Bug#1004049: buster-pu: package zziplib/0.13.62-3.2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for zziplib fixes CVE-2020-18442 in Buster. This CVE
is marked as no-dsa by the security team.
The same patch has already been uploaded to Stretch and nobody has complained yet.
Thorsten
diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog
--- zziplib-0.13.62/debian/changelog 2019-03-04 22:43:14.000000000 +0100
+++ zziplib-0.13.62/debian/changelog 2021-12-26 00:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+zziplib (0.13.62-3.2+deb10u1) buster; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2020-18442
+ Because of mishandling a return value, an attacker might cause a
+ denial of service due to an infinite loop.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sun, 26 Dec 2021 00:03:02 +0100
+
zziplib (0.13.62-3.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 2021-12-26 00:03:02.000000000 +0100
@@ -0,0 +1,28 @@
+commit 7e786544084548da7fcfcd9090d3c4e7f5777f7e
+Author: Guido Draheim <guidod@gmx.de>
+Date: Mon Jan 4 21:50:26 2021 +0100
+
+ #68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzip-mem.c
+===================================================================
+--- zziplib-0.13.62.orig/bins/unzip-mem.c 2021-12-26 00:59:28.017867652 +0100
++++ zziplib-0.13.62/bins/unzip-mem.c 2021-12-26 00:59:28.013867656 +0100
+@@ -90,7 +90,7 @@
+ if (file)
+ {
+ char buffer[1024]; int len;
+- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+ fwrite (buffer, len, 1, out);
+
+ zzip_mem_disk_fclose (file);
+@@ -124,7 +124,7 @@
+ {
+ unsigned long crc = crc32 (0L, NULL, 0);
+ unsigned char buffer[1024]; int len;
+- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
+ crc = crc32 (crc, buffer, len);
+ }
+
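Review bot: The new guard `0 < (len = zzip_mem_disk_fread (...))` stops the loop only because an error value that is, as far as I can tell, returned as the unsigned `zzip_size_t` `(zzip_size_t)-1` in 0.13.62 wraps to `-1` when stored in the `int len` declared two lines above — an out-of-range unsigned-to-signed conversion that is implementation-defined before C23, even if universal on Debian's targets. A form that does not depend on that conversion is `zzip_ssize_t len;` with the same comparison (the type exists in zzip/types.h), or comparing the unwrapped return against the error value before narrowing it for `fwrite`. The same pattern is in the second hunk of this patch and in both hunks of CVE-2020-18442-4.patch. Because the series comment says only two of the seven upstream patches are applied, it is worth confirming on Buster with a corrupt or truncated archive that the library really returns a non-positive value on the inflate error path rather than looping inside zzip_disk_fread, otherwise this caller-side check does not close the reported denial of service. The enclosing functions start and end outside these hunks.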
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 1970-01-01 01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 2021-12-26 00:03:02.000000000 +0100
@@ -0,0 +1,28 @@
+commit 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e
+Author: Guido Draheim <guidod@gmx.de>
+Date: Mon Jan 4 21:51:56 2021 +0100
+
+ #68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzzipcat-mem.c
+===================================================================
+--- zziplib-0.13.62.orig/bins/unzzipcat-mem.c 2021-12-26 00:59:59.133843763 +0100
++++ zziplib-0.13.62/bins/unzzipcat-mem.c 2021-12-26 00:59:59.129843767 +0100
+@@ -40,7 +40,7 @@
+ if (file)
+ {
+ char buffer[1024]; int len;
+- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+ fwrite (buffer, len, 1, out);
+
+ zzip_mem_disk_fclose (file);
+@@ -53,7 +53,7 @@
+ if (file)
+ {
+ char buffer[1024]; int len;
+- while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
++ while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
+ {
+ fwrite (buffer, 1, len, out);
+ }
diff -Nru zziplib-0.13.62/debian/patches/series zziplib-0.13.62/debian/patches/series
--- zziplib-0.13.62/debian/patches/series 2019-03-04 22:43:14.000000000 +0100
+++ zziplib-0.13.62/debian/patches/series 2021-12-26 00:03:02.000000000 +0100
@@ -17,3 +17,8 @@
Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch
Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
One-more-free-to-avoid-memory-leak.patch
+
+# not all of the seven patches mentioned in the security tracker
+# for this CVE are needed in every release
+CVE-2020-18442-2.patch
+CVE-2020-18442-4.patch
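Review bot: The comment above the two patch entries should say which of the seven upstream patches were left out and why, since a reader cannot tell whether patches 1, 3 and 5-7 were judged inapplicable to 0.13.62 or simply not needed for the CVE; I cannot tell the reason from this diff, so something like `# only -2 and -4 apply to 0.13.62; -1, -3, -5..-7 <reason — fill in>` with the actual justification. Recording it here also makes it easier to check later whether the library-side part of the fix was intentionally omitted.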