-rw-r--r--gnu/local.mk8
-rw-r--r--gnu/packages/compression.scm15
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5974.patch28
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5975.patch32
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5976.patch61
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5978.patch37
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5979.patch19
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5981.patch19
8 files changed, 7 insertions, 212 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index d262938103..aaa48ab934 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1180,13 +1180,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
-  %D%/packages/patches/zathura-plugindir-environment-variable.patch	\
-  %D%/packages/patches/zziplib-CVE-2017-5974.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5975.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5976.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5978.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5979.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5981.patch
+  %D%/packages/patches/zathura-plugindir-environment-variable.patch
 
 MISC_DISTRO_FILES =				\
   %D%/packages/ld-wrapper.in
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 73f3a4eab7..3a0e27945f 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1772,22 +1772,16 @@ recreates the stored directory structure by default.")
 (define-public zziplib
   (package
     (name "zziplib")
-    (version "0.13.62")
+    (version "0.13.68")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
                            version "/zziplib-"
                            version ".tar.bz2"))
-       (patches (search-patches "zziplib-CVE-2017-5974.patch"
-                                "zziplib-CVE-2017-5975.patch"
-                                "zziplib-CVE-2017-5976.patch"
-                                "zziplib-CVE-2017-5978.patch"
-                                "zziplib-CVE-2017-5979.patch"
-                                "zziplib-CVE-2017-5981.patch"))
        (sha256
         (base32
-         "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
+         "1s0wz1hf2q4qxcp4lkg4rzpbz2814xagmvlyicqdj0ww0cvxv036"))))
     (build-system gnu-build-system)
     (inputs
      `(("zlib" ,zlib)))
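Review bot: Dropping the `(patches (search-patches ...))` field is only safe if the 0.13.68 tarball already carries equivalent fixes for all six CVEs (CVE-2017-5974, -5975, -5976, -5978, -5979, -5981), and nothing visible in this hunk records that this was checked. The deleted patches touched `zzip/memdisk.c`, `zzip/memdisk.h`, `zzip/mmapped.c` and `zzip/fseeko.c`, so those are the files to compare against the new release. I would leave a trace in the origin, for example `;; The CVE-2017-59xx patches were dropped at 0.13.68; fixes verified upstream.`, once that comparison has been done. The package definition continues outside this hunk.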
@@ -1798,7 +1792,10 @@ recreates the stored directory structure by default.")
                      ("python" ,python-2)
                      ("zip" ,zip))) ; to create test files
     (arguments
-     `(#:parallel-tests? #f)) ; since test files are created on the fly
+     ;; XXX: "make check" is broken, and the alternative (test/zziptests.py)
+     ;; requires network access.  See <https://github.com/gdraheim/zziplib/issues/20>
+     ;; and <https://github.com/gdraheim/zziplib/issues/24>.
+     `(#:tests? #f))
     (home-page "http://zziplib.sourceforge.net/")
     (synopsis "Library for accessing zip files")
     (description
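Review bot: With `#:tests? #f` the build no longer exercises the zip parser at all, in the same commit that removes six security patches, so a regression in the upgraded code would not be caught at build time. The XXX comment explains the reason but gives no condition for revisiting it; I would add `;; TODO: re-enable tests once the upstream issues above are resolved.` The native inputs visible at the top of the hunk (`python-2`, and `zip` marked "to create test files") appear to serve only the test suite and are probably unused now. That list starts outside the hunk, so confirm before trimming it.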
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
deleted file mode 100644
index 9ae02103e7..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5974.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fix CVE-2017-5974:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         /* override sizes/offsets with zip64 values for largefile support */
-         zzip_extra_zip64 *block = (zzip_extra_zip64 *)
-             zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
--        if (block)
-+        if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
-         {
--            item->zz_usize = __zzip_get64(block->z_usize);
--            item->zz_csize = __zzip_get64(block->z_csize);
--            item->zz_offset = __zzip_get64(block->z_offset);
--            item->zz_diskstart = __zzip_get32(block->z_diskstart);
-+            item->zz_usize = ZZIP_GET64(block->z_usize);
-+            item->zz_csize = ZZIP_GET64(block->z_csize);
-+            item->zz_offset = ZZIP_GET64(block->z_offset);
-+            item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
-         }
-     }
-     /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
deleted file mode 100644
index fad174b056..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5975.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2017-5975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         return 0;               /* errno=ENOMEM; */
-     ___ struct zzip_file_header *header =
-         zzip_disk_entry_to_file_header(disk, entry);
-+    if (!header)
-+	{ free(item); return 0; }
-     /*  there is a number of duplicated information in the file header
-      *  or the disk entry block. Theoretically some part may be missing
-      *  that exists in the other, ... but we will prefer the disk entry.
-Index: zziplib-0.13.62/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/mmapped.c
-+++ zziplib-0.13.62/zzip/mmapped.c
-@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
-         (disk->buffer + zzip_disk_entry_fileoffset(entry));
-     if (disk->buffer > file_header || file_header >= disk->endbuf)
-         return 0;
-+    if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
-+        return 0;
-     return (struct zzip_file_header *) file_header;
- }
- 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
deleted file mode 100644
index 17fc30e302..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5976.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2017-5976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-+	    item->zz_extlen[1] = ext1 + 2;
-             memcpy(mem, ptr1, ext1);
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
-+	    item->zz_extlen[2] = ext2 + 2;
-             memcpy(mem, ptr2, ext2);
-             ((char *) (mem))[ext2 + 0] = 0;
-             ((char *) (mem))[ext2 + 1] = 0;
-@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-     while (1)
-     {
-         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
--        if (ext)
-+        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
-         {
-+	    char *endblock = (char *)ext + entry->zz_extlen[i];
-+
-             while (*(short *) (ext->z_datatype))
-             {
-                 if (datatype == zzip_extra_block_get_datatype(ext))
-@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-                 e += zzip_extra_block_headerlength;
-                 e += zzip_extra_block_get_datasize(ext);
-                 ext = (void *) e;
-+		if (e >= endblock)
-+		{
-+		    break;
-+		}
-                 ____;
-             }
-         }
-Index: zziplib-0.13.62/zzip/memdisk.h
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.h
-+++ zziplib-0.13.62/zzip/memdisk.h
-@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
-     int              zz_filetype;  /* (from "z_filetype") */
-     char*            zz_comment;   /* zero-terminated (from "comment") */
-     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
-+    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
- };                                 /* the extra blocks are NOT converted */
- 
- #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
deleted file mode 100644
index 452b14f804..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5978.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2017-5978:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-      *  that exists in the other, ... but we will prefer the disk entry.
-      */
-     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
--    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
-+    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
-     item->zz_data = zzip_file_header_to_data(header);
-     item->zz_flags = zzip_disk_entry_get_flags(entry);
-     item->zz_compr = zzip_disk_entry_get_compr(entry);
-@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         int /*            */ ext2 = zzip_file_header_get_extras(header);
-         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- 
--        if (ext1)
-+        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-         }
--        if (ext2)
-+        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
deleted file mode 100644
index b38f50b172..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5979.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5979:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
-         return 0;
-     /* we read out chunks of 8 KiB in the hope to match disk granularity */
-     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
--    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
-+    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
-     if (! entry)
-         return 0;
-     ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
deleted file mode 100644
index ed82cb3b91..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5981.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5981:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
-
-Patch copied from Debian.
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
-             } else
-                 continue;
- 
--            assert(0 <= root && root < mapsize);
-+	    if (root < 0 || root >= mapsize)
-+	        goto error;
-             if (fseeko(disk, root, SEEK_SET) == -1)
-                 goto error;
-             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)