Version in base suite: 0.13.62-3.3 Base version: zziplib_0.13.62-3.3 Target version: zziplib_0.13.62-3.3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/z/zziplib/zziplib_0.13.62-3.3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/z/zziplib/zziplib_0.13.62-3.3+deb11u1.dsc changelog | 9 +++++++++ patches/CVE-2020-18442-2.patch | 28 ++++++++++++++++++++++++++++ patches/CVE-2020-18442-4.patch | 28 ++++++++++++++++++++++++++++ patches/series | 5 +++++ 4 files changed, 70 insertions(+) diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog --- zziplib-0.13.62/debian/changelog 2021-03-04 08:54:37.000000000 +0000 +++ zziplib-0.13.62/debian/changelog 2021-12-25 23:03:02.000000000 +0000 @@ -1,3 +1,12 @@ +zziplib (0.13.62-3.3+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2020-18442 + Because of mishandling a return value, an attacker might cause a + denial of service due to an infinite loop. + + -- Thorsten Alteholz Sun, 26 Dec 2021 00:03:02 +0100 + zziplib (0.13.62-3.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch --- zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 2021-12-25 23:03:02.000000000 +0000 @@ -0,0 +1,28 @@ +commit 7e786544084548da7fcfcd9090d3c4e7f5777f7e +Author: Guido Draheim +Date: Mon Jan 4 21:50:26 2021 +0100 + + #68 return value of zzip_mem_disk_fread is signed + +Index: zziplib-0.13.62/bins/unzip-mem.c +=================================================================== +--- zziplib-0.13.62.orig/bins/unzip-mem.c 2021-12-26 00:59:28.017867652 +0100 ++++ zziplib-0.13.62/bins/unzip-mem.c 2021-12-26 00:59:28.013867656 +0100 +@@ -90,7 +90,7 @@ + if (file) + { + char buffer[1024]; int len; +- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) ++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) + fwrite (buffer, len, 1, out); + + zzip_mem_disk_fclose (file); +@@ -124,7 +124,7 @@ + { + unsigned long crc = crc32 (0L, NULL, 0); + unsigned char buffer[1024]; int len; +- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) { ++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) { + crc = crc32 (crc, buffer, len); + } + diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch --- zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 2021-12-25 23:03:02.000000000 +0000 @@ -0,0 +1,28 @@ +commit 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e +Author: Guido Draheim +Date: Mon Jan 4 21:51:56 2021 +0100 + + #68 return value of zzip_mem_disk_fread is signed + +Index: zziplib-0.13.62/bins/unzzipcat-mem.c +=================================================================== +--- zziplib-0.13.62.orig/bins/unzzipcat-mem.c 2021-12-26 00:59:59.133843763 +0100 ++++ zziplib-0.13.62/bins/unzzipcat-mem.c 2021-12-26 00:59:59.129843767 +0100 +@@ -40,7 +40,7 @@ + if (file) + { + char buffer[1024]; int len; +- while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) ++ while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) + fwrite (buffer, len, 1, out); + + zzip_mem_disk_fclose (file); +@@ -53,7 +53,7 @@ + if (file) + { + char buffer[1024]; int len; +- while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file))) ++ while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file))) + { + fwrite (buffer, 1, len, out); + } diff -Nru zziplib-0.13.62/debian/patches/series zziplib-0.13.62/debian/patches/series --- zziplib-0.13.62/debian/patches/series 2021-03-04 08:54:37.000000000 +0000 +++ zziplib-0.13.62/debian/patches/series 2021-12-25 23:03:02.000000000 +0000 @@ -18,3 +18,8 @@ Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch One-more-free-to-avoid-memory-leak.patch python2.diff + +# not all of the seven patches mentioned in the security tracker +# for this CVE are needed in every release +CVE-2020-18442-2.patch +CVE-2020-18442-4.patch