File zziplib.changes of Package zziplib.35221

Overview Repositories Revisions Requests Users Attributes Meta

File zziplib.changes of Package zziplib.35221

-------------------------------------------------------------------
Mon Aug 12 13:24:15 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- fetch_disk_trailer: Don't truncate the size verif.
  [bsc#1227178, CVE-2024-39134,
   bsc1227178-fetch_disk_trailer-Don-t-truncate-the-size-verif.patch]

-------------------------------------------------------------------
Tue Feb 27 16:42:55 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- assert full zzip_file_header.
  [bsc#1214577, CVE-2020-18770, CVE-2020-18770.patch]

-------------------------------------------------------------------
Mon Jun 21 09:27:12 UTC 2021 - Josef Möllers <josef.moellers@suse.com>

- A recent upstream commit has introduced a regression:
  The return value of the function ‘zzip_fread’ is a signed int
  and "0" is a valid return value.
  [bsc#1187526, CVE-2020-18442,
   bsc1187526-fix-Incorrect-handling-of-function-zzip_fread-return-value.patch]

-------------------------------------------------------------------
Mon Feb 24 15:27:38 UTC 2020 - Josef Möllers <josef.moellers@suse.com>

- Corrected control flow in zzip_mem_entry_make() to
  gain correct exit status.
  [bsc#1154002, bsc1154002-prevent-unnecessary-perror.patch]

-------------------------------------------------------------------
Thu Jan  9 15:00:11 UTC 2020 - Josef Möllers <josef.moellers@suse.com>

- Make an unconditional error message conditional by checking
  the return value of a function call.
  [bsc1154002, bsc1154002-prevent-unnecessary-perror.patch]

-------------------------------------------------------------------
Thu Oct 17 14:13:28 UTC 2019 - Josef Möllers <josef.moellers@suse.com>

- Fixed another instance where division by 0 may occur.
  [bsc#1129403, bsc1129403-prevent-division-by-zero.patch]

-------------------------------------------------------------------
Mon Sep 16 08:23:21 UTC 2019 - Josef Möllers <josef.moellers@suse.com>

- Avoid memory leak from __zzip_parse_root_directory().
  Free allocated structure if its address is not passed back.
  [bsc#1107424, CVE-2018-16548, CVE-2018-16548.patch]

-------------------------------------------------------------------
Wed Jul 17 07:35:33 UTC 2019 - josef.moellers@suse.com

- In bins/unzzipcat-mem.c::unzzip_cat() close disk file at end
  to avoid memory leak.
  [bsc#1084515, CVE-2018-7727,
   bsc1084515-ensure-disk_close-to-avoid-mem-leak.patch]

-------------------------------------------------------------------
Tue Jul 16 13:53:20 UTC 2019 - josef.moellers@suse.com

- Prevent division by zero by first checking if uncompressed size
  is 0. This may happen with directories which have a compressed
  and uncompressed size of 0.
  [bsc#1129403, bsc1129403-prevent-division-by-zero.patch]

-------------------------------------------------------------------
Thu Oct  4 10:19:43 UTC 2018 - josef.moellers@suse.com

- Remove any "../" components from pathnames of extracted files. 
  [bsc#1110687, CVE-2018-17828, CVE-2018-17828.patch]

-------------------------------------------------------------------
Thu May  3 11:59:45 UTC 2018 - josef.moellers@suse.com

- If the size of the central directory is too big, reject
  the file.
  Then, if loading the ZIP file fails, display an error message.
  [CVE-2018-6542.patch, CVE-2018-6542, bsc#1079094]

-------------------------------------------------------------------
Tue Mar 20 07:57:26 UTC 2018 - josef.moellers@suse.com

- Check if data from End of central directory record makes sense.
  Especially the Offset of start of central directory must not
  a) be negative or
  b) point behind the end-of-file.
- Check if compressed size in Central directory file header
  makes sense, i.e. the file's data does not extend beyond the 
  end of the file.
  [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch,
   bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch]

-------------------------------------------------------------------
Tue Feb 20 14:04:10 UTC 2018 - meissner@suse.com

- package COPYING.LIB correctly

-------------------------------------------------------------------
Tue Feb  6 14:55:03 UTC 2018 - josef.moellers@suse.com

- If an extension block is too small to hold an extension,
  do not use the information therein.
- If the End of central directory record (EOCD) contains an
  Offset of start of central directory which is beyond the end of
  the file, reject the file.
  [CVE-2018-6540, bsc#1079096, CVE-2018-6540.patch]

-------------------------------------------------------------------
Fri Feb  2 09:31:49 UTC 2018 - josef.moellers@suse.com

- Reject the ZIP file and report it as corrupt if the size of the
  central directory and/or the offset of start of central directory
  point beyond the end of the ZIP file.
  [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch]

-------------------------------------------------------------------
Thu Feb  1 10:49:56 UTC 2018 - josef.moellers@suse.com

- If a file is uncompressed, compressed and uncompressed sizes
  should be identical.
  [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch]

-------------------------------------------------------------------
Tue Jan 23 20:18:19 UTC 2018 - tchvatal@suse.com

- Drop tests as they fail completely anyway, not finding lib needing
  zip command, this should allow us to kill python dependency
- Also drop docs subdir avoiding python dependency for it
  * The generated xmls were used for mans too but we shipped those
    only in devel pkg and as such we will live without them

-------------------------------------------------------------------
Tue Jan 23 20:03:01 UTC 2018 - tchvatal@suse.com

- Version update to 0.13.67:
  * Various fixes found by fuzzing
  * Merged bellow patches
- Remove merged patches:
  * zziplib-CVE-2017-5974.patch
  * zziplib-CVE-2017-5975.patch
  * zziplib-CVE-2017-5976.patch
  * zziplib-CVE-2017-5978.patch
  * zziplib-CVE-2017-5979.patch
  * zziplib-CVE-2017-5981.patch
- Switch to github tarball as upstream seem no longer pull it to
  sourceforge
- Remove no longer applying patch zziplib-unzipcat-NULL-name.patch
  * The sourcecode was quite changed for this to work this way
    anymore, lets hope this is fixed too

-------------------------------------------------------------------
Wed Nov  1 12:37:02 UTC 2017 - mpluskal@suse.com

- Packaking changes:
  * Depend on python2 explicitly
  * Cleanup with spec-cleaner

-------------------------------------------------------------------
Thu Mar 23 13:32:03 UTC 2017 - josef.moellers@suse.com

- Several bugs fixed:
  * heap-based buffer overflows
    (bsc#1024517, CVE-2017-5974, zziplib-CVE-2017-5974.patch)
  * check if "relative offset of local header" in "central
    directory header" really points to a local header
    (ZZIP_FILE_HEADER_MAGIC)
    (bsc#1024528, CVE-2017-5975, zziplib-CVE-2017-5975.patch)
  * protect against bad formatted data in extra blocks
    (bsc#1024531, CVE-2017-5976, zziplib-CVE-2017-5976.patch)
  * NULL pointer dereference in main (unzzipcat-mem.c)
    (bsc#1024532, bsc#1024536, CVE-2017-5975,
    zziplib-CVE-2017-5975.patch) 
  * protect against huge values of "extra field length"
    in local file header and central file header
    (bsc#1024533, CVE-2017-5978, zziplib-CVE-2017-5978.patch)
  * clear ZZIP_ENTRY record before use.
    (bsc#1024534, bsc#1024535, CVE-2017-5979, CVE-2017-5977,
    zziplib-CVE-2017-5979.patch)
  * prevent unzzipcat.c from trying to print a NULL name
    (bsc#1024537, zziplib-unzipcat-NULL-name.patch)
  * Replace assert() by going to error exit.
    (bsc#1034539, CVE-2017-5981, zziplib-CVE-2017-5981.patch)

-------------------------------------------------------------------
Sat Mar 16 21:37:21 UTC 2013 - schwab@linux-m68k.org

- zziplib-largefile.patch: Enable largefile support
- Enable debug information

-------------------------------------------------------------------
Sat Dec 15 18:36:24 UTC 2012 - p.drouand@gmail.com

- Update to 0.13.62 version:
	* configure.ac: fallback to libtool -export-dynamic unless being sure to
      use gnu-ld --export-dynamic. The darwin case is a bit special here 
	  as the c-compiler and linker might be from different worlds.
    * Makefile.am: allow nonstaic build
    * wrap fd.open like in the Fedora patch
- Remove the package name on summary
- Add dos2unix as build dependencie to fix a wrong file encoding

-------------------------------------------------------------------
Sat Nov 19 15:38:23 UTC 2011 - coolo@suse.com

- add libtool as buildrequire to avoid implicit dependency

-------------------------------------------------------------------
Fri Sep 16 16:02:33 UTC 2011 - jengelh@medozas.de

- Implement shlib policy/packaging for package, add baselibs.conf
  and resolve redundant constructs

-------------------------------------------------------------------
Sat Apr 30 15:22:39 UTC 2011 - crrodriguez@opensuse.org

- Fix build with gcc 4.6

-------------------------------------------------------------------
Mon Feb 15 16:43:03 CET 2010 - dimstar@opensuse.org

- Update to version 0.13.58:
  + Some bugs fixed, see ChangeLog

-------------------------------------------------------------------
Mon Jul 27 16:24:06 CEST 2009 - coolo@novell.com

- update to version 0.13.56 - fixes many smaller issues
 (see Changelog)

-------------------------------------------------------------------
Wed Jun 17 10:05:23 CEST 2009 - coolo@novell.com

- fix build with automake 1.11

-------------------------------------------------------------------
Mon Jan 26 20:39:14 CET 2009 - crrodriguez@suse.de

- remove "la" files

-------------------------------------------------------------------
Fri Oct 24 12:32:13 CEST 2008 - wgottwalt@suse.de

- removed ./msvc7/pkzip.exe and ./msvc8/zip.exe to avoid license
  problems

-------------------------------------------------------------------
Wed Aug 15 05:35:45 CEST 2007 - crrodriguez@suse.de

- update to version 0.13.49 fixes #260734 buffer overflow
 due to wrong usage of strcpy()

-------------------------------------------------------------------
Thu Mar 29 20:59:38 CEST 2007 - dmueller@suse.de

- adjust buildrequires

-------------------------------------------------------------------
Mon Dec  4 15:10:35 CET 2006 - dmueller@suse.de

- don't build as root

-------------------------------------------------------------------
Tue Oct  3 11:24:24 CEST 2006 - aj@suse.de

- Fix build.

-------------------------------------------------------------------
Fri Aug 18 08:15:46 CEST 2006 - aj@suse.de

- Fix build.

-------------------------------------------------------------------
Mon May 22 13:53:45 CEST 2006 - wgottwalt@suse.de

- initial release
- still problems with the "make check" build option

Places

File zziplib.changes of Package zziplib.35221

Places