diff --git a/CVE-2018-16548-1.patch b/CVE-2018-16548-1.patch
deleted file mode 100644
index b4c63014220a46141143abd6ffee740f4eba23f8..0000000000000000000000000000000000000000
--- a/CVE-2018-16548-1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From b6ce8a1ca9442f89fae3482921fadc928ecbbb05 Mon Sep 17 00:00:00 2001
-From: jmoellers
-Date: Fri, 7 Sep 2018 11:32:04 +0200
-Subject: [PATCH 1/3] Avoid memory leak from __zzip_parse_root_directory().
-
-(cherry picked from commit 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb)
-https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
-Signed-off-by: Yufa Fang
----
- zzip/zip.c | 36 ++++++++++++++++++++++++++++++++++--
- 1 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/zzip/zip.c b/zzip/zip.c
-index 14e2e06..8318463 100644
---- a/zzip/zip.c
-+++ b/zzip/zip.c
-@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd,
- } else
- {
- if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
-+ {
-+ free(hdr0);
- return ZZIP_DIR_SEEK;
-+ }
- if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
-+ {
-+ free(hdr0);
- return ZZIP_DIR_READ;
-+ }
- d = &dirent;
- }
-
-@@ -574,12 +580,38 @@ __zzip_parse_root_directory(int fd,
-
- if (hdr_return)
- *hdr_return = hdr0;
-+ else
-+ {
-+ /* If it is not assigned to *hdr_return, it will never be free()'d */
-+ free(hdr0);
-+ /* Make sure we don't free it again in case of error */
-+ hdr0 = NULL;
-+ }
- } /* else zero (sane) entries */
- # ifndef ZZIP_ALLOW_MODULO_ENTRIES
-- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
-+ if (entries != zz_entries)
-+ {
-+ /* If it was assigned to *hdr_return, undo assignment */
-+ if (p_reclen && hdr_return)
-+ *hdr_return = NULL;
-+ /* Free it, if it was not already free()'d */
-+ if (hdr0 != NULL)
-+ free(hdr0);
-+ return ZZIP_CORRUPTED;
-+ }
- # else
-- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
-+ if (((entries & (unsigned)0xFFFF) != zz_entries)
-+ {
-+ /* If it was assigned to *hdr_return, undo assignment */
-+ if (p_reclen && hdr_return)
-+ *hdr_return = NULL;
-+ /* Free it, if it was not already free()'d */
-+ if (hdr0 != NULL)
-+ free(hdr0);
-+ return ZZIP_CORRUPTED;
-+ }
- # endif
-+ return 0;
- }
-
- /* ------------------------- high-level interface ------------------------- */
---
-2.19.1
-
diff --git a/CVE-2018-16548-2.patch b/CVE-2018-16548-2.patch
deleted file mode 100644
index 5cd75c32deb1c2c31df8a7bc48d636387dd44e77..0000000000000000000000000000000000000000
--- a/CVE-2018-16548-2.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From e8d90fe7525c177f0c28f6843f2a25da2e6e5045 Mon Sep 17 00:00:00 2001
-From: jmoellers
-Date: Fri, 7 Sep 2018 11:49:28 +0200
-Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory().
-
-(cherry picked from commit d2e5d5c53212e54a97ad64b793a4389193fec687)
-https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687
-Signed-off-by: Yufa Fang
----
- zzip/zip.c | 25 ++-----------------------
- 1 file changed, 2 insertions(+), 23 deletions(-)
-
-diff --git a/zzip/zip.c b/zzip/zip.c
-index 8318463..79fd9ad 100644
---- a/zzip/zip.c
-+++ b/zzip/zip.c
-@@ -584,34 +584,13 @@ __zzip_parse_root_directory(int fd,
- {
- /* If it is not assigned to *hdr_return, it will never be free()'d */
- free(hdr0);
-- /* Make sure we don't free it again in case of error */
-- hdr0 = NULL;
- }
- } /* else zero (sane) entries */
- # ifndef ZZIP_ALLOW_MODULO_ENTRIES
-- if (entries != zz_entries)
-- {
-- /* If it was assigned to *hdr_return, undo assignment */
-- if (p_reclen && hdr_return)
-- *hdr_return = NULL;
-- /* Free it, if it was not already free()'d */
-- if (hdr0 != NULL)
-- free(hdr0);
-- return ZZIP_CORRUPTED;
-- }
-+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
- # else
-- if (((entries & (unsigned)0xFFFF) != zz_entries)
-- {
-- /* If it was assigned to *hdr_return, undo assignment */
-- if (p_reclen && hdr_return)
-- *hdr_return = NULL;
-- /* Free it, if it was not already free()'d */
-- if (hdr0 != NULL)
-- free(hdr0);
-- return ZZIP_CORRUPTED;
-- }
-+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
- # endif
-- return 0;
- }
-
- /* ------------------------- high-level interface ------------------------- */
---
-2.19.1
-
diff --git a/CVE-2018-16548-3.patch b/CVE-2018-16548-3.patch
deleted file mode 100644
index fa1508b90476cb10e7670f85a918bde3333c2256..0000000000000000000000000000000000000000
--- a/CVE-2018-16548-3.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a37ce0d441050356efc5fcaa48e1cdcf21a6b8e1 Mon Sep 17 00:00:00 2001
-From: jmoellers
-Date: Fri, 7 Sep 2018 13:55:35 +0200
-Subject: [PATCH 3/3] One more free() to avoid memory leak.
-
-(cherry picked from commit 0e1dadb05c1473b9df2d7b8f298dab801778ef99)
-https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99
-Signed-off-by: Yufa Fang
----
- zzip/zip.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/zzip/zip.c b/zzip/zip.c
-index 79fd9ad..f97a40a 100644
---- a/zzip/zip.c
-+++ b/zzip/zip.c
-@@ -586,6 +586,8 @@ __zzip_parse_root_directory(int fd,
- free(hdr0);
- }
- } /* else zero (sane) entries */
-+ else
-+ free(hdr0);
- # ifndef ZZIP_ALLOW_MODULO_ENTRIES
- return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
- # else
---
-2.19.1
-
diff --git a/v0.13.69.tar.gz b/v0.13.69.tar.gz
deleted file mode 100644
index 18154017bc2a9e2f496e5dd6d5688bb5bb545caa..0000000000000000000000000000000000000000
Binary files a/v0.13.69.tar.gz and /dev/null differ
diff --git a/v0.13.71.tar.gz b/v0.13.71.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..c37ade89408000329f570954365e8fdce47a3cb6
Binary files /dev/null and b/v0.13.71.tar.gz differ
diff --git a/zziplib.spec b/zziplib.spec
index 1228d2575bf7e087ee45bb8196b535eca5497a1b..8ff77c4dd98e177ceea46059f649ed67cdac0fa0 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -3,19 +3,14 @@ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtoo sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool Name: zziplib -Version: 0.13.69 -Release: 5 +Version: 0.13.71 +Release: 1 Summary: Lightweight library for zip compression License: LGPLv2+ or MPLv1.1 URL: http://zziplib.sourceforge.net Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz -Patch6000: CVE-2018-16548-1.patch -Patch6001: CVE-2018-16548-2.patch -Patch6002: CVE-2018-16548-3.patch -Patch6003: CVE-2018-17828.patch - -BuildRequires: perl-interpreter python2 python2-rpm-macros zip xmlto +BuildRequires: perl-interpreter zip xmlto BuildRequires: zlib-devel SDL-devel pkgconfig autoconf automake gcc make Provides: zziplib-utils @@ -47,23 +42,16 @@ This package includes help documentation and manuals related to zziplib. %prep %setup -q -%patch6000 -p1 -%patch6001 -p1 -%patch6002 -p1 -%patch6003 -p1 - -find . -name '*.py' | xargs sed -i 's@#! /usr/bin/python@#! %__python2@g;s@#! /usr/bin/env python@#! %__python2@g' +sed -i -e 's:docs ::g' Makefile.am %build -export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" -export PYTHON=%__python2 %configure --disable-static --enable-sdl --enable-frame-pointer --enable-builddir=_builddir -%disable_rpath - %make_build %install %make_install +rm -rf docs/Make* docs/zziplib-manpages.ar +find %{buildroot} -type f -name "*.la" -delete -print %post -p /sbin/ldconfig @@ -86,6 +74,9 @@ export PYTHON=%__python2 %{_mandir}/man3/* %changelog +* Tue Nov 3 2020 tianwei - 0.13.71-1 +- update to 0.13.71 and remove python2 + * Fri Feb 14 2020 chengquan - 0.13.36-5 - Add necessary BuildRequires
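Review bot: The `Patch6003: CVE-2018-17828.patch` line is dropped in the `@@ -3,19 +3,14 @@` hunk together with the three CVE-2018-16548 patches, but nothing in this commit records that the 0.13.71 sources already contain those fixes. The deleted CVE-2018-16548 patch files name the upstream commits they were cherry-picked from, so they can be checked against the new tarball; CVE-2018-17828.patch is not among the files shown here, so its origin cannot be checked from this page and the file may be left behind unused in the repository. Before merging, confirm each fix is present in v0.13.71 and record it in the changelog, for example `- drop CVE-2018-16548 and CVE-2018-17828 patches, included in 0.13.71` once verified.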
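Review bot: Removing `%disable_rpath` from `%build` in the `@@ -47,23 +42,16 @@` hunk appears to leave the libtool `sed` rewrite at the top of the spec unused, so the built libraries and tools may now carry an RPATH/RUNPATH entry, which is a library search-path risk on installed systems. Either keep `%disable_rpath` after `%configure`, or check the built objects with `readelf -d` and delete the dead macro definition if no rpath is emitted. The same hunk drops `export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"`; `%configure` normally still passes the distribution flags, but `-fno-strict-aliasing` is lost, so it is worth confirming that 0.13.71 builds correctly under strict aliasing or restoring the flag with a comment such as `# zziplib casts between header struct types; keep -fno-strict-aliasing`.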