
Bug#859764: unblock: libphysfs/2.0.3-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libphysfs

It adds a patch to fix a buffer overflow when using zlib. It is also
required for the manaplus package to work correctly again with newer versions.

diff -Nru libphysfs-2.0.3/debian/changelog libphysfs-2.0.3/debian/changelog
--- libphysfs-2.0.3/debian/changelog    2016-12-23 09:24:38.000000000 +0100
+++ libphysfs-2.0.3/debian/changelog    2017-04-03 19:48:25.000000000 +0200
@@ -1,3 +1,10 @@
+libphysfs (2.0.3-5) unstable; urgency=low
+
+  * Add patch 02-zip-seek to fix a buffer overflow in physfs with zlib version
+    >= 1.2.11.
+
+ -- Patrick Matthäi <pmatthaei@debian.org>  Mon, 03 Apr 2017 19:48:04 +0200
+
 libphysfs (2.0.3-4) unstable; urgency=medium

   * Enable full hardening.
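
Review bot: urgency=low on the new 2.0.3-5 entry sits oddly with the line below it, which describes a buffer overflow fix, while the previous upload that only enabled hardening used urgency=medium. Consider urgency=medium here, and add a Closes: reference if a Debian bug tracks the overflow, since the entry cites no bug number.
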
diff -Nru libphysfs-2.0.3/debian/patches/02-zip-seek.diff libphysfs-2.0.3/debian/patches/02-zip-seek.diff
--- libphysfs-2.0.3/debian/patches/02-zip-seek.diff     1970-01-01 01:00:00.000000000 +0100
+++ libphysfs-2.0.3/debian/patches/02-zip-seek.diff     2017-04-03 19:48:25.000000000 +0200
@@ -0,0 +1,19 @@
+# Fix buffer overflow in physfs if you use zlib >= 1.2.11.
+#
+# zlib link: https://github.com/madler/zlib/issues/206
+# Upstream report: http://icculus.org/pipermail/physfs/2017-January/001215.html
+# Author and patch founder: http://manaplus.org/physfs_bugs
+
+diff -r 34ebe997c5c0 archivers/zip.c
+--- a/archivers/zip.c  Fri Jan 01 12:53:41 2016 -0500
++++ b/archivers/zip.c  Wed Jan 25 20:56:26 2017 +0300
+@@ -327,7 +327,8 @@
+                 return(0);
+
+             inflateEnd(&finfo->stream);
+-            memcpy(&finfo->stream, &str, sizeof (z_stream));
++            inflateCopy(&finfo->stream, &str);
++            inflateEnd(&str);
+             finfo->uncompressed_position = finfo->compressed_position = 0;
+         } /* if */
+
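
Review bot: the return value of inflateCopy(&finfo->stream, &str) is ignored, and the call runs after inflateEnd(&finfo->stream) has already released the old state. inflateCopy allocates memory and can return Z_MEM_ERROR or Z_STREAM_ERROR; in that case finfo->stream is left without a valid state while the code goes on to reset both positions as if the seek had succeeded. Suggest comparing the result against Z_OK and, on failure, calling inflateEnd(&str) and returning 0 in the same way as the return(0) at the top of the hunk. The free-form # header lines would also be easier to track as DEP-3 fields (Description:, Origin:, Bug:).
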
diff -Nru libphysfs-2.0.3/debian/patches/series libphysfs-2.0.3/debian/patches/series
--- libphysfs-2.0.3/debian/patches/series       2016-12-23 09:24:38.000000000 +0100
+++ libphysfs-2.0.3/debian/patches/series       2017-04-03 19:48:25.000000000 +0200
@@ -1 +1,2 @@
 01-do-not-link-against-curses.diff
+02-zip-seek.diff


unblock libphysfs/2.0.3-5

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

