Bug#1004049: marked as done (buster-pu: package zziplib/0.13.62-3.2+deb10u1)

Debian Bug Tracking System Sat, 26 Mar 2022 05:15:49 -0700

Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id 
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1004049,
regarding buster-pu: package zziplib/0.13.62-3.2+deb10u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004049: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004049
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for zziplib fixes CVE-2020-18442 in Buster. This CVEis marked as no-dsa by the security team.


The same patch is uploaded to Stretch already and nobody complained yet.

  Thorsten

diff -Nru zziplib-0.13.62/debian/changelog zziplib-0.13.62/debian/changelog
--- zziplib-0.13.62/debian/changelog    2019-03-04 22:43:14.000000000 +0100
+++ zziplib-0.13.62/debian/changelog    2021-12-26 00:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+zziplib (0.13.62-3.2+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-18442
+    Because of mishandling a return value, an attacker might cause a
+    denial of service due to an infinite loop.
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 26 Dec 2021 00:03:02 +0100
+
 zziplib (0.13.62-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch 
zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch       1970-01-01 
01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-2.patch       2021-12-26 
00:03:02.000000000 +0100
@@ -0,0 +1,28 @@
+commit 7e786544084548da7fcfcd9090d3c4e7f5777f7e
+Author: Guido Draheim <gui...@gmx.de>
+Date:   Mon Jan 4 21:50:26 2021 +0100
+
+    #68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzip-mem.c
+===================================================================
+--- zziplib-0.13.62.orig/bins/unzip-mem.c      2021-12-26 00:59:28.017867652 
+0100
++++ zziplib-0.13.62/bins/unzip-mem.c   2021-12-26 00:59:28.013867656 +0100
+@@ -90,7 +90,7 @@
+     if (file) 
+     {
+       char buffer[1024]; int len;
+-      while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++      while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+           fwrite (buffer, len, 1, out);
+       
+       zzip_mem_disk_fclose (file);
+@@ -124,7 +124,7 @@
+     {
+       unsigned long crc = crc32 (0L, NULL, 0);
+       unsigned char buffer[1024]; int len; 
+-      while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
++      while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
+           crc = crc32 (crc, buffer, len);
+       }
+       
diff -Nru zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch 
zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch
--- zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch       1970-01-01 
01:00:00.000000000 +0100
+++ zziplib-0.13.62/debian/patches/CVE-2020-18442-4.patch       2021-12-26 
00:03:02.000000000 +0100
@@ -0,0 +1,28 @@
+commit 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e
+Author: Guido Draheim <gui...@gmx.de>
+Date:   Mon Jan 4 21:51:56 2021 +0100
+
+    #68 return value of zzip_mem_disk_fread is signed
+
+Index: zziplib-0.13.62/bins/unzzipcat-mem.c
+===================================================================
+--- zziplib-0.13.62.orig/bins/unzzipcat-mem.c  2021-12-26 00:59:59.133843763 
+0100
++++ zziplib-0.13.62/bins/unzzipcat-mem.c       2021-12-26 00:59:59.129843767 
+0100
+@@ -40,7 +40,7 @@
+     if (file) 
+     {
+       char buffer[1024]; int len;
+-      while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
++      while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
+           fwrite (buffer, len, 1, out);
+       
+       zzip_mem_disk_fclose (file);
+@@ -53,7 +53,7 @@
+     if (file) 
+     {
+       char buffer[1024]; int len;
+-      while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
++      while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
+       {
+           fwrite (buffer, 1, len, out);
+       }
diff -Nru zziplib-0.13.62/debian/patches/series 
zziplib-0.13.62/debian/patches/series
--- zziplib-0.13.62/debian/patches/series       2019-03-04 22:43:14.000000000 
+0100
+++ zziplib-0.13.62/debian/patches/series       2021-12-26 00:03:02.000000000 
+0100
@@ -17,3 +17,8 @@
 Avoid-memory-leak-from-__zzip_parse_root_directory-1.patch
 Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
 One-more-free-to-avoid-memory-leak.patch
+
+# not all of the seven patches mentioned in the security tracker
+# for this CVE are needed in every release
+CVE-2020-18442-2.patch
+CVE-2020-18442-4.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---

Bug#1004049: marked as done (buster-pu: package zziplib/0.13.62-3.2+deb10u1)

Reply via email to