--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package zziplib/0.13.62-3.2~deb9u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 31 Mar 2019 22:14:30 +0200
- Message-id: <155406327062.13952.12460694532084693974.reportbug@lorien.valinor.li>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable release managers,
Several CVEs were addressed with the 0.13.62-3.2 upload to unstable (and
buster) which are CVE-2018-6381, CVE-2018-6484, CVE-2018-6541,
CVE-2018-6869, CVE-2018-6540, CVE-2018-7725, CVE-2018-7726 and
CVE-2018-16548.
Given 0.13.62-3.1 being in stable and 0.13.62-3.2 consisted only of
those CVE fixes, I would like to propose a rebuild of 0.13.62-3.2 to
be included in stretch in the upcoming point release and address those
CVEs.
> zziplib (0.13.62-3.2~deb9u1) stretch; urgency=medium
>
> * Rebuild for stretch-backports.
>
> -- Salvatore Bonaccorso <carnil@debian.org> Sun, 31 Mar 2019 22:02:00 +0200
>
> zziplib (0.13.62-3.2) unstable; urgency=medium
>
> * Non-maintainer upload.
> * Invalid memory access in zzip_disk_fread (CVE-2018-6381) (Closes: #889096)
> * Reject the ZIP file and report it as corrupt if the size of the central
> directory and/or the offset of start of central directory point beyond the
> end of the ZIP file (CVE-2018-6484, CVE-2018-6541, CVE-2018-6869)
> (Closes: #889089)
> * bus error in zzip_disk_findfirst function in zzip/mmapped.c
> (CVE-2018-6540) (Closes: #923659)
> * out of bound read in mmapped.c:zzip_disk_fread() causes crash
> (CVE-2018-7725) (Closes: #913165)
> * Bus error in zip.c:__zzip_parse_root_directory() cause crash via crafted
> zip file (CVE-2018-7726) (Closes: #913165)
> * Memory leak triggered in the function __zzip_parse_root_directory in zip.c
> (CVE-2018-16548) (Closes: #910335)
>
> -- Salvatore Bonaccorso <carnil@debian.org> Mon, 04 Mar 2019 22:43:14 +0100
Attaching the debdiff against 0.13.62-3.1.
AFAICS no regressions were reported for 0.13.62-3.2.
Regards,
Salvatore
diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog
--- zziplib-0.13.62/debian/changelog 2017-06-04 09:03:20.000000000 +0200
+++ zziplib-0.13.62/debian/changelog 2019-03-31 22:02:00.000000000 +0200
@@ -1,3 +1,28 @@
+zziplib (0.13.62-3.2~deb9u1) stretch; urgency=medium
+
+ * Rebuild for stretch-backports.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 31 Mar 2019 22:02:00 +0200
+
+zziplib (0.13.62-3.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Invalid memory access in zzip_disk_fread (CVE-2018-6381) (Closes: #889096)
+ * Reject the ZIP file and report it as corrupt if the size of the central
+ directory and/or the offset of start of central directory point beyond the
+ end of the ZIP file (CVE-2018-6484, CVE-2018-6541, CVE-2018-6869)
+ (Closes: #889089)
+ * bus error in zzip_disk_findfirst function in zzip/mmapped.c
+ (CVE-2018-6540) (Closes: #923659)
+ * out of bound read in mmapped.c:zzip_disk_fread() causes crash
+ (CVE-2018-7725) (Closes: #913165)
+ * Bus error in zip.c:__zzip_parse_root_directory() cause crash via crafted
+ zip file (CVE-2018-7726) (Closes: #913165)
+ * Memory leak triggered in the function __zzip_parse_root_directory in zip.c
+ (CVE-2018-16548) (Closes: #910335)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 04 Mar 2019 22:43:14 +0100
+
zziplib (0.13.62-3.1) unstable; urgency=medium
* Non-maintainer upload.
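Review bot: The new top changelog entry reads "Rebuild for stretch-backports." while its distribution field is `stretch` and the version is `0.13.62-3.2~deb9u1`, which is what a stable point-release upload looks like. The text should say "Rebuild for stretch" so the entry matches the upload target named in the request.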
diff -Nru zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch
--- zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,74 @@
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: Avoid memory leak from __zzip_parse_root_directory().
+Origin: https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548
+Bug-Debian: https://bugs.debian.org/910335
+Bug: https://github.com/gdraheim/zziplib/issues/58
+
+---
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 88b833b2533d..a6852802f87e 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+ } else
+ {
+ if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
++ {
++ free(hdr0);
+ return ZZIP_DIR_SEEK;
++ }
+ if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
++ {
++ free(hdr0);
+ return ZZIP_DIR_READ;
++ }
+ d = &dirent;
+ }
+
+@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd,
+
+ if (hdr_return)
+ *hdr_return = hdr0;
++ else
++ {
++ /* If it is not assigned to *hdr_return, it will never be free()'d */
++ free(hdr0);
++ /* Make sure we don't free it again in case of error */
++ hdr0 = NULL;
++ }
+ } /* else zero (sane) entries */
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
++ if (entries != zz_entries)
++ {
++ /* If it was assigned to *hdr_return, undo assignment */
++ if (p_reclen && hdr_return)
++ *hdr_return = NULL;
++ /* Free it, if it was not already free()'d */
++ if (hdr0 != NULL)
++ free(hdr0);
++ return ZZIP_CORRUPTED;
++ }
+ # else
+- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
++ if (((entries & (unsigned)0xFFFF) != zz_entries)
++ {
++ /* If it was assigned to *hdr_return, undo assignment */
++ if (p_reclen && hdr_return)
++ *hdr_return = NULL;
++ /* Free it, if it was not already free()'d */
++ if (hdr0 != NULL)
++ free(hdr0);
++ return ZZIP_CORRUPTED;
++ }
+ # endif
++ return 0;
+ }
+
+ /* ------------------------- high-level interface ------------------------- */
+--
+2.11.0
+
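Review bot: In the `# else` (ZZIP_ALLOW_MODULO_ENTRIES) branch of the second zip.c hunk, `if (((entries & (unsigned)0xFFFF) != zz_entries)` opens three parentheses and closes only two, so this patch on its own does not compile with that macro defined. Drop one opening parenthesis. The two error blocks are otherwise identical; selecting only the condition under the `#ifndef` and sharing a single cleanup block would remove the duplication.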
diff -Nru zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
--- zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,56 @@
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: Avoid memory leak from __zzip_parse_root_directory().
+Origin: https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548
+Bug-Debian: https://bugs.debian.org/910335
+Bug: https://github.com/gdraheim/zziplib/issues/58
+
+---
+ zzip/zip.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a6852802f87e..51a1a4d93a60 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd,
+ {
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
+ free(hdr0);
+- /* Make sure we don't free it again in case of error */
+- hdr0 = NULL;
+ }
+ } /* else zero (sane) entries */
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+- if (entries != zz_entries)
+- {
+- /* If it was assigned to *hdr_return, undo assignment */
+- if (p_reclen && hdr_return)
+- *hdr_return = NULL;
+- /* Free it, if it was not already free()'d */
+- if (hdr0 != NULL)
+- free(hdr0);
+- return ZZIP_CORRUPTED;
+- }
++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # else
+- if (((entries & (unsigned)0xFFFF) != zz_entries)
+- {
+- /* If it was assigned to *hdr_return, undo assignment */
+- if (p_reclen && hdr_return)
+- *hdr_return = NULL;
+- /* Free it, if it was not already free()'d */
+- if (hdr0 != NULL)
+- free(hdr0);
+- return ZZIP_CORRUPTED;
+- }
++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # endif
+- return 0;
+ }
+
+ /* ------------------------- high-level interface ------------------------- */
+--
+2.11.0
+
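Review bot: With the cleanup removed from the `entries != zz_entries` path in this hunk, a ZZIP_CORRUPTED return can leave `*hdr_return` pointing at the allocated `hdr0`. The function's comment should state that the caller owns `*hdr_return` and must free it even when the return value is non-zero, since nothing in the lines shown releases it on that path any more.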
diff -Nru zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch
--- zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/One-more-free-to-avoid-memory-leak.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,28 @@
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: One more free() to avoid memory leak.
+Origin: https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16548
+Bug-Debian: https://bugs.debian.org/910335
+Bug: https://github.com/gdraheim/zziplib/issues/58
+
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 51a1a4d93a60..bc6c0800e085 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd,
+ free(hdr0);
+ }
+ } /* else zero (sane) entries */
++ else
++ free(hdr0);
+ # ifndef ZZIP_ALLOW_MODULO_ENTRIES
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ # else
+--
+2.11.0
+
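Review bot: The added `else` follows a closing brace whose trailing comment already reads `/* else zero (sane) entries */`, so that comment now sits in front of a real else branch and it is hard to see which `if` the branch pairs with. Put braces around `free(hdr0);` and move or reword the comment so it lives inside the new branch.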
diff -Nru zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch
--- zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,49 @@
+From: =?UTF-8?q?Josef=20M=C3=B6llers?= <josef@firefly.moellers.local>
+Date: Fri, 2 Feb 2018 14:09:32 +0100
+Subject: Reject the ZIP file and report it as corrupt if the size of the
+ central directory and/or the offset of start of central directory point
+ beyond the end of the ZIP file. [CVE-2018-6484]
+Origin: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6484
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6541
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6869
+Bug-Debian: https://bugs.debian.org/889089
+Bug: https://github.com/gdraheim/zziplib/issues/14
+Bug: https://github.com/gdraheim/zziplib/issues/16
+Bug: https://github.com/gdraheim/zziplib/issues/22
+
+---
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index f0eac2b71501..67e662f59f46 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ # endif
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ } else if ((*tail == 'P') &&
+ end - tail >=
+@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ # endif
+ }
+--
+2.11.0
+
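Review bot: In both added checks, `trailer->zz_rootseek + trailer->zz_rootsize` is summed before it is compared with `filesize`, and at this position in the series neither field has yet been tested for a negative value, so a forged pair can wrap or cancel out before the comparison. Once `zz_rootseek >= filesize` has been ruled out, testing `trailer->zz_rootsize >= filesize - trailer->zz_rootseek` gives the same answer without the addition. The identical comment and test in the two branches could also be moved into one small helper.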
diff -Nru zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch
--- zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-rootseek-after-correction-41.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,47 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Tue, 13 Mar 2018 01:50:36 +0100
+Subject: check rootseek after correction #41
+Origin: https://github.com/gdraheim/zziplib/commit/19c9e4dc6c5cf92a38d0d23dbccac6993f9c41be
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 6be8d7c8f944..0d79d5298860 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -1,4 +1,3 @@
+-
+ /*
+ * Author:
+ * Guido Draheim <guidod@gmx.de>
+@@ -422,6 +421,9 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootseek < 0)
++ return ZZIP_CORRUPTED;
++
+ hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+ if (! hdr0)
+ return ZZIP_DIRSIZE;
+@@ -465,8 +467,9 @@ __zzip_parse_root_directory(int fd,
+ # endif
+
+ if (fd_map)
+- { d = (void*)(fd_map+zz_fd_gap+zz_offset); } /* fd_map+fd_gap==u_rootseek */
+- else
++ {
++ d = (void*)(fd_map+zz_fd_gap+zz_offset); /* fd_map+fd_gap==u_rootseek */
++ } else
+ {
+ if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+ return ZZIP_DIR_SEEK;
+--
+2.11.0
+
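Review bot: The condition added in the `@@ -422,6 +421,9 @@` hunk tests `zz_rootseek < 0` twice and never tests `zz_rootsize`, which is the value handed to `malloc(zz_rootsize)` two lines later. The third operand should be `zz_rootsize < 0`. The removal of the leading blank line in the first hunk is unrelated whitespace and is better kept out of a security fix.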
diff -Nru zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch
--- zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-rootseek-and-rootsize-to-be-positive-27.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,38 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Tue, 13 Mar 2018 00:23:33 +0100
+Subject: check rootseek and rootsize to be positive #27
+Origin: https://github.com/gdraheim/zziplib/commit/8f48323c181e20b7e527b8be7229d6eb1148ec5f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index a5db9d8cf9ce..6be8d7c8f944 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -318,6 +318,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
+ # endif
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
+ /*
+@@ -344,6 +346,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
++ return(ZZIP_CORRUPTED); // forged value
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+--
+2.11.0
+
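Review bot: In the first hunk the negative-value test sits before `__fixup_rootseek(offset + tail - mapped, trailer)`, so it only covers the values as read from the trailer; if the fixup can lower `zz_rootseek`, the result is not re-checked in this function. Either move the test after the fixup or add a comment saying that the later check in `__zzip_parse_root_directory` covers that case. The `// forged value` comments also differ from the `/* */` style of the surrounding lines.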
diff -Nru zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch
--- zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/check-zlib-space-to-be-within-buffer-39.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,46 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Tue, 13 Mar 2018 01:29:44 +0100
+Subject: check zlib space to be within buffer #39
+Origin: https://github.com/gdraheim/zziplib/commit/1ba660b3300d67b8ce9f6b96bbae0b36fa2d6b06
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7725
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/39
+
+---
+ zzip/memdisk.c | 9 +++++++++
+ zzip/mmapped.c | 2 ++
+ 2 files changed, 11 insertions(+)
+
+--- a/zzip/memdisk.c
++++ b/zzip/memdisk.c
+@@ -434,11 +434,19 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir
+ file->zlib.avail_in = zzip_mem_entry_csize(entry);
+ file->zlib.next_in = zzip_mem_entry_to_data(entry);
+
++ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
++ goto error;
++ if (file->zlib.next_in < file->buffer)
++ goto error;
++
+ if (! zzip_mem_entry_data_deflated(entry) ||
+ inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
+ { free (file); return 0; }
+
+ return file;
++error:
++ errno = EBADMSG;
++ return NULL;
+ }
+
+ zzip__new__ ZZIP_MEM_DISK_FILE *
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -567,6 +567,8 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk,
+
+ if (file->zlib.next_in + file->zlib.avail_in >= disk->endbuf)
+ goto error;
++ if (file->zlib.next_in < disk->buffer)
++ goto error;
+
+ if (! zzip_file_header_data_deflated(header))
+ goto error;
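Review bot: The new `error:` label in `zzip_mem_entry_fopen` sets `errno = EBADMSG` and returns NULL without releasing `file`, while the existing failure path just above it does `free (file); return 0;`. Add `free (file);` under the label so the two bounds-check exits do not leak the handle. In both files the lower-bound test (`next_in < buffer`) is placed after the test that already does arithmetic on `next_in`; putting it first reads more naturally.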
diff -Nru zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch
--- zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/fix-for-zz_rootsize-41.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,29 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Thu, 15 Mar 2018 23:54:37 +0100
+Subject: fix for zz_rootsize #41
+Origin: https://github.com/gdraheim/zziplib/commit/feae4da1a5c92100c44ebfcbaaa895959cc0829b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7726
+Bug-Debian: https://bugs.debian.org/913165
+Bug: https://github.com/gdraheim/zziplib/issues/27
+Bug: https://github.com/gdraheim/zziplib/issues/41
+
+---
+ zzip/zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index 0d79d5298860..14e2e06615cd 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -421,7 +421,7 @@ __zzip_parse_root_directory(int fd,
+ zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+ __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+
+- if (zz_entries < 0 || zz_rootseek < 0 || zz_rootseek < 0)
++ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+ return ZZIP_CORRUPTED;
+
+ hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+--
+2.11.0
+
diff -Nru zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch
--- zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/merge-CVE-2018-6381.patch-from-jmoellers-12.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,39 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Thu, 1 Feb 2018 12:27:49 +0100
+Subject: merge CVE-2018-6381.patch from @jmoellers #12
+Origin: https://github.com/gdraheim/zziplib/commit/a803559fa9194be895422ba3684cf6309b6bb598
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6381
+Bug-Debian: https://bugs.debian.org/889096
+Bug: https://github.com/gdraheim/zziplib/issues/12
+
+---
+ zzip/memdisk.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/zzip/memdisk.c
++++ b/zzip/memdisk.c
+@@ -191,6 +191,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
+ item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+
++ /*
++ * If the file is uncompressed, zz_csize and zz_usize should be the same
++ * If they are not, we cannot guarantee that either is correct, so ...
++ */
++ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
++ {
++ goto error;
++ }
+ { /* copy the extra blocks to memory as well */
+ int /* */ ext1 = zzip_disk_entry_get_extras(entry);
+ char *_zzip_restrict ptr1 = zzip_disk_entry_to_extras(entry);
+@@ -234,6 +242,9 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ */
+ return item;
+ ____;
++error:
++ zzip_mem_entry_free(item);
++ return 0;
+ ____;
+ }
+
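Review bot: The `goto error` added in the first hunk reaches `zzip_mem_entry_free(item)` before the "copy the extra blocks" section has run, so the free routine is handed an entry whose extras fields this function has not assigned yet. Please confirm that `item` is zero-initialised when it is allocated, or free only what has been set at that point. The error exit also returns 0 without setting `errno`.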
diff -Nru zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch
--- zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/need-to-check-on-endbuf-for-stored-files-15.patch 2019-03-31 22:02:00.000000000 +0200
@@ -0,0 +1,59 @@
+From: Guido Draheim <guidod@gmx.de>
+Date: Mon, 5 Feb 2018 13:57:49 +0100
+Subject: need to check on endbuf for stored files #15
+Origin: https://github.com/gdraheim/zziplib/commit/72ec933663f738d8e166979aa7fd5590b2104a07
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6540
+Bug-Debian: https://bugs.debian.org/923659
+Bug: https://github.com/gdraheim/zziplib/issues/15
+
+---
+
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -551,7 +551,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk,
+ file->avail = zzip_file_header_usize(header);
+
+ if (! file->avail || zzip_file_header_data_stored(header))
+- { file->stored = zzip_file_header_to_data (header); return file; }
++ {
++ file->stored = zzip_file_header_to_data (header);
++ if (file->stored + file->avail >= disk->endbuf)
++ goto error;
++ return file;
++ }
+
+ file->stored = 0;
+ file->zlib.opaque = 0;
+@@ -560,11 +565,18 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk,
+ file->zlib.avail_in = zzip_file_header_csize(header);
+ file->zlib.next_in = zzip_file_header_to_data(header);
+
+- if (! zzip_file_header_data_deflated(header) ||
+- inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
+- { free (file); return 0; }
++ if (file->zlib.next_in + file->zlib.avail_in >= disk->endbuf)
++ goto error;
++
++ if (! zzip_file_header_data_deflated(header))
++ goto error;
++ if (inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
++ goto error;
+
+ return file;
++error:
++ free (file);
++ return 0;
+ ____;
+ }
+
+@@ -601,6 +613,10 @@ zzip_disk_fread(void *ptr, zzip_size_t s
+ size = file->avail;
+ if (file->stored)
+ {
++ if (file->stored + size >= file->endbuf)
++ {
++ return 0; /* ESPIPE */
++ }
+ memcpy(ptr, file->stored, size);
+ file->stored += size;
+ file->avail -= size;
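Review bot: The stored-data checks `file->stored + file->avail >= disk->endbuf` in `zzip_disk_entry_fopen` and `file->stored + size >= file->endbuf` in `zzip_disk_fread` add a length that comes from the archive header to a pointer before comparing, and that pointer arithmetic is undefined once the sum passes the end of the buffer. Comparing the length against the remaining space (`disk->endbuf - file->stored`) avoids forming the out-of-range pointer. In `zzip_disk_fread` the early return is commented `/* ESPIPE */` but `errno` is not set, and the test reads `file->endbuf`, which no line in this patch assigns.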
diff -Nru zziplib-0.13.62/debian/patches/series zziplib-0.13.62/debian/patches/series
--- zziplib-0.13.62/debian/patches/series 2017-06-04 09:03:11.000000000 +0200
+++ zziplib-0.13.62/debian/patches/series 2019-03-31 22:02:00.000000000 +0200
@@ -6,4 +6,14 @@
zziplib-CVE-2017-5978.patch
zziplib-CVE-2017-5979.patch
zziplib-CVE-2017-5981.patch
-zziplib-unzipcat-NULL-name.patch
\ No newline at end of file
+zziplib-unzipcat-NULL-name.patch
+merge-CVE-2018-6381.patch-from-jmoellers-12.patch
+Reject-the-ZIP-file-and-report-it-as-corrupt-if-the-.patch
+need-to-check-on-endbuf-for-stored-files-15.patch
+check-zlib-space-to-be-within-buffer-39.patch
+check-rootseek-and-rootsize-to-be-positive-27.patch
+check-rootseek-after-correction-41.patch
+fix-for-zz_rootsize-41.patch
+Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch
+Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
+One-more-free-to-avoid-memory-leak.patch
--- End Message ---