Package: odt2txt Version: 0.4-1 Severity: normal Tags: patch, security User: [email protected] Usertags: origin-ubuntu jaunty ubuntu-patch
Hello! I noticed that odt2txt uses an embedded version of a ZIP unpacker. It would be much safer to link against the system libzip libraries so that if security issues are found, odt2txt would be covered automatically by updates to those libraries. Attached patch (while a little brute-force in the Makefile) solves this issue. Thanks! -Kees -- Kees Cook @debian.org
diff -u odt2txt-0.4/debian/control odt2txt-0.4/debian/control
--- odt2txt-0.4/debian/control
+++ odt2txt-0.4/debian/control
@@ -2,7 +2,7 @@
 Section: text
 Priority: optional
 Maintainer: Nelson A. de Oliveira <[email protected]>
-Build-Depends: cdbs, debhelper (>= 7), zlib1g-dev
+Build-Depends: cdbs, debhelper (>= 7), zlib1g-dev, libzip-dev
 Standards-Version: 3.8.0
 Homepage: http://stosberg.net/odt2txt/
--- odt2txt-0.4.orig/Makefile
+++ odt2txt-0.4/Makefile
@@ -20,6 +20,10 @@
 LIBS = -lz
 ALL_OBJ = $(OBJ) $(TEST_OBJ)
+KUNZIP_OBJS =
+override CFLAGS += -DHAVE_LIBZIP
+LIBS += -lzip
+
 INSTALL = install
 GROFF = groff
only in patch2:
unchanged:
--- odt2txt-0.4.orig/odt2txt.c
+++ odt2txt-0.4/odt2txt.c
@@ -36,7 +36,11 @@
 #include "mem.h"
 #include "regex.h"
 #include "strbuf.h"
-#include "kunzip/kunzip.h"
+#ifdef HAVE_LIBZIP
+# include <zip.h>
+#else
+# include "kunzip/kunzip.h"
+#endif
 #define VERSION "0.4"
@@ -167,7 +171,9 @@
 {
 printf("odt2txt %s\n"
 "Copyright (c) 2006,2007 Dennis Stosberg <[email protected]>\n"
+#ifndef HAVE_LIBZIP
 "Uses the kunzip library, Copyright 2005,2006 by Michael Kohn\n"
+#endif
 "\n"
 "This program is free software; you can redistribute it and/or\n"
 "modify it under the terms of the GNU General Public License,\n"
@@ -375,10 +381,27 @@
 static STRBUF *read_from_zip(const char *zipfile, const char *filename)
 {
- int r;
- STRBUF *content;
+ int r = 0;
+ STRBUF *content = NULL;
+#ifdef HAVE_LIBZIP
+ int zip_error;
+ struct zip *zip = NULL;
+ struct zip_stat stat;
+ struct zip_file *unzipped = NULL;
+ char *buf = NULL;
+
+ if ( !(zip = zip_open(zipfile, 0, &zip_error)) ||
+ (r = zip_name_locate(zip, filename, ZIP_FL_NOCASE)) < 0 ||
+ (zip_stat_index(zip, r, ZIP_FL_UNCHANGED, &stat)<0) ||
+ !(unzipped = zip_fopen_index(zip, r, ZIP_FL_UNCHANGED)) ) {
+ if (unzipped) zip_fclose(unzipped);
+ if (zip) zip_close(zip);
+ r = -1;
+ }
+#else
 r = kunzip_get_offset_by_name((char*)zipfile, (char*)filename, 3, -1);
+#endif
 if(-1 == r) {
 fprintf(stderr,
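Review bot: In the new `#ifdef HAVE_LIBZIP` failure branch of read_from_zip, `if (unzipped) zip_fclose(unzipped);` can never run: `unzipped` is assigned by the last operand of the `||` chain, so it is still NULL whenever the branch is entered, and the line can be dropped. The lookup passes `ZIP_FL_NOCASE`, so an archive holding two entries whose names differ only in case may yield a different entry than a case-sensitive ODF reader would pick; whether the kunzip call (flag argument `3`) matched names the same way is not visible here, so a comment such as `/* case-insensitive match kept for parity with kunzip; confirm */` would help. `zip_error` is filled in by `zip_open` but never reported, so the failure message that follows cannot tell an unreadable file from a missing entry. The local `struct zip_stat stat` also hides the libc `stat()` name inside this function; `zstat` would avoid that. The function body continues past the end of this hunk.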
@@ -386,7 +409,18 @@
 exit(EXIT_FAILURE);
 }
+#ifdef HAVE_LIBZIP
+ if ( !(buf = ymalloc(stat.size + 1)) ||
+ (zip_fread(unzipped, buf, stat.size) != stat.size) ||
+ !(content = strbuf_slurp_n(buf, stat.size)) ) {
+ if (buf) yfree(buf);
+ content = NULL;
+ }
+ zip_fclose(unzipped);
+ zip_close(zip);
+#else
 content = kunzip_next_tobuf((char*)zipfile, r);
+#endif
 if (!content) {
 fprintf(stderr,
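Review bot: `stat.size` comes from the archive's own directory, i.e. from the input document, yet it is used unchecked in `ymalloc(stat.size + 1)`; depending on the type libzip gives that field, the addition or the conversion to `size_t` can wrap, and a crafted entry can request an arbitrarily large allocation. A guard as the first operand of the chain, e.g. `(uintmax_t)stat.size >= SIZE_MAX ||`, together with a project-chosen ceiling on entry size, would bound it. `zip_fread(...) != stat.size` compares a signed return value with the size field, so an error return of -1 is rejected only through integer conversion; storing the result in a signed local and testing `< 0` first is clearer. The extra byte from `+ 1` is never written in this hunk, so if `strbuf_slurp_n` expects a terminated buffer (not visible here), `buf[stat.size] = '\0';` is needed before the call. The function starts before this hunk.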

