diff --git a/CVE-2018-17828-singlez.patch b/CVE-2018-17828-singlez.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff0c8f4b8bb30d7ff651386c462ad343e1423d2c
--- /dev/null
+++ b/CVE-2018-17828-singlez.patch
@@ -0,0 +1,76 @@
+From f65fecf5373d1053dd4d57e87433fd4697203450 Mon Sep 17 00:00:00 2001
+From: Jakub Martisko
+Date: Tue, 29 Jul 2025 16:02:29 +0200
+Subject: [PATCH] new
+
+---
+ bins/unzip-mem.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c
+index afd546d..6285b8b 100644
+--- a/bins/unzip-mem.c
++++ b/bins/unzip-mem.c
+@@ -85,16 +85,57 @@ zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk, ZZIP_MEM_ENTRY* entry, FILE* out)
+ }
+ }
+
++#include /*PATH_MAX*/
++static inline void
++remove_dotdotslash(char *path)
++{
++ /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++ char *dotdotslash;
++ int warned = 0;
++
++ dotdotslash = path;
++ while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++ {
++ /*
++ * Remove only if at the beginning of the pathname ("../path/name")
++ * or when preceded by a slash ("path/../name"),
++ * otherwise not ("path../name..")!
++ */
++ if (dotdotslash == path || dotdotslash[-1] == '/')
++ {
++ char *src, *dst;
++ if (!warned)
++ {
++ /* Note: the first time through the pathname is still intact */
++ fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++ warned = 1;
++ }
++ /* We cannot use strcpy(), as there "The strings may not overlap" */
++ for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++ ;
++ }
++ else
++ dotdotslash +=3; /* skip this instance to prevent infinite loop */
++ }
++}
++
+ static void
+ zzip_mem_entry_make(ZZIP_MEM_DISK* disk, ZZIP_MEM_ENTRY* entry)
+ {
+- FILE* file = fopen(entry->zz_name, "wb");
++ char name_sanitized[PATH_MAX+1];
++
++ strncpy(name_sanitized, entry->zz_name, PATH_MAX);
++ name_sanitized[PATH_MAX]='\0';
++ remove_dotdotslash(name_sanitized);
++
++
++ FILE* file = fopen (name_sanitized, "wb");
+ if (file) {
+ zzip_mem_entry_pipe(disk, entry, file);
+ fclose(file);
+ return;
+ }
+- perror(entry->zz_name);
++ perror(name_sanitized);
+ if (status < EXIT_WARNINGS)
+ status = EXIT_WARNINGS;
+ }
+--
+2.50.0
+
diff --git a/zziplib-0.13.78.tar.gz b/zziplib-0.13.78.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..1a6a2d5abebea1885c0c94fe73f4334771770e38
Binary files /dev/null and b/zziplib-0.13.78.tar.gz differ
diff --git a/zziplib.spec b/zziplib.spec
index e33abdcaa8682687f52c3351b8c35a6489c47c93..75cb20ac4434e45274f5457464eaa25349e58c7f 100644
--- a/zziplib.spec
+++ b/zziplib.spec
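Review bot: In the added bins/unzip-mem.c patch, an entry name that is absolute (it begins with `/`) still reaches `fopen()` in zzip_mem_entry_make unchanged, because remove_dotdotslash only deletes `../` components; the output can therefore still land outside the extraction directory. After the call to remove_dotdotslash, skip any leading slashes and open the relative remainder: `const char *rel = name_sanitized + strspn(name_sanitized, "/");` followed by `FILE* file = fopen(rel, "wb");`, with `perror(rel)` on the failure path. Separately, `strncpy(name_sanitized, entry->zz_name, PATH_MAX)` silently shortens an over-long name, so the file that gets opened may not be the one the archive names; reporting the entry as an error and returning would be clearer than continuing with a truncated path. A short comment on zzip_mem_entry_make stating that entry names are untrusted archive data and are made relative before use would document why the copy exists.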
@@ -1,17 +1,19 @@ -%define anolis_release 1 +%define anolis_release 2 Name: zziplib -Version: 0.13.78 +Version: 0.13.78 Release: %{anolis_release}%{?dist} Summary: Lightweight library to easily extract data from zip files License: LGPLv2+ or MPLv1.1 URL: http://zziplib.sourceforge.net/ -Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz +Source0: https://github.com/gdraheim/zziplib/archive/v0.13.78.tar.gz +Patch1: CVE-2018-17828-singlez.patch BuildRequires: make gcc cmake perl-interpreter python3-rpm-macros BuildRequires: zip xmlto zlib-devel BuildRequires: SDL-devel BuildRequires: pkgconfig +BuildRequires: python3 %description The %{name} library is intentionally lightweight, it offers the ability to @@ -92,6 +94,8 @@ Documentation files for %{name}. %doc README TODO ChangeLog %changelog +* Mon Sep 29 2025 wenyuzifang - 0.13.78-2 +- Prevent directory traversal by sanitizing paths to stop malicious ZIP entries from overwriting files outside the target directory * Fri Feb 28 2025 Chang Gao - 0.13.78-1 - Update to 0.13.78 - Update build params
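Review bot: `Patch1:` is declared in the first hunk, but neither hunk of zziplib.spec changes `%prep`, which lies outside the visible lines, so nothing here shows that the patch is actually applied at build time. If `%prep` uses `%setup` rather than `%autosetup -p1`, it needs a `%patch -P1 -p1` line; otherwise the package would ship the release bump and the changelog entry without the fix. `Source0:` also hard-codes `v0.13.78` where the old `Source:` line used `v%{version}`, so the next version update has to touch two lines; keeping `v%{version}` avoids that.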