* [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548
@ 2020-03-03 20:16 Fabrice Fontaine
2020-03-03 20:16 ` [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828 Fabrice Fontaine
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2020-03-03 20:16 UTC (permalink / raw)
To: buildroot
An issue was discovered in ZZIPlib through 0.13.69. There is a memory
leak triggered in the function __zzip_parse_root_directory in zip.c,
which will lead to a denial of service attack.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...eak-from-__zzip_parse_root_directory.patch | 74 +++++++++++++++++++
...k-from-__zzip_parse_root_directory-2.patch | 53 +++++++++++++
...3-One-more-free-to-avoid-memory-leak.patch | 25 +++++++
package/zziplib/zziplib.mk | 5 ++
4 files changed, 157 insertions(+)
create mode 100644 package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
create mode 100644 package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
create mode 100644 package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch
diff --git a/package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch b/package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
new file mode 100644
index 0000000000..1c352236ab
--- /dev/null
+++ b/package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
@@ -0,0 +1,74 @@
+From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+[Retrieved (and slightly updated to remove test.zip) from:
+https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ test/test.zip | Bin 1361 -> 1361 bytes
+ zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++--
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 88b833b..a685280 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+ } else
+ {
+ if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
++ {
++ free(hdr0);
+ return ZZIP_DIR_SEEK;
++ }
+ if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
++ {
++ free(hdr0);
+ return ZZIP_DIR_READ;
++ }
+ d = &dirent;
+ }
+
+@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd,
+
+ if (hdr_return)
+ *hdr_return = hdr0;
++ else
++ {
++ /* If it is not assigned to *hdr_return, it will never be free()'d */
++ free(hdr0);
++ /* Make sure we don't free it again in case of error */
++ hdr0 = NULL;
++ }
+ } /* else zero (sane) entries */
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
++ if (entries != zz_entries)
++ {
++ /* If it was assigned to *hdr_return, undo assignment */
++ if (p_reclen && hdr_return)
++ *hdr_return = NULL;
++ /* Free it, if it was not already free()'d */
++ if (hdr0 != NULL)
++ free(hdr0);
++ return ZZIP_CORRUPTED;
++ }
+ # else
+- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
++ if (((entries & (unsigned)0xFFFF) != zz_entries)
++ {
++ /* If it was assigned to *hdr_return, undo assignment */
++ if (p_reclen && hdr_return)
++ *hdr_return = NULL;
++ /* Free it, if it was not already free()'d */
++ if (hdr0 != NULL)
++ free(hdr0);
++ return ZZIP_CORRUPTED;
++ }
+ # endif
++ return 0;
+ }
+
+ /* ------------------------- high-level interface ------------------------- */
diff --git a/package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch b/package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
new file mode 100644
index 0000000000..b0e8858f64
--- /dev/null
+++ b/package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
@@ -0,0 +1,53 @@
+From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().
+
+[Retrieved from:
+https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ zzip/zip.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a685280..51a1a4d 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd,
+ {
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
+ free(hdr0);
+- /* Make sure we don't free it again in case of error */
+- hdr0 = NULL;
+ }
+ } /* else zero (sane) entries */
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+- if (entries != zz_entries)
+- {
+- /* If it was assigned to *hdr_return, undo assignment */
+- if (p_reclen && hdr_return)
+- *hdr_return = NULL;
+- /* Free it, if it was not already free()'d */
+- if (hdr0 != NULL)
+- free(hdr0);
+- return ZZIP_CORRUPTED;
+- }
++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # else
+- if (((entries & (unsigned)0xFFFF) != zz_entries)
+- {
+- /* If it was assigned to *hdr_return, undo assignment */
+- if (p_reclen && hdr_return)
+- *hdr_return = NULL;
+- /* Free it, if it was not already free()'d */
+- if (hdr0 != NULL)
+- free(hdr0);
+- return ZZIP_CORRUPTED;
+- }
++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # endif
+- return 0;
+ }
+
+ /* ------------------------- high-level interface ------------------------- */
diff --git a/package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch b/package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch
new file mode 100644
index 0000000000..b0506f0cf6
--- /dev/null
+++ b/package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch
@@ -0,0 +1,25 @@
+From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: [PATCH] One more free() to avoid memory leak.
+
+[Retrieved from:
+https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 51a1a4d..bc6c080 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd,
+ free(hdr0);
+ }
+ } /* else zero (sane) entries */
++ else
++ free(hdr0);
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # else
diff --git a/package/zziplib/zziplib.mk b/package/zziplib/zziplib.mk
index 90bbaf1a17..ead0158f3d 100644
--- a/package/zziplib/zziplib.mk
+++ b/package/zziplib/zziplib.mk
@@ -10,6 +10,11 @@ ZZIPLIB_LICENSE = LGPL-2.0+ or MPL-1.1
ZZIPLIB_LICENSE_FILES = docs/COPYING.LIB docs/COPYING.MPL docs/copying.htm
ZZIPLIB_INSTALL_STAGING = YES
+# 0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
+# 0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
+# 0003-One-more-free-to-avoid-memory-leak.patch
+ZZIPLIB_IGNORE_CVES += CVE-2018-16548
+
ZZIPLIB_DEPENDENCIES = host-pkgconf host-python zlib
# zziplib is not python3 friendly, so force the python interpreter
--
2.25.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828
2020-03-03 20:16 [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Fabrice Fontaine
@ 2020-03-03 20:16 ` Fabrice Fontaine
2020-03-15 10:15 ` Peter Korsgaard
2020-03-03 21:54 ` [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Thomas Petazzoni
2020-03-15 10:15 ` Peter Korsgaard
2 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2020-03-03 20:16 UTC (permalink / raw)
To: buildroot
Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
overwrite arbitrary files via a .. (dot dot) in a zip file, because of
the function unzzip_cat in the bins/unzzipcat-mem.c file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
| 344 ++++++++++++++++++
package/zziplib/zziplib.mk | 3 +
2 files changed, 347 insertions(+)
create mode 100644 package/zziplib/0004-Fix-issue-62-Remove-any-components-from-pathnames-of-extracte.patch
--git a/package/zziplib/0004-Fix-issue-62-Remove-any-components-from-pathnames-of-extracte.patch b/package/zziplib/0004-Fix-issue-62-Remove-any-components-from-pathnames-of-extracte.patch
new file mode 100644
index 0000000000..1554fff991
--- /dev/null
+++ b/package/zziplib/0004-Fix-issue-62-Remove-any-components-from-pathnames-of-extracte.patch
@@ -0,0 +1,344 @@
+From 81dfa6b3e08f6934885ba5c98939587d6850d08e Mon Sep 17 00:00:00 2001
+From: Josef Moellers <jmoellers@suse.de>
+Date: Thu, 4 Oct 2018 14:21:48 +0200
+Subject: [PATCH] Fix issue #62: Remove any "../" components from pathnames of
+ extracted files. [CVE-2018-17828]
+
+[Retrieved from:
+https://github.com/gdraheim/zziplib/commit/81dfa6b3e08f6934885ba5c98939587d6850d08e]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ bins/unzzipcat-big.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
+ bins/unzzipcat-mem.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
+ bins/unzzipcat-mix.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
+ bins/unzzipcat-zip.c | 57 +++++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 224 insertions(+), 4 deletions(-)
+
+diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c
+index 982d262..88c4d65 100644
+--- a/bins/unzzipcat-big.c
++++ b/bins/unzzipcat-big.c
+@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
+ }
+ }
+
++/*
++ * NAME: remove_dotdotslash
++ * PURPOSE: To remove any "../" components from the given pathname
++ * ARGUMENTS: path: path name with maybe "../" components
++ * RETURNS: Nothing, "path" is modified in-place
++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
++ * Also, "path" is not used after creating it.
++ * So modifying "path" in-place is safe to do.
++ */
++static inline void
++remove_dotdotslash(char *path)
++{
++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++ char *dotdotslash;
++ int warned = 0;
++
++ dotdotslash = path;
++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++ {
++ /*
++ * Remove only if at the beginning of the pathname ("../path/name")
++ * or when preceded by a slash ("path/../name"),
++ * otherwise not ("path../name..")!
++ */
++ if (dotdotslash == path || dotdotslash[-1] == '/')
++ {
++ char *src, *dst;
++ if (!warned)
++ {
++ /* Note: the first time through the pathname is still intact */
++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++ warned = 1;
++ }
++ /* We cannot use strcpy(), as there "The strings may not overlap" */
++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++ ;
++ }
++ else
++ dotdotslash +=3; /* skip this instance to prevent infinite loop */
++ }
++}
++
+ static void makedirs(const char* name)
+ {
+ char* p = strrchr(name, '/');
+@@ -70,6 +112,16 @@ static void makedirs(const char* name)
+
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
++ char *name_stripped;
++ FILE *fp;
++ int mustfree = 0;
++
++ if ((name_stripped = strdup(name)) != NULL)
++ {
++ remove_dotdotslash(name_stripped);
++ name = name_stripped;
++ mustfree = 1;
++ }
+ if (subdirs)
+ {
+ char* p = strrchr(name, '/');
+@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ free (dir_name);
+ }
+ }
+- return fopen(name, mode);
++ fp = fopen(name, mode);
++ if (mustfree)
++ free(name_stripped);
++ return fp;
+ }
+
+
+diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c
+index 9bc966b..793bde8 100644
+--- a/bins/unzzipcat-mem.c
++++ b/bins/unzzipcat-mem.c
+@@ -58,6 +58,48 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
+ }
+ }
+
++/*
++ * NAME: remove_dotdotslash
++ * PURPOSE: To remove any "../" components from the given pathname
++ * ARGUMENTS: path: path name with maybe "../" components
++ * RETURNS: Nothing, "path" is modified in-place
++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
++ * Also, "path" is not used after creating it.
++ * So modifying "path" in-place is safe to do.
++ */
++static inline void
++remove_dotdotslash(char *path)
++{
++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++ char *dotdotslash;
++ int warned = 0;
++
++ dotdotslash = path;
++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++ {
++ /*
++ * Remove only if at the beginning of the pathname ("../path/name")
++ * or when preceded by a slash ("path/../name"),
++ * otherwise not ("path../name..")!
++ */
++ if (dotdotslash == path || dotdotslash[-1] == '/')
++ {
++ char *src, *dst;
++ if (!warned)
++ {
++ /* Note: the first time through the pathname is still intact */
++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++ warned = 1;
++ }
++ /* We cannot use strcpy(), as there "The strings may not overlap" */
++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++ ;
++ }
++ else
++ dotdotslash +=3; /* skip this instance to prevent infinite loop */
++ }
++}
++
+ static void makedirs(const char* name)
+ {
+ char* p = strrchr(name, '/');
+@@ -75,6 +117,16 @@ static void makedirs(const char* name)
+
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
++ char *name_stripped;
++ FILE *fp;
++ int mustfree = 0;
++
++ if ((name_stripped = strdup(name)) != NULL)
++ {
++ remove_dotdotslash(name_stripped);
++ name = name_stripped;
++ mustfree = 1;
++ }
+ if (subdirs)
+ {
+ char* p = strrchr(name, '/');
+@@ -84,7 +136,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ free (dir_name);
+ }
+ }
+- return fopen(name, mode);
++ fp = fopen(name, mode);
++ if (mustfree)
++ free(name_stripped);
++ return fp;
+ }
+
+ static int unzzip_cat (int argc, char ** argv, int extract)
+diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c
+index 91c2f00..73b6ed6 100644
+--- a/bins/unzzipcat-mix.c
++++ b/bins/unzzipcat-mix.c
+@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
+ }
+ }
+
++/*
++ * NAME: remove_dotdotslash
++ * PURPOSE: To remove any "../" components from the given pathname
++ * ARGUMENTS: path: path name with maybe "../" components
++ * RETURNS: Nothing, "path" is modified in-place
++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
++ * Also, "path" is not used after creating it.
++ * So modifying "path" in-place is safe to do.
++ */
++static inline void
++remove_dotdotslash(char *path)
++{
++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++ char *dotdotslash;
++ int warned = 0;
++
++ dotdotslash = path;
++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++ {
++ /*
++ * Remove only if at the beginning of the pathname ("../path/name")
++ * or when preceded by a slash ("path/../name"),
++ * otherwise not ("path../name..")!
++ */
++ if (dotdotslash == path || dotdotslash[-1] == '/')
++ {
++ char *src, *dst;
++ if (!warned)
++ {
++ /* Note: the first time through the pathname is still intact */
++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++ warned = 1;
++ }
++ /* We cannot use strcpy(), as there "The strings may not overlap" */
++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++ ;
++ }
++ else
++ dotdotslash +=3; /* skip this instance to prevent infinite loop */
++ }
++}
++
+ static void makedirs(const char* name)
+ {
+ char* p = strrchr(name, '/');
+@@ -86,6 +128,16 @@ static void makedirs(const char* name)
+
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
++ char *name_stripped;
++ FILE *fp;
++ int mustfree = 0;
++
++ if ((name_stripped = strdup(name)) != NULL)
++ {
++ remove_dotdotslash(name_stripped);
++ name = name_stripped;
++ mustfree = 1;
++ }
+ if (subdirs)
+ {
+ char* p = strrchr(name, '/');
+@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ free (dir_name);
+ }
+ }
+- return fopen(name, mode);
++ fp = fopen(name, mode);
++ if (mustfree)
++ free(name_stripped);
++ return fp;
+ }
+
+ static int unzzip_cat (int argc, char ** argv, int extract)
+diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c
+index 2810f85..7f7f3fa 100644
+--- a/bins/unzzipcat-zip.c
++++ b/bins/unzzipcat-zip.c
+@@ -69,6 +69,48 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
+ }
+ }
+
++/*
++ * NAME: remove_dotdotslash
++ * PURPOSE: To remove any "../" components from the given pathname
++ * ARGUMENTS: path: path name with maybe "../" components
++ * RETURNS: Nothing, "path" is modified in-place
++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
++ * Also, "path" is not used after creating it.
++ * So modifying "path" in-place is safe to do.
++ */
++static inline void
++remove_dotdotslash(char *path)
++{
++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++ char *dotdotslash;
++ int warned = 0;
++
++ dotdotslash = path;
++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++ {
++ /*
++ * Remove only if at the beginning of the pathname ("../path/name")
++ * or when preceded by a slash ("path/../name"),
++ * otherwise not ("path../name..")!
++ */
++ if (dotdotslash == path || dotdotslash[-1] == '/')
++ {
++ char *src, *dst;
++ if (!warned)
++ {
++ /* Note: the first time through the pathname is still intact */
++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++ warned = 1;
++ }
++ /* We cannot use strcpy(), as there "The strings may not overlap" */
++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++ ;
++ }
++ else
++ dotdotslash +=3; /* skip this instance to prevent infinite loop */
++ }
++}
++
+ static void makedirs(const char* name)
+ {
+ char* p = strrchr(name, '/');
+@@ -86,6 +128,16 @@ static void makedirs(const char* name)
+
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
++ char *name_stripped;
++ FILE *fp;
++ int mustfree = 0;
++
++ if ((name_stripped = strdup(name)) != NULL)
++ {
++ remove_dotdotslash(name_stripped);
++ name = name_stripped;
++ mustfree = 1;
++ }
+ if (subdirs)
+ {
+ char* p = strrchr(name, '/');
+@@ -95,7 +147,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ free (dir_name);
+ }
+ }
+- return fopen(name, mode);
++ fp = fopen(name, mode);
++ if (mustfree)
++ free(name_stripped);
++ return fp;
+ }
+
+ static int unzzip_cat (int argc, char ** argv, int extract)
diff --git a/package/zziplib/zziplib.mk b/package/zziplib/zziplib.mk
index ead0158f3d..967cda033d 100644
--- a/package/zziplib/zziplib.mk
+++ b/package/zziplib/zziplib.mk
@@ -15,6 +15,9 @@ ZZIPLIB_INSTALL_STAGING = YES
# 0003-One-more-free-to-avoid-memory-leak.patch
ZZIPLIB_IGNORE_CVES += CVE-2018-16548
+# 0004-Fix-issue-62-Remove-any-components-from-pathnames-of-extracte.patch
+ZZIPLIB_IGNORE_CVES += CVE-2018-17828
+
ZZIPLIB_DEPENDENCIES = host-pkgconf host-python zlib
# zziplib is not python3 friendly, so force the python interpreter
--
2.25.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548
2020-03-03 20:16 [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Fabrice Fontaine
2020-03-03 20:16 ` [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828 Fabrice Fontaine
@ 2020-03-03 21:54 ` Thomas Petazzoni
2020-03-15 10:15 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Thomas Petazzoni @ 2020-03-03 21:54 UTC (permalink / raw)
To: buildroot
On Tue, 3 Mar 2020 21:16:21 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> An issue was discovered in ZZIPlib through 0.13.69. There is a memory
> leak triggered in the function __zzip_parse_root_directory in zip.c,
> which will lead to a denial of service attack.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> ...eak-from-__zzip_parse_root_directory.patch | 74 +++++++++++++++++++
> ...k-from-__zzip_parse_root_directory-2.patch | 53 +++++++++++++
> ...3-One-more-free-to-avoid-memory-leak.patch | 25 +++++++
> package/zziplib/zziplib.mk | 5 ++
> 4 files changed, 157 insertions(+)
> create mode 100644 package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
> create mode 100644 package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
> create mode 100644 package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch
Both applied to master. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548
2020-03-03 20:16 [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Fabrice Fontaine
2020-03-03 20:16 ` [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828 Fabrice Fontaine
2020-03-03 21:54 ` [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Thomas Petazzoni
@ 2020-03-15 10:15 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-03-15 10:15 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> An issue was discovered in ZZIPlib through 0.13.69. There is a memory
> leak triggered in the function __zzip_parse_root_directory in zip.c,
> which will lead to a denial of service attack.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.11.x (not in 2019.02.x), thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828
2020-03-03 20:16 ` [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828 Fabrice Fontaine
@ 2020-03-15 10:15 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-03-15 10:15 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
> overwrite arbitrary files via a .. (dot dot) in a zip file, because of
> the function unzzip_cat in the bins/unzzipcat-mem.c file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.11.x (not in 2019.02.x), thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-15 10:15 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-03 20:16 [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Fabrice Fontaine
2020-03-03 20:16 ` [Buildroot] [PATCH 2/2] package/zziplib: fix CVE-2018-17828 Fabrice Fontaine
2020-03-15 10:15 ` Peter Korsgaard
2020-03-03 21:54 ` [Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548 Thomas Petazzoni
2020-03-15 10:15 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.