diff --git a/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch b/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch
new file mode 100644
index 0000000..a98a34d
--- /dev/null
+++ b/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch
@@ -0,0 +1,47 @@
+diff --git a/libgcab/cabinet.c b/libgcab/cabinet.c
+index a675d1b..9847f1c 100644
+--- a/libgcab/cabinet.c
++++ b/libgcab/cabinet.c
+@@ -460,18 +460,38 @@ cdata_read (cdata_t *cd, u1 res_data, gint comptype,
+ gboolean success = FALSE;
+ int ret, zret = Z_OK;
+ gint compression = comptype & GCAB_COMPRESSION_MASK;
+- guint8 *buf = compression == GCAB_COMPRESSION_NONE ? cd->out : cd->in;
++ gsize buf_sz;
++ guint8 *buf = NULL;
+ CHECKSUM datacsum;
+ 
+- if (compression > GCAB_COMPRESSION_MSZIP &&
+- compression != GCAB_COMPRESSION_LZX) {
++ /* decompress directly into ->out for no decompression */
++ switch (compression) {
++ case GCAB_COMPRESSION_NONE:
++ buf = cd->out;
++ buf_sz = sizeof(cd->out);
++ break;
++ case GCAB_COMPRESSION_MSZIP:
++ case GCAB_COMPRESSION_LZX:
++ buf = cd->in;
++ buf_sz = sizeof(cd->in);
++ break;
++ default:
+ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
+ _("unsupported compression method %d"), compression);
+- return FALSE;
++ break;
+ }
++ if (buf == NULL)
++ return FALSE;
+ 
+ R4 (cd->checksum);
+ R2 (cd->ncbytes);
++ if (cd->ncbytes > buf_sz) {
++ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
++ "tried to decompress %" G_GUINT16_FORMAT " bytes "
++ "into buffer of size %" G_GSIZE_FORMAT,
++ cd->ncbytes, buf_sz);
++ return FALSE;
++ }
+ R2 (cd->nubytes);
+ cd->reserved = g_malloc (res_data);
+ RN (cd->reserved, res_data);
diff --git a/SOURCES/0001-Fix-a-few-Dereference-of-null-pointer-warnings.patch b/SOURCES/0001-Fix-a-few-Dereference-of-null-pointer-warnings.patch
new file mode 100644
index 0000000..cc0ed4b
--- /dev/null
+++ b/SOURCES/0001-Fix-a-few-Dereference-of-null-pointer-warnings.patch
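Review bot: The new bound in cdata_read covers only `ncbytes`; `nubytes` is read by the `R2 (cd->nubytes);` that immediately follows and is not checked here, so if the decompressors later in the function (outside this hunk) write `nubytes` bytes into `cd->out`, a crafted block with a large uncompressed size still has no guard on the output side — a matching `if (cd->nubytes > sizeof(cd->out)) { g_set_error (...); return FALSE; }` after that read would close it, assuming that is how `out` is used; confirm against the rest of cdata_read. `buf_sz` is left uninitialized on the `default:` path; it is never read because `buf == NULL` returns first, but `gsize buf_sz = 0;` keeps the two declarations symmetric and avoids a -Wmaybe-uninitialized warning on some compilers. The new error string is not wrapped in `_()` the way the neighbouring "unsupported compression method" message is, so it will not be translated. cdata_read continues past the end of this hunk.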
@@ -0,0 +1,53 @@
+From 411ce03bdeddd7cbf69cb7c68845c99908657bf9 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Wed, 1 Mar 2017 16:39:27 +0000
+Subject: [PATCH 1/4] Fix a few 'Dereference of null pointer' warnings
+
+---
+ libgcab/cabinet.c | 2 +-
+ libgcab/gcab-cabinet.c | 2 +-
+ libgcab/gcab-folder.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libgcab/cabinet.c b/libgcab/cabinet.c
+index 1fa2af8..4df9024 100644
+--- a/libgcab/cabinet.c
++++ b/libgcab/cabinet.c
+@@ -562,7 +562,7 @@ end:
+ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
+ "zlib failed: %s", zError (zret));
+ 
+- if (!*error && !success)
++ if (error != NULL && *error == NULL && !success)
+ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
+ "Invalid cabinet chunk");
+ 
+diff --git a/libgcab/gcab-cabinet.c b/libgcab/gcab-cabinet.c
+index e81b052..a6cc4f0 100644
+--- a/libgcab/gcab-cabinet.c
++++ b/libgcab/gcab-cabinet.c
+@@ -257,7 +257,7 @@ gcab_cabinet_write (GCabCabinet *self,
+ 
+ g_clear_object (&in);
+ in = G_INPUT_STREAM (g_file_read (file->file, cancellable, error));
+- if (*error)
++ if (in == NULL)
+ goto end;
+ 
+ while ((len = g_input_stream_read (in,
+diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
+index e724097..dc33b6a 100644
+--- a/libgcab/gcab-folder.c
++++ b/libgcab/gcab-folder.c
+@@ -240,7 +240,7 @@ gcab_folder_add_file (GCabFolder *self, GCabFile *file,
+ g_return_val_if_fail (G_IS_FILE (gfile), FALSE);
+ 
+ GFileInfo *info = g_file_query_info (gfile, FILE_ATTRS, 0, NULL, error);
+- if (*error)
++ if (info == NULL)
+ return FALSE;
+ 
+ success = add_file_info (self, file, info,
+--
+2.9.3
+
diff --git a/SOURCES/0002-Always-check-the-return-value-when-writing-to-the-st.patch b/SOURCES/0002-Always-check-the-return-value-when-writing-to-the-st.patch
new file mode 100644
index 0000000..8f8b665
--- /dev/null
+++ b/SOURCES/0002-Always-check-the-return-value-when-writing-to-the-st.patch
@@ -0,0 +1,30 @@
+From 4d2c600f54d2f00d1604aaeb20e2285e9ab0cad9 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Wed, 1 Mar 2017 16:40:05 +0000
+Subject: [PATCH 2/4] Always check the return value when writing to the stream
+
+---
+ libgcab/cabinet.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libgcab/cabinet.c b/libgcab/cabinet.c
+index 4df9024..a675d1b 100644
+--- a/libgcab/cabinet.c
++++ b/libgcab/cabinet.c
+@@ -190,9 +190,10 @@ cheader_write (cheader_t *ch, GDataOutputStream *out,
+ return FALSE;
+ 
+ if (ch->flags & CABINET_HEADER_RESERVE) {
+- W2 (ch->res_header);
+- W1 (ch->res_folder);
+- W1 (ch->res_data);
++ if (!W2 (ch->res_header) ||
++ !W1 (ch->res_folder) ||
++ !W1 (ch->res_data))
++ return FALSE;
+ if (g_output_stream_write (stream, ch->reserved, ch->res_header,
+ cancellable, error) == -1)
+ return FALSE;
+--
+2.9.3
+
diff --git a/SOURCES/0003-Fix-a-theoretical-crash-when-building-the-table-entr.patch b/SOURCES/0003-Fix-a-theoretical-crash-when-building-the-table-entr.patch
new file mode 100644
index 0000000..7f64e2f
--- /dev/null
+++ b/SOURCES/0003-Fix-a-theoretical-crash-when-building-the-table-entr.patch
@@ -0,0 +1,29 @@
+From 42c5e4f6d227b0dcee7e01702e9338f15dfa1568 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Wed, 1 Mar 2017 17:02:05 +0000
+Subject: [PATCH 3/4] Fix a theoretical crash when building the table entries
+
+I can't actually see a way to construct the ZIPstate with no tables, but this
+at least this stops Coverity complaining.
+---
+ libgcab/decomp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libgcab/decomp.c b/libgcab/decomp.c
+index cce368e..52445e8 100644
+--- a/libgcab/decomp.c
++++ b/libgcab/decomp.c
+@@ -248,6 +248,10 @@ struct Ziphuft **t, cab_LONG *m, fdi_decomp_state *decomp_state)
+ i ^= j;
+ i ^= j;
+ 
++ /* no tables */
++ if (h < 0)
++ return 2; /* corrupt */
++
+ /* backup over finished tables */
+ while ((i & ((1 << w) - 1)) != ZIP(x)[h])
+ w -= l[--h]; /* don't need to update q */
+--
+2.9.3
+
diff --git a/SOURCES/0004-Fix-buffer-overrun-when-generating-Huffman-codes.patch b/SOURCES/0004-Fix-buffer-overrun-when-generating-Huffman-codes.patch
new file mode 100644
index 0000000..8416e27
--- /dev/null
+++ b/SOURCES/0004-Fix-buffer-overrun-when-generating-Huffman-codes.patch
@@ -0,0 +1,27 @@
+From 42a8b8af21af24bb35548bcd2499c792d1a8c1a3 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Wed, 1 Mar 2017 17:15:10 +0000
+Subject: [PATCH 4/4] Fix buffer overrun when generating Huffman codes
+
+---
+ libgcab/decomp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libgcab/decomp.c b/libgcab/decomp.c
+index 52445e8..3ee8f9b 100644
+--- a/libgcab/decomp.c
++++ b/libgcab/decomp.c
+@@ -190,7 +190,9 @@ struct Ziphuft **t, cab_LONG *m, fdi_decomp_state *decomp_state)
+ xp = ZIP(c) + k;
+ while (++j < z) /* try smaller tables up to z bits */
+ {
+- if ((f <<= 1) <= *++xp)
++ if (*++xp > ZIPBMAX)
++ return 2; /* corrupt */
++ if ((f <<= 1) <= *xp)
+ break; /* enough codes to use up j bits */
+ f -= *xp; /* else deduct codes from patterns */
+ }
+--
+2.9.3
+
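Review bot: In the 0004 patch the new guard compares `*++xp` — a per-length code count, since the `f -= *xp` below it deducts that value from the code budget — against ZIPBMAX, which is defined outside the hunk; if ZIPBMAX is the maximum code length (16 in the inflate table builder this code derives from) rather than a count limit, well-formed tables with more than 16 codes of one length would be rejected as corrupt, and deflate's fixed literal tree alone has 152 codes of length 8. That is worth confirming by extracting an MSZIP cabinet whose blocks use fixed Huffman codes before this ships. If the overrun being fixed is `xp` walking past the end of the count array, bounding the index (checking `j` against the array length before the dereference) addresses it without changing which tables are accepted. The enclosing Ziphuft_build starts and ends outside the hunk.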
diff --git a/SPECS/gcab.spec b/SPECS/gcab.spec
new file mode 100644
index 0000000..1386690
--- /dev/null
+++ b/SPECS/gcab.spec
@@ -0,0 +1,157 @@
+Name: gcab
+Version: 0.7
+Release: 4%{?dist}
+Summary: Cabinet file library and tool
+
+License: LGPLv2+
+#VCS: git:git://git.gnome.org/gcab
+URL: http://ftp.gnome.org/pub/GNOME/sources/gcab
+Source0: http://ftp.gnome.org/pub/GNOME/sources/gcab/%{version}/%{name}-%{version}.tar.xz
+
+# Already upstream
+Patch1: 0001-Fix-a-few-Dereference-of-null-pointer-warnings.patch
+Patch2: 0002-Always-check-the-return-value-when-writing-to-the-st.patch
+Patch3: 0003-Fix-a-theoretical-crash-when-building-the-table-entr.patch
+Patch4: 0004-Fix-buffer-overrun-when-generating-Huffman-codes.patch
+Patch5: 0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch
+
+BuildRequires: intltool
+BuildRequires: vala-tools
+BuildRequires: glib2-devel
+BuildRequires: gobject-introspection-devel
+BuildRequires: zlib-devel
+
+Requires: libgcab1%{?_isa} = %{version}-%{release}
+
+%description
+gcab is a tool to manipulate Cabinet archive.
+
+%package -n libgcab1
+Summary: Library to create Cabinet archives
+
+%description -n libgcab1
+libgcab is a library to manipulate Cabinet archive using GIO/GObject.
+
+%package -n libgcab1-devel
+Summary: Development files to create Cabinet archives
+Requires: libgcab1%{?_isa} = %{version}-%{release}
+Requires: glib2-devel
+Requires: pkgconfig
+
+%description -n libgcab1-devel
+libgcab is a library to manipulate Cabinet archive.
+
+Libraries, includes, etc. to compile with the gcab library.
+
+%prep
+%setup -q
+%patch1 -p1 -b .coverity1
+%patch2 -p1 -b .coverity2
+%patch3 -p1 -b .coverity3
+%patch4 -p1 -b .coverity4
+%patch5 -p1 -b .cve20185345
+
+%build
+%configure --disable-silent-rules --disable-static
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+
+rm -f %{buildroot}%{_libdir}/*.a
+rm -f %{buildroot}%{_libdir}/*.la
+
+%find_lang %{name}
+
+%post -n libgcab1 -p /sbin/ldconfig
+%postun -n libgcab1 -p /sbin/ldconfig
+
+%files
+%doc COPYING NEWS
+%{_bindir}/gcab
+%{_mandir}/man1/gcab.1*
+
+%files -n libgcab1 -f %{name}.lang
+%doc COPYING NEWS
+%{_libdir}/girepository-1.0/GCab-1.0.typelib
+%{_libdir}/libgcab-1.0.so.*
+
+%files -n libgcab1-devel
+%{_datadir}/gir-1.0/GCab-1.0.gir
+%{_datadir}/gtk-doc/html/gcab/*
+%{_datadir}/vala/vapi/libgcab-1.0.vapi
+%{_includedir}/libgcab-1.0/*
+%{_libdir}/libgcab-1.0.so
+%{_libdir}/pkgconfig/libgcab-1.0.pc
+
+%changelog
+* Wed Feb 14 2018 Richard Hughes - 0.7-4
+- Fixes the security issue known as CVE-2018-5345
+- Resolves: #1533174
+
+* Mon Mar 06 2017 Richard Hughes - 0.7-3
+- Fix some more bugs spotted by coverity and RPMDiff.
+- Resolves: #1388476
+
+* Thu Mar 02 2017 Richard Hughes - 0.7-2
+- Fix some bugs spotted by coverity and RPMDiff.
+- Resolves: #1388476
+
+* Wed Mar 09 2016 Marc-André Lureau - 0.7-1
+- 0.7 release update.
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Dec 01 2015 Fabiano Fidêncio - 0.6-5
+- Bump NVR and rebuild due to a mistakenly deleted build
+
+* Thu Jul 30 2015 Marc-André Lureau - 0.6-4
+- Fix wrong file modification date when creating cab.
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 23 2015 Kalev Lember - 0.6-2
+- Pull in the base library package when installing -devel
+
+* Tue Mar 17 2015 Marc-André Lureau - 0.6-1
+- Update to upstream release v0.6
+
+* Tue Jan 06 2015 Marc-André Lureau - 0.4-7
+- Avoid directory traversal CVE-2015-0552. rhbz#1179126
+
+* Sat Aug 16 2014 Fedora Release Engineering - 0.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jul 22 2014 Kalev Lember - 0.4-5
+- Rebuilt for gobject-introspection 1.41.4
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Feb 12 2013 Simone Caronni - 0.4-2
+- Removed rpm 4.5 macros/tags, it cannot be built with the vala in el5/el6.
+- Removed redundant requirement on libgcab1%%{_isa}, added automatically by rpm.
+
+* Fri Feb 8 2013 Marc-André Lureau - 0.4-1
+- Update to upstream v0.4.
+
+* Fri Feb 8 2013 Marc-André Lureau - 0.3-3
+- Align more fields.
+- Use double percentage in comment.
+- Include COPYING file in gcab package too.
+
+* Fri Feb 8 2013 Marc-André Lureau - 0.3-2
+- Untabify.
+- Use %%{buildroot} consitantly.
+- Do not use -1.0 in package names.
+- Add more tags based on the el5 spec template.
+- Re-add --enable-fast-install trick, to make gcab relink.
+
+* Sun Jan 26 2013 Marc-André Lureau - 0.3-1
+- Initial package (rhbz#895757)
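Review bot: `Patch5:` reuses the `0001-` prefix already taken by `Patch1:`, so the two files sort next to each other in SOURCES while being applied four steps apart; renaming it `0005-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch` (and updating the `Patch5:` line) keeps directory order and `%patch` order the same. The `# Already upstream` comment covers all five patches, but nothing next to `Patch5:` records that it is the CVE-2018-5345 backport, which is otherwise only visible through the `-b .cve20185345` suffix and the changelog; a one-line `# CVE-2018-5345: bound cdata ncbytes against the read buffer` above it makes the security fix greppable in the spec.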