11 files changed, 84 insertions, 1 deletions

diff --git a/REUSE.toml b/REUSE.toml
index dafc565..7913335 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -65,6 +65,14 @@ path = [ 'bugs/cve/2016/8691/11.crash',
          'bugs/cve/2017/7599/outside-short.tiff',
          'bugs/cve/2017/7600/outside-unsigned-char.tiff',
          'bugs/cve/2017/7601/shift-long.tiff',
+         'bugs/cve/2017/5974/heap-overflow.zip',
+         'bugs/cve/2017/5975/heap-overflow.zip',
+         'bugs/cve/2017/5976/heap-overflow.zip',
+         'bugs/cve/2017/5977/invalid-read.zip',
+         'bugs/cve/2017/5978/oob-read.zip',
+         'bugs/cve/2017/5979/null-deref.zip',
+         'bugs/cve/2017/5980/null-deref.zip',
+         'bugs/cve/2017/5981/fail-assert.zip',
          'bugs/cve/2017/14939/heapoverflow',
          'bugs/cve/2017/14940/nullderef',
          'bugs/cve/2017/15020/reproducer',
diff --git a/bugs/README.md b/bugs/README.md
index e2adcab..7da7b20 100644
--- a/bugs/README.md
+++ b/bugs/README.md
@@ -283,6 +283,56 @@
       potrace cve/2013/7437/1.bmp
       potrace cve/2013/7437/2.bmp
 
+## ZZIPlib
+
+- CVE-2017-5974: [heap buffer overflow][ago-2017-5974]
+
+      guix shell zziplib-with-asan@0.13.62
+      unzzipcat-mem cve/2017/5974/heap-overflow.zip
+
+- CVE-2017-5975: [heap buffer overflow][ago-2017-5975]
+
+      guix shell zziplib-with-asan@0.13.62
+      unzzipcat-mem cve/2017/5975/heap-overflow.zip
+
+- CVE-2017-5976: [heap buffer overflow][ago-2017-5976]
+
+      guix shell zziplib-with-asan@0.13.62
+      unzzipcat-mem cve/2017/5976/heap-overflow.zip
+
+- CVE-2017-5977: [invalid memory read][ago-2017-5977]
+
+      guix shell zziplib-with-asan@0.13.62
+      unzzipcat-mem cve/2017/5977/invalid-read.zip
+
+- CVE-2017-5978: [out-of-bound read][ago-2017-5978]
+
+      guix shell zziplib@0.13.62
+      unzzipcat-mem cve/2017/5978/oob-read.zip
+
+- CVE-2017-5979: [null pointer derefence][ago-2017-5979]
+
+      guix shell zziplib-with-asan@0.13.62
+      unzzipcat-seeko cve/2017/5979/null-deref.zip
+
+- CVE-2017-5980: [null pointer derefence][ago-2017-5980]
+
+      guix shell zziplib@0.13.62
+      unzzipcat-mem cve/2017/5980/null-deref.zip
+
+- CVE-2017-5981: [null pointer derefence][ago-2017-5981]
+
+      guix shell zziplib@0.13.62
+      unzzipcat-seeko cve/2017/5981/fail-assert.zip
+
+[ago-2017-5974]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c
+[ago-2017-5975]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c
+[ago-2017-5976]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c
+[ago-2017-5977]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c
+[ago-2017-5978]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c
+[ago-2017-5979]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c
+[ago-2017-5980]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c
+[ago-2017-5981]: https://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c
 [chromium-40058947]: https://issues.chromium.org/issues/40058947
 [chromium-40076524]: https://issues.chromium.org/issues/40076524
 [chromium-42452152]: https://project-zero.issues.chromium.org/issues/42452152
diff --git a/bugs/cve/2017/5974/heap-overflow.zip b/bugs/cve/2017/5974/heap-overflow.zip
new file mode 100644
index 0000000..d55ee15
--- /dev/null
+++ b/bugs/cve/2017/5974/heap-overflow.zip
Binary files differdiff --git a/bugs/cve/2017/5975/heap-overflow.zip b/bugs/cve/2017/5975/heap-overflow.zip
new file mode 100644
index 0000000..1d641dd
--- /dev/null
+++ b/bugs/cve/2017/5975/heap-overflow.zip
Binary files differdiff --git a/bugs/cve/2017/5976/heap-overflow.zip b/bugs/cve/2017/5976/heap-overflow.zip
new file mode 100644
index 0000000..cbb3899
--- /dev/null
+++ b/bugs/cve/2017/5976/heap-overflow.zip
Binary files differdiff --git a/bugs/cve/2017/5977/invalid-read.zip b/bugs/cve/2017/5977/invalid-read.zip
new file mode 100644
index 0000000..803ddac
--- /dev/null
+++ b/bugs/cve/2017/5977/invalid-read.zip
Binary files differdiff --git a/bugs/cve/2017/5978/oob-read.zip b/bugs/cve/2017/5978/oob-read.zip
new file mode 100644
index 0000000..79a1ca2
--- /dev/null
+++ b/bugs/cve/2017/5978/oob-read.zip
Binary files differdiff --git a/bugs/cve/2017/5979/null-deref.zip b/bugs/cve/2017/5979/null-deref.zip
new file mode 100644
index 0000000..41b4ba4
--- /dev/null
+++ b/bugs/cve/2017/5979/null-deref.zip
Binary files differdiff --git a/bugs/cve/2017/5980/null-deref.zip b/bugs/cve/2017/5980/null-deref.zip
new file mode 100644
index 0000000..1b8d2ab
--- /dev/null
+++ b/bugs/cve/2017/5980/null-deref.zip
Binary files differdiff --git a/bugs/cve/2017/5981/fail-assert.zip b/bugs/cve/2017/5981/fail-assert.zip
new file mode 100644
index 0000000..e2e26c6
--- /dev/null
+++ b/bugs/cve/2017/5981/fail-assert.zip
Binary files differdiff --git a/loftix/bugs.scm b/loftix/bugs.scm
index 413e1ee..f46ecfd 100644
--- a/loftix/bugs.scm
+++ b/loftix/bugs.scm
@@ -2,11 +2,12 @@
 ;;;
 ;;; SPDX-FileCopyrightText: 2012, 2014-2015 Ludovic Courtès
 ;;; SPDX-FileCopyrightText: 2013 Andreas Enge
+;;; SPDX-FileCopyrightText: 2013 John Darrington
 ;;; SPDX-FileCopyrightText: 2014 Eric Bavier
 ;;; SPDX-FileCopyrightText: 2014-2015 David Thompson
 ;;; SPDX-FileCopyrightText: 2016 Efraim Flashner
 ;;; SPDX-FileCopyrightText: 2016 Tobias Geerinckx-Rice
-;;; SPDX-FileCopyrightText: 2017, 2019 Marius Bakke
+;;; SPDX-FileCopyrightText: 2017-2019 Marius Bakke
 ;;; SPDX-FileCopyrightText: 2024-2025 Nguyễn Gia Phong
 ;;; SPDX-License-Identifier: GPL-3.0-or-later
 
@@ -16,10 +17,13 @@
   #:use-module (gnu packages backup)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages compression)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages image)
+  #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages swig)
   #:use-module (gnu packages xml)
   #:use-module (guix build-system)
@@ -509,3 +513,24 @@ It can be used from PHP, Perl, Ruby, Python, C, C++ and Java.")
     ;; Tests are failing on newer Ghostscript versions
     (native-inputs '())
     (arguments '(#:tests? #f))))
+
+(define-public zziplib-0.13.62
+  (package
+    (inherit zziplib)
+    (name "zziplib")
+    (version "0.13.62")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
+                           version "/zziplib-" version ".tar.bz2"))
+       (sha256
+        (base32 "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
+    (build-system gnu-build-system)
+    (inputs (list zlib))
+    (native-inputs (list perl pkg-config python-2.7 zip))
+    ;; Since test files are created on the fly
+    (arguments '(#:parallel-tests? #f))))
+
+(define-public zziplib-with-asan-0.13.62 (with-asan zziplib-0.13.62))
+(define-public zziplib-static-0.13.62 (static zziplib-0.13.62))