[libzip] CVE-2015-2331: integer overflow when processing ZIP archives (#1204676, #1204677)

Rex Dieter rdieter at fedoraproject.org
Mon Mar 23 12:49:25 UTC 2015


commit 9f9eb8c9ed2a2ab07e684cecfbfff558ece33792
Author: Rex Dieter <rdieter at math.unl.edu>
Date:   Mon Mar 23 07:49:24 2015 -0500

    CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)

 libzip-0.11.2-CVE-2015-2331.patch | 12 ++++++++++++
 libzip.spec                       |  9 ++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
---
diff --git a/libzip-0.11.2-CVE-2015-2331.patch b/libzip-0.11.2-CVE-2015-2331.patch
new file mode 100644
index 0000000..44aeb5a
--- /dev/null
+++ b/libzip-0.11.2-CVE-2015-2331.patch
@@ -0,0 +1,12 @@
+diff -up libzip-0.11.2/lib/zip_dirent.c.CVE-2015-2331 libzip-0.11.2/lib/zip_dirent.c
+--- libzip-0.11.2/lib/zip_dirent.c.CVE-2015-2331	2013-11-28 10:57:10.000000000 -0600
++++ libzip-0.11.2/lib/zip_dirent.c	2015-03-23 07:45:27.486986723 -0500
+@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
+ 
+     if (nentry == 0)
+ 	cd->entry = NULL;
+-    else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
++    else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(zip_entry_t *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
+ 	return NULL;
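Review bot: The replacement line in zip_dirent.c casts the malloc result to `(zip_entry_t *)`, while the removed line used `(struct zip_entry *)`, and nothing in this hunk introduces that typedef. Confirm that the 0.11.2 sources define `zip_entry_t`, or keep the original cast (in C the `void *` returned by malloc converts without one). The `nentry > SIZE_MAX/sizeof(*(cd->entry))` guard is evaluated before the multiplication, which is the right order, but the hunk adds no include for `SIZE_MAX`, so also check that `<stdint.h>` is already pulled in for this file.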
diff --git a/libzip.spec b/libzip.spec
index 25da572..bcc898b 100644
--- a/libzip.spec
+++ b/libzip.spec
@@ -3,13 +3,17 @@
 
 Name:    libzip
 Version: 0.11.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: C library for reading, creating, and modifying zip archives
 
 License: BSD
 URL:     http://www.nih.at/libzip/index.html
 Source0: http://www.nih.at/libzip/libzip-%{version}.tar.xz
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1204677
+# http://hg.nih.at/libzip/raw-rev/9f11d54f692e
+Patch1: libzip-0.11.2-CVE-2015-2331.patch
+
 #BuildRequires:  automake libtool
 BuildRequires:  zlib-devel
 
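Review bot: `Patch1:` is declared in this hunk, but neither spec hunk adds a matching `%patch1` line to %prep, and the diffstat (8 insertions, 1 deletion for libzip.spec) is fully accounted for by the lines shown. Unless %prep already applies all patches automatically (for example via %autosetup), the package would be rebuilt as 0.11.2-4 without the overflow check. Verify that the patch is applied in %prep, and add the line if it is not.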
@@ -93,6 +97,9 @@ make check
 
 
 %changelog
+* Mon Mar 23 2015 Rex Dieter <rdieter at fedoraproject.org> 0.11.2-4
+- CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)
+
 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.11.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 
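Review bot: The new %changelog entry writes the version as `> 0.11.2-4`, while the existing entry below it uses `> - 0.11.2-3`. Add the ` - ` separator before the version-release so the entries stay consistent.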

