[arch-commits] Commit in zziplib/trunk (CVE-2017-5979.patch PKGBUILD)

Levente Polyak anthraxx at archlinux.org
Fri May 12 19:39:54 UTC 2017


    Date: Friday, May 12, 2017 @ 19:39:53
  Author: anthraxx
Revision: 295871

upgpkg: zziplib 0.13.66-2 (fix CVE-2017-5979)

Added:
  zziplib/trunk/CVE-2017-5979.patch
Modified:
  zziplib/trunk/PKGBUILD

---------------------+
 CVE-2017-5979.patch |   13 +++++++++++++
 PKGBUILD            |   18 +++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

Added: CVE-2017-5979.patch
===================================================================
--- CVE-2017-5979.patch	                        (rev 0)
+++ CVE-2017-5979.patch	2017-05-12 19:39:53 UTC (rev 295871)
@@ -0,0 +1,13 @@
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+         return 0;
+     /* we read out chunks of 8 KiB in the hope to match disk granularity */
+     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+-    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+     if (! entry)
+         return 0;
+     ___ unsigned char *buffer = malloc(pagesize);
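Review bot: The added patch file has no provenance header, and its paths name `zziplib-0.13.62` while the PKGBUILD builds 0.13.66, so a later maintainer cannot confirm from the file that it still matches the source it is applied to. A short header above the `Index:` line would cover this, for example `# Origin: openSUSE zziplib package, <URL_PLACEHOLDER>` and `# Fixes CVE-2017-5979; drop once upstream ships the fix`. The change swaps `malloc` for `calloc(1, sizeof(*entry))`, presumably so that fields read before assignment start as zero. Which fields depend on this is not visible, because `zzip_entry_findfirst` continues outside the hunk; naming them in the header would help whoever rebases the patch.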

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-05-12 18:55:36 UTC (rev 295870)
+++ PKGBUILD	2017-05-12 19:39:53 UTC (rev 295871)
@@ -5,7 +5,7 @@
 
 pkgname=zziplib
 pkgver=0.13.66
-pkgrel=1
+pkgrel=2
 pkgdesc="A lightweight library that offers the ability to easily extract data from files archived in a single zip file"
 arch=('i686' 'x86_64')
 url="http://zziplib.sourceforge.net"
@@ -12,9 +12,19 @@
 license=('LGPL' 'MPL')
 depends=('zlib')
 makedepends=('python2' 'xmlto' 'zip')
-source=($pkgname-$pkgver.tar.gz::"https://github.com/gdraheim/zziplib/archive/v$pkgver.tar.gz")
-md5sums=('0990b8e409834b62475b4de901fe3f6a')
+source=($pkgname-$pkgver.tar.gz::"https://github.com/gdraheim/zziplib/archive/v$pkgver.tar.gz"
+        CVE-2017-5979.patch)
+sha256sums=('59b18c7c4ed348ba8d63fa7e194e6b012cd94197265b7a7b3afb539d8206bd7d'
+            '6c649cc35eb040dc9f667faa1484e61fdb8600eccc293d79dca5a3cd8fdb1ee4')
+sha512sums=('893885d85293269fd8ff14d61eaae5f7d07689a16dd9c07c1ae8d46ea2b2f94a13d6aab19670efa7716cafe5e9f8efb1cbc1254bd9e860c836faa35736bdbe20'
+            'b11e940f6d0d0806e6408a06c465180c5a250449ea837108663049a0f395c2d8b5ff30614fa364a56f2686dd1ee2da120aa47dfb7d80698db43c00ae7a5ebd27')
 
+prepare() {
+  cd ${pkgname}-${pkgver}
+  # extracted from opensuse
+  patch -p1 < "${srcdir}/CVE-2017-5979.patch"
+}
+
 build() {
   cd ${pkgname}-${pkgver}
   export PYTHON=/usr/bin/python2
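Review bot: `prepare()` applies the fix with `patch -p1 < ...`, which leaves patch free to offer a reversal if a later `pkgver` already contains the change. The usual PKGBUILD form, `patch -Np1 -i "${srcdir}/CVE-2017-5979.patch"`, skips and reports an already-applied patch instead. The `cd ${pkgname}-${pkgver}` lines here and in `build()` are unquoted while `"${srcdir}/..."` is quoted; `cd "${pkgname}-${pkgver}"` would keep the file consistent. The body of `build()` continues outside this hunk.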
@@ -31,3 +41,5 @@
 # chmod 644 "${pkgdir}"/usr/share/man/man3/*
   chown -R root:root "${pkgdir}/usr/share/man/man3"
 }
+
+# vim: set ts=2 sw=2 et:


