daeLIBXMLPlugin.cpp:511: err = zipOpenNewFileInZip3_64(zfh.zf,"manifest.xml",&zi,NULL,0,NULL,0,NULL,Z_DEFLATED, opt_compress_level,0,-MAX_WBITS, DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY,password,crcFile, zip64); deepin-log-viewer-5.9.7+ds1/3rdparty/DocxFactory/src/zip/ZipFile.cpp:123: l_err = zipOpenNewFileInZip( deepin-log-viewer-5.9.7+ds1/3rdparty/DocxFactory/src/zip/ZipFile.cpp:161: int l_err = zipOpenNewFileInZip2( deepin-log-viewer-5.9.7+ds1/3rdparty/DocxFactory/src/zip/ZipFile.cpp:222: l_err = zipOpenNewFileInZip( dosbox-x-2023.09.01+dfsg/.pc/system-minizip.patch/src/misc/savestates.cpp:1041: err = zipOpenNewFileInZip3_64(zf,savefilenameinzip,&zi, dosbox-x-2023.09.01+dfsg/src/misc/savestates.cpp:1041: err = zipOpenNewFileInZip3_64(zf,savefilenameinzip,&zi, fritzing-0.9.6+dfsg/src/lib/quazip/quazipfile.cpp:232: setZipError(zipOpenNewFileInZip3(zip->getZipFile(), gdal-3.7.2+dfsg/port/cpl_minizip_zip.cpp:2209: const int nErr = cpl_zipOpenNewFileInZip3( gmsh-4.8.4+ds2/contrib/zipper/zipper.cpp:77: int err = zipOpenNewFileInZip( zipFile_, filename, &zi, godot-3.5.2-stable/editor/editor_export.cpp:397: zipOpenNewFileInZip(zip, godot-3.5.2-stable/platform/android/export/export_plugin.cpp:3252: zipOpenNewFileInZip(unaligned_apk, godot-3.5.2-stable/platform/android/export/export_plugin.cpp:3308: zipOpenNewFileInZip(unaligned_apk, godot-3.5.2-stable/platform/android/export/export_plugin.cpp:3386: zipOpenNewFileInZip2(final_apk, 
godot-3.5.2-stable/platform/android/export/export_plugin.cpp:651: zipOpenNewFileInZip(ed->apk, godot-3.5.2-stable/platform/javascript/api/javascript_tools_editor_plugin.cpp:128: zipOpenNewFileInZip(p_zip, godot-3.5.2-stable/platform/javascript/api/javascript_tools_editor_plugin.cpp:99: zipOpenNewFileInZip(p_zip, godot-3.5.2-stable/platform/osx/export/export.cpp:1348: zipOpenNewFileInZip4(p_zip, godot-3.5.2-stable/platform/osx/export/export.cpp:1393: zipOpenNewFileInZip4(p_zip, gpsbabel-1.8.0+ds/src/core/ziparchive.cc:65: int err = zipOpenNewFileInZip64(zipfile_, CSTR(item_to_add), &zi, httrack-3.49.4/src/htscache.c:341: if ((zErr = zipOpenNewFileInZip((zipFile) cache->zipOutput, filename, &fi, httrack-3.49.4/src/htszlib.c:128: if (zipOpenNewFileInZip(zFileOut, filename, &fi, NULL, 0, NULL, 0, NULL, /* comment */ httrack-3.49.4/src/proxy/store.c:1298: if ((zErr = zipOpenNewFileInZip(zFileOut, url, &fi, keepassxc-2.7.4+dfsg.1/src/keeshare/ShareExport.cpp:118: zipOpenNewFileInZip64(zf, libkml-1.3.0/src/kml/base/zip_file.cc:234: zipOpenNewFileInZip(zipfile, path_in_zip.c_str(), 0, 0, 0, 0, 0, 0, libkml-1.3.0/tests/kml/base/zip_file_test.cc:303: zipOpenNewFileInZip(zipfile, "doc.kml", 0, 0, 0, 0, 0, 0, libsbml-5.19.7+dfsg/src/sbml/compress/zipfstream.cpp:547: err = zipOpenNewFileInZip(zf,filenameinzip,&zi, libxlsxwriter-1.1.5/src/packager.c:1701: error = zipOpenNewFileInZip4_64(self->zipfile, libxlsxwriter-1.1.5/src/packager.c:1755: error = zipOpenNewFileInZip4_64(self->zipfile, magics++-4.14.2/src/drivers/GeoJsonDriver.cc:154: err = zipOpenNewFileInZip(zf, filename, 0, 0, 0, 0, 0, 0, Z_DEFLATED, Z_DEFAULT_COMPRESSION); magics++-4.14.2/src/drivers/KMLDriver.cc:216: err = zipOpenNewFileInZip(zf, filename, 0, 0, 0, 0, 0, 0, Z_DEFLATED, Z_DEFAULT_COMPRESSION); mariadb-10.11.4/storage/connect/filamzip.cpp:423: int err = zipOpenNewFileInZip(zipfile, target, &zi, metview-5.20.0/metview/src/KML/GeoToKML.cc:254: err = zipOpenNewFileInZip(zf,filename, 0, 0, 0, 0, 0, 0, 
Z_DEFLATED, Z_DEFAULT_COMPRESSION); mgba-0.10.2+dfsg/src/util/vfs/vfs-zip.c:715: if (zipOpenNewFileInZip(vdz->z, path, NULL, NULL, 0, NULL, 0, NULL, Z_DEFLATED, 3) < 0) { mono-6.8.0.105+dfsg/mcs/class/WindowsBase/ZipSharp/NativeZip.cs:71: return zipOpenNewFileInZip_64 (handle, filename, ref fileInfo, IntPtr.Zero, 0, IntPtr.Zero, 0, "", method, compressionLevel); mupen64plus-core-2.5.9+341+gf82b37bf/src/main/savestates.c:2095: retval = zipOpenNewFileInZip(zipfile, namefrompath(filepath), NULL, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION); nodejs-18.13.0+dfsg1/deps/v8/third_party/zlib/google/zip_internal.cc:363: const int err = zipOpenNewFileInZip4_64( nodejs-18.13.0+dfsg1/deps/zlib/google/zip_internal.cc:363: const int err = zipOpenNewFileInZip4_64( orthanc-1.12.1+dfsg/OrthancFramework/Sources/Compression/ZipWriter.cpp:616: result = zipOpenNewFileInZip64(pimpl_->file_, path, orthanc-1.12.1+dfsg/OrthancFramework/Sources/Compression/ZipWriter.cpp:626: result = zipOpenNewFileInZip(pimpl_->file_, path, qt6-webengine-6.4.2-final+dfsg/src/3rdparty/chromium/third_party/zlib/google/zip_internal.cc:363: const int err = zipOpenNewFileInZip4_64( qtwebengine-opensource-src-5.15.15+dfsg/src/3rdparty/chromium/third_party/zlib/google/zip_internal.cc:363: const int err = zipOpenNewFileInZip4_64( rbdoom3bfg-1.4.0+dfsg/neo/framework/Zip.cpp:354: int errcode = zipOpenNewFileInZip3( zf, filenameInZip, &zi, NULL, 0, NULL, 0, NULL /* comment*/, rbdoom3bfg-1.4.0+dfsg/neo/framework/Zip.cpp:487: int errcode = zipOpenNewFileInZip3( zf, src->GetName(), &zi, NULL, 0, NULL, 0, NULL /* comment*/, rbdoom3bfg-1.4.0+dfsg/neo/framework/Zip.cpp:590: int errcode = zipOpenNewFileInZip3( zf, src->GetName(), &zi, NULL, 0, NULL, 0, NULL /* comment*/, sigil-2.0.1+dfsg1/src/Exporters/ExportEPUB.cpp:148: if (zipOpenNewFileInZip64(zfile, "mimetype", &fileInfo, NULL, 0, NULL, 0, NULL, Z_NO_COMPRESSION, 0, 0) != ZIP_OK) { sigil-2.0.1+dfsg1/src/Exporters/ExportEPUB.cpp:206: if 
(zipOpenNewFileInZip4_64(zfile, relpath.toUtf8().constData(), &fileInfo, NULL, 0, NULL, 0, NULL, Z_DEFLATED, 8, 0, 15, 8, Z_DEFAULT_STRATEGY, NULL, 0, 0x0b00, 1<<11, 0) != ZIP_OK) { swi-prolog-9.0.4+dfsg/src/pl-zip.c:1421: rc = zipOpenNewFileInZip4_64(z->writer, name, swi-prolog-9.0.4+dfsg/src/pl-zip.c:930: rc = zipOpenNewFileInZip4_64(z->writer, fname, tea-62.0.2/quazipfile.cpp:342: p->setZipError(zipOpenNewFileInZip3_64(p->zip->getZipFile(), vcmi-1.1.0+dfsg/lib/filesystem/CZipSaver.cpp:37: int status = zipOpenNewFileInZip4_64( widelands-1.1/src/io/filesystem/zip_filesystem.cc:372: switch (zipOpenNewFileInZip3(zip_file_->write_handle(), complete_filename.c_str(), &zi, nullptr, widelands-1.1/src/io/filesystem/zip_filesystem.cc:457: switch (zipOpenNewFileInZip3(zip_file_->write_handle(), complete_filename.c_str(), &zi, nullptr, widelands-1.1/src/io/filesystem/zip_filesystem.cc:509: switch (zipOpenNewFileInZip3(zip_file_->write_handle(), complete_filename.c_str(), &zi, nullptr, wireshark-4.0.10/ui/qt/utils/wireshark_zip_helper.cpp:226: err = zipOpenNewFileInZip3_64(zf, fileInZip.toUtf8().constData(), &zi, wordgrinder-0.8/src/c/zip.c:163: int i = zipOpenNewFileInZip(zf, key, NULL, xiphos-4.2.1+dfsg1/src/gtk/utilities.c:1432: ret = zipOpenNewFileInZip(zip, name, &zi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_BEST_SPEED);