Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/compression.scm | 15 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 | ||||
-rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 |
7 files changed, 6 insertions, 205 deletions
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 73f3a4eab7..3a0e27945f 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1772,22 +1772,16 @@ recreates the stored directory structure by default.") (define-public zziplib (package (name "zziplib") - (version "0.13.62") + (version "0.13.68") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/zziplib/zziplib13/" version "/zziplib-" version ".tar.bz2")) - (patches (search-patches "zziplib-CVE-2017-5974.patch" - "zziplib-CVE-2017-5975.patch" - "zziplib-CVE-2017-5976.patch" - "zziplib-CVE-2017-5978.patch" - "zziplib-CVE-2017-5979.patch" - "zziplib-CVE-2017-5981.patch")) (sha256 (base32 - "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51")))) + "1s0wz1hf2q4qxcp4lkg4rzpbz2814xagmvlyicqdj0ww0cvxv036")))) (build-system gnu-build-system) (inputs `(("zlib" ,zlib))) @@ -1798,7 +1792,10 @@ recreates the stored directory structure by default.") ("python" ,python-2) ("zip" ,zip))) ; to create test files (arguments - `(#:parallel-tests? #f)) ; since test files are created on the fly + ;; XXX: "make check" is broken, and the alternative (test/zziptests.py) + ;; requires network access. See <https://github.com/gdraheim/zziplib/issues/20> + ;; and <https://github.com/gdraheim/zziplib/issues/24>. + `(#:tests? #f)) (home-page "http://zziplib.sourceforge.net/") (synopsis "Library for accessing zip files") (description diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch deleted file mode 100644 index 9ae02103e7..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5974.patch +++ /dev/null 
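Review bot: The six `zziplib-CVE-2017-59xx.patch` entries are removed from `(patches (search-patches ...))` in this hunk, but nothing visible on the page records that the 0.13.68 tarball already carries those fixes. Before merging I would check the upstream changelog or source for each of CVE-2017-5974, -5975, -5976, -5978, -5979 and -5981, and state the result in the commit message so the removal is auditable later. The new `sha256` should likewise be checked against an independently obtained copy of the release tarball, since the hash is the only integrity anchor for a `mirror://sourceforge` fetch. The `zziplib` package definition continues outside this hunk.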
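Review bot: `#:tests? #f` in the second hunk disables the whole test suite in the same change that drops the downstream CVE patches, so no build-time check exercises the archive-parsing paths those patches touched. The XXX comment explains why and links the upstream issues; I would add a follow-up marker after it, e.g. `;; TODO: Re-enable the tests once the upstream issues above are resolved.` The `("zip" ,zip)` native input just above is still annotated `; to create test files`, so it looks unused now and could probably be dropped or have its comment updated. The native-inputs list begins outside this hunk, so that should be confirmed against the full definition.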
@@ -1,28 +0,0 @@
-Fix CVE-2017-5974:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- /* override sizes/offsets with zip64 values for largefile support */
- zzip_extra_zip64 *block = (zzip_extra_zip64 *)
- zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
-- if (block)
-+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
- {
-- item->zz_usize = __zzip_get64(block->z_usize);
-- item->zz_csize = __zzip_get64(block->z_csize);
-- item->zz_offset = __zzip_get64(block->z_offset);
-- item->zz_diskstart = __zzip_get32(block->z_diskstart);
-+ item->zz_usize = ZZIP_GET64(block->z_usize);
-+ item->zz_csize = ZZIP_GET64(block->z_csize);
-+ item->zz_offset = ZZIP_GET64(block->z_offset);
-+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
- }
- }
- /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
deleted file mode 100644
index fad174b056..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5975.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2017-5975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- return 0; /* errno=ENOMEM; */
- ___ struct zzip_file_header *header =
- zzip_disk_entry_to_file_header(disk, entry);
-+ if (!header)
-+ { free(item); return 0; }
- /* there is a number of duplicated information in the file header
- * or the disk entry block. Theoretically some part may be missing
- * that exists in the other, ... but we will prefer the disk entry.
-Index: zziplib-0.13.62/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/mmapped.c
-+++ zziplib-0.13.62/zzip/mmapped.c
-@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
- (disk->buffer + zzip_disk_entry_fileoffset(entry));
- if (disk->buffer > file_header || file_header >= disk->endbuf)
- return 0;
-+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
-+ return 0;
- return (struct zzip_file_header *) file_header;
- }
- 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
deleted file mode 100644
index 17fc30e302..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5976.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2017-5976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- {
- void *mem = malloc(ext1 + 2);
- item->zz_ext[1] = mem;
-+ item->zz_extlen[1] = ext1 + 2;
- memcpy(mem, ptr1, ext1);
- ((char *) (mem))[ext1 + 0] = 0;
- ((char *) (mem))[ext1 + 1] = 0;
-@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- {
- void *mem = malloc(ext2 + 2);
- item->zz_ext[2] = mem;
-+ item->zz_extlen[2] = ext2 + 2;
- memcpy(mem, ptr2, ext2);
- ((char *) (mem))[ext2 + 0] = 0;
- ((char *) (mem))[ext2 + 1] = 0;
-@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
- while (1)
- {
- ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
-- if (ext)
-+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
- {
-+ char *endblock = (char *)ext + entry->zz_extlen[i];
-+
- while (*(short *) (ext->z_datatype))
- {
- if (datatype == zzip_extra_block_get_datatype(ext))
-@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
- e += zzip_extra_block_headerlength;
- e += zzip_extra_block_get_datasize(ext);
- ext = (void *) e;
-+ if (e >= endblock)
-+ {
-+ break;
-+ }
- ____;
- }
- }
-Index: zziplib-0.13.62/zzip/memdisk.h
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.h
-+++ zziplib-0.13.62/zzip/memdisk.h
-@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
- int zz_filetype; /* (from "z_filetype") */
- char* zz_comment; /* zero-terminated (from "comment") */
- ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
-+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
- }; /* the extra blocks are NOT converted */
- 
- #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
deleted file mode 100644
index 452b14f804..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5978.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2017-5978:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- * that exists in the other, ... but we will prefer the disk entry.
- */
- item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
-- item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
-+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
- item->zz_data = zzip_file_header_to_data(header);
- item->zz_flags = zzip_disk_entry_get_flags(entry);
- item->zz_compr = zzip_disk_entry_get_compr(entry);
-@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- int /* */ ext2 = zzip_file_header_get_extras(header);
- char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- 
-- if (ext1)
-+ if (ext1 && ((ptr1 + ext1) < disk->endbuf))
- {
- void *mem = malloc(ext1 + 2);
- item->zz_ext[1] = mem;
-@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
- ((char *) (mem))[ext1 + 0] = 0;
- ((char *) (mem))[ext1 + 1] = 0;
- }
-- if (ext2)
-+ if (ext2 && ((ptr2 + ext2) < disk->endbuf))
- {
- void *mem = malloc(ext2 + 2);
- item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
deleted file mode 100644
index b38f50b172..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5979.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5979:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
- return 0;
- /* we read out chunks of 8 KiB in the hope to match disk granularity */
- ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
-- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
-+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
- if (! entry)
- return 0;
- ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
deleted file mode 100644
index ed82cb3b91..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5981.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5981:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
-
-Patch copied from Debian.
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
- } else
- continue;
- 
-- assert(0 <= root && root < mapsize);
-+ if (root < 0 || root >= mapsize)
-+ goto error;
- if (fseeko(disk, root, SEEK_SET) == -1)
- goto error;
- if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk) |