From 54378a04b4b9fdd43b8e34293877151bb29448d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= Date: Mon, 23 Oct 2023 10:58:30 +0700 Subject: [PATCH] minizip: update to 1.3. --- srcpkgs/minizip/patches/CVE-2023-45853.patch | 36 ++++++++++++++++++++ srcpkgs/minizip/template | 4 +-- srcpkgs/minizip/update | 5 ++- 3 files changed, 40 insertions(+), 5 deletions(-) create mode 100644 srcpkgs/minizip/patches/CVE-2023-45853.patch diff --git a/srcpkgs/minizip/patches/CVE-2023-45853.patch b/srcpkgs/minizip/patches/CVE-2023-45853.patch new file mode 100644 index 00000000000..784c57766f2 --- /dev/null +++ b/srcpkgs/minizip/patches/CVE-2023-45853.patch @@ -0,0 +1,36 @@ +From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001 +From: Hans Wennborg +Date: Fri, 18 Aug 2023 11:05:33 +0200 +Subject: [PATCH] Reject overflows of zip header fields in minizip. + +This checks the lengths of the file name, extra field, and comment +that would be put in the zip headers, and rejects them if they are +too long. They are each limited to 65535 bytes in length by the zip +format. This also avoids possible buffer overflows if the provided +fields are too long. +--- + contrib/minizip/zip.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c +index 3d3d4cadd..0446109b2 100644 +--- a/contrib/minizip/zip.c ++++ b/contrib/minizip/zip.c +@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c + return ZIP_PARAMERROR; + #endif + ++ // The filename and comment length must fit in 16 bits. ++ if ((filename!=NULL) && (strlen(filename)>0xffff)) ++ return ZIP_PARAMERROR; ++ if ((comment!=NULL) && (strlen(comment)>0xffff)) ++ return ZIP_PARAMERROR; ++ // The extra field length must fit in 16 bits. If the member also requires ++ // a Zip64 extra block, that will also need to fit within that 16-bit ++ // length, but that will be checked for later. ++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) ++ return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff --git a/srcpkgs/minizip/template b/srcpkgs/minizip/template index 09608c200c5..356ee21f8e0 100644 --- a/srcpkgs/minizip/template +++ b/srcpkgs/minizip/template @@ -1,6 +1,6 @@ # Template file for 'minizip' pkgname=minizip -version=1.2.13 +version=1.3 revision=1 build_wrksrc="contrib/${pkgname}" build_style=gnu-configure @@ -11,7 +11,7 @@ maintainer="ojab " license="Zlib" homepage="https://www.winimage.com/zLibDll/minizip.html" distfiles="https://www.zlib.net/zlib-${version}.tar.gz" -checksum=b3a24de97a8fdbc835b9833169501030b8977031bcb54b3b3ac13740f846ab30 +checksum=ff0ba4c292013dbc27530b3a81e1f9a813cd39de01ca5e0f8bf355702efa593e pre_configure() { autoreconf -i diff --git a/srcpkgs/minizip/update b/srcpkgs/minizip/update index 4403b5d7568..7ddf9288650 100644 --- a/srcpkgs/minizip/update +++ b/srcpkgs/minizip/update @@ -1,3 +1,2 @@ -pkgname="zlib" -ignore="*dll*" -version="${version//./}" +site="http://zlib.net/" +pattern="(?<=(?:zlib-))[\d.]*(?=(?:.tar.gz))"