From f8c7076c3d569f540157bf6275f8254060b99ecd Mon Sep 17 00:00:00 2001 From: mobinmob Date: Tue, 14 Apr 2020 20:17:41 +0300 Subject: [PATCH] zziplib: update to 0.13.70. --- .../zziplib/patches/0001-CVE-2018-17828.patch | 91 --------- srcpkgs/zziplib/patches/CVE-2018-16548.patch | 172 ------------------ srcpkgs/zziplib/template | 20 +- 3 files changed, 11 insertions(+), 272 deletions(-) delete mode 100644 srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch delete mode 100644 srcpkgs/zziplib/patches/CVE-2018-16548.patch diff --git a/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch b/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch deleted file mode 100644 index 24ed5125d3a..00000000000 --- a/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 535fa8d4deedc1da59884ce4f2fcc6528bf07251 Mon Sep 17 00:00:00 2001 -From: Nathan Owens -Date: Sat, 12 Jan 2019 22:29:49 -0600 -Subject: [PATCH] CVE-2018-17828 - ---- - bins/unzzipcat-big.c | 57 ++++++++++++++++++++++++++++++++++++++++++- - test/test.zip | Bin 1361 -> 0 bytes - 2 files changed, 56 insertions(+), 1 deletion(-) - delete mode 100644 test/test.zip - -diff --git bins/unzzipcat-big.c bins/unzzipcat-big.c -index 982d262..88c4d65 100644 ---- bins/unzzipcat-big.c -+++ bins/unzzipcat-big.c -@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out) - } - } - -+/* -+ * NAME: remove_dotdotslash -+ * PURPOSE: To remove any "../" components from the given pathname -+ * ARGUMENTS: path: path name with maybe "../" components -+ * RETURNS: Nothing, "path" is modified in-place -+ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it! -+ * Also, "path" is not used after creating it. -+ * So modifying "path" in-place is safe to do. -+ */ -+static inline void -+remove_dotdotslash(char *path) -+{ -+ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */ -+ char *dotdotslash; -+ int warned = 0; -+ -+ dotdotslash = path; -+ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL) -+ { -+ /* -+ * Remove only if at the beginning of the pathname ("../path/name") -+ * or when preceded by a slash ("path/../name"), -+ * otherwise not ("path../name..")! -+ */ -+ if (dotdotslash == path || dotdotslash[-1] == '/') -+ { -+ char *src, *dst; -+ if (!warned) -+ { -+ /* Note: the first time through the pathname is still intact */ -+ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path); -+ warned = 1; -+ } -+ /* We cannot use strcpy(), as there "The strings may not overlap" */ -+ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++) -+ ; -+ } -+ else -+ dotdotslash +=3; /* skip this instance to prevent infinite loop */ -+ } -+} -+ - static void makedirs(const char* name) - { - char* p = strrchr(name, '/'); -@@ -70,6 +112,16 @@ static void makedirs(const char* name) - - static FILE* create_fopen(char* name, char* mode, int subdirs) - { -+ char *name_stripped; -+ FILE *fp; -+ int mustfree = 0; -+ -+ if ((name_stripped = strdup(name)) != NULL) -+ { -+ remove_dotdotslash(name_stripped); -+ name = name_stripped; -+ mustfree = 1; -+ } - if (subdirs) - { - char* p = strrchr(name, '/'); -@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs) - free (dir_name); - } - } -- return fopen(name, mode); -+ fp = fopen(name, mode); -+ if (mustfree) -+ free(name_stripped); -+ return fp; - } diff --git a/srcpkgs/zziplib/patches/CVE-2018-16548.patch b/srcpkgs/zziplib/patches/CVE-2018-16548.patch deleted file mode 100644 index 2bdca93ae00..00000000000 --- a/srcpkgs/zziplib/patches/CVE-2018-16548.patch +++ /dev/null @@ -1,172 +0,0 @@ -From 59c36ebe29fddd832c7afecc26dc5fe3e61faf1f Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 13:55:35 +0200 -Subject: [PATCH 1/3] One more free() to avoid memory leak. - ---- - zzip/zip.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git zzip/zip.c zzip/zip.c -index 14e2e06..a28456f 100644 ---- zzip/zip.c -+++ zzip/zip.c -@@ -575,6 +575,8 @@ __zzip_parse_root_directory(int fd, - if (hdr_return) - *hdr_return = hdr0; - } /* else zero (sane) entries */ -+ else -+ free(hdr0); - # ifndef ZZIP_ALLOW_MODULO_ENTRIES - return (entries != zz_entries ? ZZIP_CORRUPTED : 0); - # else --- -2.20.1 - - -From 490d6e72031790da0a4d229d13f7d5a389789977 Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 11:49:28 +0200 -Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory(). - ---- - zzip/zip.c | 28 ++++++++++++++++++++-------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git zzip/zip.c zzip/zip.c -index a28456f..51a1a4d 100644 ---- zzip/zip.c -+++ zzip/zip.c -@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize, - int __zzip_parse_root_directory(int fd, - struct _disk_trailer *trailer, - struct zzip_dir_hdr **hdr_return, -- zzip_plugin_io_t io); -+ zzip_plugin_io_t io, -+ zzip_off_t filesize); - - _zzip_inline static char *__zzip_aligned4(char *p); - -@@ -406,7 +407,8 @@ int - __zzip_parse_root_directory(int fd, - struct _disk_trailer *trailer, - struct zzip_dir_hdr **hdr_return, -- zzip_plugin_io_t io) -+ zzip_plugin_io_t io, -+ zzip_off_t filesize) - { - auto struct zzip_disk_entry dirent; - struct zzip_dir_hdr *hdr; -@@ -421,7 +423,8 @@ __zzip_parse_root_directory(int fd, - zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer); - __correct_rootseek(zz_rootseek, zz_rootsize, trailer); - -- if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0) -+ if (zz_entries <= 0 || zz_rootsize < 0 || -+ zz_rootseek < 0 || zz_rootseek >= filesize) - return ZZIP_CORRUPTED; - - hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize); -@@ -472,9 +475,15 @@ __zzip_parse_root_directory(int fd, - } else - { - if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) -+ { -+ free(hdr0); - return ZZIP_DIR_SEEK; -+ } - if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) -+ { -+ free(hdr0); - return ZZIP_DIR_READ; -+ } - d = &dirent; - } - -@@ -574,13 +583,16 @@ __zzip_parse_root_directory(int fd, - - if (hdr_return) - *hdr_return = hdr0; -+ else -+ { -+ /* If it is not assigned to *hdr_return, it will never be free()'d */ -+ free(hdr0); -+ } - } /* else zero (sane) entries */ -- else -- free(hdr0); - # ifndef ZZIP_ALLOW_MODULO_ENTRIES -- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); -+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; - # else -- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); -+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; - # endif - } - -@@ -757,7 +769,7 @@ __zzip_dir_parse(ZZIP_DIR * dir) - (long) _disk_trailer_rootseek(&trailer)); - - if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0, -- dir->io)) != 0) -+ dir->io, filesize)) != 0) - { goto error; } - error: - return rv; --- -2.20.1 - - -From aab49d23bc28d13183cb62e71b884e24595cbe65 Mon Sep 17 00:00:00 2001 -From: jmoellers -Date: Fri, 7 Sep 2018 11:32:04 +0200 -Subject: [PATCH 3/3] Avoid memory leak from __zzip_parse_root_directory(). - ---- - zzip/zip.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git zzip/zip.c zzip/zip.c -index 51a1a4d..a685280 100644 ---- zzip/zip.c -+++ zzip/zip.c -@@ -587,13 +587,34 @@ __zzip_parse_root_directory(int fd, - { - /* If it is not assigned to *hdr_return, it will never be free()'d */ - free(hdr0); -+ /* Make sure we don't free it again in case of error */ -+ hdr0 = NULL; - } - } /* else zero (sane) entries */ - # ifndef ZZIP_ALLOW_MODULO_ENTRIES -- return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; -+ if (entries != zz_entries) -+ { -+ /* If it was assigned to *hdr_return, undo assignment */ -+ if (p_reclen && hdr_return) -+ *hdr_return = NULL; -+ /* Free it, if it was not already free()'d */ -+ if (hdr0 != NULL) -+ free(hdr0); -+ return ZZIP_CORRUPTED; -+ } - # else -- return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; -+ if (((entries & (unsigned)0xFFFF) != zz_entries) -+ { -+ /* If it was assigned to *hdr_return, undo assignment */ -+ if (p_reclen && hdr_return) -+ *hdr_return = NULL; -+ /* Free it, if it was not already free()'d */ -+ if (hdr0 != NULL) -+ free(hdr0); -+ return ZZIP_CORRUPTED; -+ } - # endif -+ return 0; - } - - /* ------------------------- high-level interface ------------------------- */ --- -2.20.1 - diff --git a/srcpkgs/zziplib/template b/srcpkgs/zziplib/template index c8d693a9440..2f0fe1e317d 100644 --- a/srcpkgs/zziplib/template +++ b/srcpkgs/zziplib/template @@ -1,20 +1,23 @@ # Template file for 'zziplib' pkgname=zziplib -version=0.13.69 -revision=2 -build_style=gnu-configure -hostmakedepends="pkg-config python" +version=0.13.70 +revision=1 +build_style=cmake +configure_args=" -DZZIPDOCS=OFF" +hostmakedepends="pkg-config python3 tar zip gzip" makedepends="zlib-devel" short_desc="Lightweight library to extract data from zip files" maintainer="Orphaned " license="LGPL-2.1-or-later, MPL-1.1" homepage="https://github.com/gdraheim/zziplib" distfiles="https://github.com/gdraheim/zziplib/archive/v${version}.tar.gz" -checksum=846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544 +checksum=a1457262d7a237dc50ce1f98ca57242bc714055ff81146f419ee53cdea1bf029 + +if [ "$CROSS_BUILD" ]; then + configure_args+=" -DZZIPTEST=OFF" +fi + -pre_configure() { - sed -i '/SUBDIRS/s/docs//' Makefile.in -} post_install() { sed -i "s|\(-specs=.*hardened-ld\)||g" -i ${DESTDIR}/usr/lib/pkgconfig/*.pc } @@ -25,7 +28,6 @@ zziplib-devel_package() { pkg_install() { vmove usr/include vmove usr/lib/pkgconfig - vmove "usr/lib/*.a" vmove "usr/lib/*.so" vmove usr/share }