Please find attached the debdiff. Best, François
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2017-05-28 21:20:05.000000000 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2020-03-15 17:28:33.000000000 +0100
@@ -1,3 +1,9 @@
+zipios++ (0.1.5.9+cvs.2007.04.28-10+deb10u1) buster; urgency=high
+
+ * fix CVE-2019-13453 for Buster (Closes: #932556)
+
+ -- Francois Mazen <francois@mzf.fr> Sun, 15 Mar 2020 17:28:33 +0100
+
zipios++ (0.1.5.9+cvs.2007.04.28-10) unstable; urgency=medium
* QA upload.
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 1970-01-01 01:00:00.000000000 +0100
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 2020-03-15 17:28:33.000000000 +0100
@@ -0,0 +1,50 @@
+Description: Fix CVE-2019-13453
+Author: Francois Mazen <francois@mzf.fr>
+Origin: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/
+
+--- a/zipios++/zipheadio.h
++++ b/zipios++/zipheadio.h
+@@ -9,6 +9,7 @@
+
+ #include "zipios++/ziphead.h"
+ #include "zipios++/zipios_defs.h"
++#include "zipios++/fcollexceptions.h"
+
+ namespace zipios {
+
+@@ -79,10 +80,16 @@
+ static const int buf_len = sizeof ( uint32 ) ;
+ unsigned char buf [ buf_len ] ;
+ int rsf = 0 ;
+- while ( rsf < buf_len ) {
++ std::streampos original_pos = is.tellg() ;
++ while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+ }
++ if ( rsf != buf_len ) {
++ is.seekg( original_pos ) ;
++ throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint32; the zip archive may be corrupt." ) ;
++ }
+ return ztohl ( buf ) ;
+ }
+
+@@ -95,10 +102,16 @@
+ static const int buf_len = sizeof ( uint16 ) ;
+ unsigned char buf [ buf_len ] ;
+ int rsf = 0 ;
+- while ( rsf < buf_len ) {
++ std::streampos original_pos = is.tellg() ;
++ while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+ }
++ if ( rsf != buf_len ) {
++ is.seekg( original_pos ) ;
++ throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint16; the zip archive may be corrupt." ) ;
++ }
+ return ztohs ( buf ) ;
+ }
+
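Review bot: The new guard `while ( rsf < buf_len && !is.eof() )`, used in both the Uint32 and the Uint16 reader, stops only on eofbit. A stream in a failed or bad state without eofbit (already failed on entry, or an I/O error) leaves `read` a no-op with `gcount()` at 0, so the loop can still spin forever; `while ( rsf < buf_len && is.good() ) {` would cover that case too. The `is.seekg( original_pos )` before each throw is probably a no-op, because a short read leaves failbit set; if the rewind is intended, call `is.clear() ;` first. The adjacent string literals concatenate to "read aUint32" and "read aUint16", so the first literal needs a trailing space. Both function bodies start outside the quoted hunks, so the state of `is` on entry is not visible here.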
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2017-05-09 00:29:06.000000000 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2020-03-15 17:28:33.000000000 +0100
@@ -4,3 +4,4 @@
gcc43_fix.diff
amd64_fix.diff
pkg-config.diff
+fix_CVE-2019-13453.diff