From 7e4907e3aea29ec525118624155b47356af184a5 Mon Sep 17 00:00:00 2001 From: zyppe <210hcl@gmail.com> Date: Wed, 28 Feb 2024 21:31:32 +0800 Subject: [PATCH] Initialize for libmspack --- .gitignore | 1 + .libmspack.metadata | 1 + baselibs.conf | 1 + cve-2018-18586.patch | 174 ++++++++++++++++++++++ libmspack-0.6alpha-CVE-2019-1010305.patch | 44 ++++++ libmspack-CVE-2018-14679.patch | 30 ++++ libmspack-CVE-2018-14681.patch | 65 ++++++++ libmspack-CVE-2018-14682.patch | 22 +++ libmspack-failing-tests.patch | 13 ++ libmspack-fix-bounds-checking.patch | 42 ++++++ libmspack-reject-blank-filenames.patch | 25 ++++ libmspack-resize-buffer.patch | 46 ++++++ libmspack.changes | 130 ++++++++++++++++ libmspack.spec | 121 +++++++++++++++ 14 files changed, 715 insertions(+) create mode 100644 .gitignore create mode 100644 .libmspack.metadata create mode 100644 baselibs.conf create mode 100644 cve-2018-18586.patch create mode 100644 libmspack-0.6alpha-CVE-2019-1010305.patch create mode 100644 libmspack-CVE-2018-14679.patch create mode 100644 libmspack-CVE-2018-14681.patch create mode 100644 libmspack-CVE-2018-14682.patch create mode 100644 libmspack-failing-tests.patch create mode 100644 libmspack-fix-bounds-checking.patch create mode 100644 libmspack-reject-blank-filenames.patch create mode 100644 libmspack-resize-buffer.patch create mode 100644 libmspack.changes create mode 100644 libmspack.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5b00e6c --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +libmspack-0.6alpha.tar.gz diff --git a/.libmspack.metadata b/.libmspack.metadata new file mode 100644 index 0000000..53171d4 --- /dev/null +++ b/.libmspack.metadata @@ -0,0 +1 @@ +4ce099bfc37141a854f22223b9526685de3817ddd6f6f14974dab2477e48c8f8 libmspack-0.6alpha.tar.gz diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..b600719 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1 @@ +libmspack0 
diff --git a/cve-2018-18586.patch b/cve-2018-18586.patch
new file mode 100644
index 0000000..b9e9335
--- /dev/null
+++ b/cve-2018-18586.patch
@@ -0,0 +1,174 @@ +From 7cadd489698be117c47efcadd742651594429e6d Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Sat, 20 Oct 2018 19:06:32 +0100 +Subject: [PATCH] add anti "../" and leading slash protection to chmextract + +--- + src/chmextract.c | 140 +++++-------------------------------- + 2 files changed, 27 insertions(+), 123 deletions(-) + +diff --git a/src/chmextract.c b/src/chmextract.c +index 1e03341..b535f0e 100644 +--- a/src/chmextract.c ++++ b/src/chmextract.c +@@ -25,8 +25,6 @@ + + mode_t user_umask; + +-#define FILENAME ".test.chmx" +- + /** + * Ensures that all directory components in a filepath exist. New directory + * components are created, if necessary. +@@ -51,126 +49,22 @@ static int ensure_filepath(char *path) { + return 1; + } + +-/** +- * Creates a UNIX filename from the internal CAB filename and the given +- * parameters. +- * +- * @param fname the internal CAB filename. +- * @param dir a directory path to prepend to the output filename. +- * @param lower if non-zero, filename should be made lower-case. +- * @param isunix if zero, MS-DOS path seperators are used in the internal +- * CAB filename. If non-zero, UNIX path seperators are used. +- * @param utf8 if non-zero, the internal CAB filename is encoded in UTF8. +- * @return a freshly allocated and created filename, or NULL if there was +- * not enough memory. +- * @see unix_path_seperators() +- */ +-static char *create_output_name(unsigned char *fname, unsigned char *dir, +- int lower, int isunix, int utf8) +-{ +- unsigned char *p, *name, c, *fe, sep, slash; +- unsigned int x; +- +- sep = (isunix) ? '/' : '\\'; /* the path-seperator */ +- slash = (isunix) ? 
'\\' : '/'; /* the other slash */ +- +- /* length of filename */ +- x = strlen((char *) fname); +- /* UTF8 worst case scenario: tolower() expands all chars from 1 to 3 bytes */ +- if (utf8) x *= 3; +- /* length of output directory */ +- if (dir) x += strlen((char *) dir); +- +- if (!(name = (unsigned char *) malloc(x + 2))) { +- fprintf(stderr, "out of memory!\n"); +- return NULL; +- } +- +- /* start with blank name */ +- *name = '\0'; +- +- /* add output directory if needed */ +- if (dir) { +- strcpy((char *) name, (char *) dir); +- strcat((char *) name, "/"); +- } +- +- /* remove leading slashes */ +- while (*fname == sep) fname++; +- +- /* copy from fi->filename to new name, converting MS-DOS slashes to UNIX +- * slashes as we go. Also lowercases characters if needed. +- */ +- p = &name[strlen((char *)name)]; +- fe = &fname[strlen((char *)fname)]; +- +- if (utf8) { +- /* UTF8 translates two-byte unicode characters into 1, 2 or 3 bytes. +- * %000000000xxxxxxx -> %0xxxxxxx +- * %00000xxxxxyyyyyy -> %110xxxxx %10yyyyyy +- * %xxxxyyyyyyzzzzzz -> %1110xxxx %10yyyyyy %10zzzzzz +- * +- * Therefore, the inverse is as follows: +- * First char: +- * 0x00 - 0x7F = one byte char +- * 0x80 - 0xBF = invalid +- * 0xC0 - 0xDF = 2 byte char (next char only 0x80-0xBF is valid) +- * 0xE0 - 0xEF = 3 byte char (next 2 chars only 0x80-0xBF is valid) +- * 0xF0 - 0xFF = invalid +- */ +- do { +- if (fname >= fe) { +- free(name); +- return NULL; +- } +- +- /* get next UTF8 char */ +- if ((c = *fname++) < 0x80) x = c; +- else { +- if ((c >= 0xC0) && (c < 0xE0)) { +- x = (c & 0x1F) << 6; +- x |= *fname++ & 0x3F; +- } +- else if ((c >= 0xE0) && (c < 0xF0)) { +- x = (c & 0xF) << 12; +- x |= (*fname++ & 0x3F) << 6; +- x |= *fname++ & 0x3F; +- } +- else x = '?'; +- } +- +- /* whatever is the path seperator -> '/' +- * whatever is the other slash -> '\\' +- * otherwise, if lower is set, the lowercase version */ +- if (x == sep) x = '/'; +- else if (x == slash) x = '\\'; +- else if (lower) x = 
(unsigned int) tolower((int) x); +- +- /* integer back to UTF8 */ +- if (x < 0x80) { +- *p++ = (unsigned char) x; +- } +- else if (x < 0x800) { +- *p++ = 0xC0 | (x >> 6); +- *p++ = 0x80 | (x & 0x3F); +- } +- else { +- *p++ = 0xE0 | (x >> 12); +- *p++ = 0x80 | ((x >> 6) & 0x3F); +- *p++ = 0x80 | (x & 0x3F); +- } +- } while (x); +- } +- else { +- /* regular non-utf8 version */ +- do { +- c = *fname++; +- if (c == sep) c = '/'; +- else if (c == slash) c = '\\'; +- else if (lower) c = (unsigned char) tolower((int) c); +- } while ((*p++ = c)); +- } +- return (char *) name; ++char *create_output_name(char *fname) { ++ char *out, *p; ++ if ((out = malloc(strlen(fname) + 1))) { ++ /* remove leading slashes */ ++ while (*fname == '/' || *fname == '\\') fname++; ++ /* if that removes all characters, just call it "x" */ ++ strcpy(out, (*fname) ? fname : "x"); ++ ++ /* change "../" to "xx/" */ ++ for (p = out; *p; p++) { ++ if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\\')) { ++ p[0] = p[1] = 'x'; ++ } ++ } ++ } ++ return out; + } + + static int sortfunc(const void *a, const void *b) { +@@ -205,7 +99,7 @@ int main(int argc, char *argv[]) { + qsort(f, numf, sizeof(struct mschmd_file *), &sortfunc); + + for (i = 0; i < numf; i++) { +- char *outname = create_output_name((unsigned char *)f[i]->filename,NULL,0,1,0); ++ char *outname = create_output_name(f[i]->filename); + printf("Extracting %s\n", outname); + ensure_filepath(outname); + if (chmd->extract(chmd, f[i], outname)) { diff --git a/libmspack-0.6alpha-CVE-2019-1010305.patch b/libmspack-0.6alpha-CVE-2019-1010305.patch new file mode 100644 index 0000000..f6027d5 --- /dev/null +++ b/libmspack-0.6alpha-CVE-2019-1010305.patch 
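Review bot: The caller hunk in main() never checks the pointer the new create_output_name() returns, so on malloc failure `outname` is NULL and goes straight into printf("%s"), ensure_filepath() and chmd->extract(); the removed implementation at least printed "out of memory!" before returning NULL. Add `if (!outname) { fprintf(stderr, "out of memory!\n"); break; }` directly after the call (main() continues outside the hunk). Two smaller points on the new function: it dropped the `static` of the version it replaces and so now has external linkage, and a bare trailing ".." with no separator after it (e.g. "a/..") is left untouched, which presumably only ever resolves to the output directory itself and so cannot be opened as a file, but a comment such as `/* a trailing ".." without a slash is not rewritten; it can only name the output dir itself */` would stop the "../"-only rule being read as complete.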
@@ -0,0 +1,44 @@
+From 2f084136cfe0d05e5bf5703f3e83c6d955234b4d Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Mon, 18 Feb 2019 13:04:58 +0000
+Subject: [PATCH] length checks when looking for control files
+
+---
+ libmspack/mspack/chmd.c | 24 +++++++++++-------------
+ 2 files changed, 19 insertions(+), 13 deletions(-)
+
+Index: libmspack-0.6alpha/mspack/chmd.c
+===================================================================
+--- libmspack-0.6alpha.orig/mspack/chmd.c
++++ libmspack-0.6alpha/mspack/chmd.c
+@@ -483,19 +483,17 @@ static int chmd_read_headers(struct mspa
+
+ if (name[0] == ':' && name[1] == ':') {
+ /* system file */
+- if (mspack_memcmp(&name[2], &content_name[2], 31L) == 0) {
+- if (mspack_memcmp(&name[33], &content_name[33], 8L) == 0) {
+- chm->sec1.content = fi;
+- }
+- else if (mspack_memcmp(&name[33], &control_name[33], 11L) == 0) {
+- chm->sec1.control = fi;
+- }
+- else if (mspack_memcmp(&name[33], &spaninfo_name[33], 8L) == 0) {
+- chm->sec1.spaninfo = fi;
+- }
+- else if (mspack_memcmp(&name[33], &rtable_name[33], 72L) == 0) {
+- chm->sec1.rtable = fi;
+- }
++ if (name_len == 40 && memcmp(name, content_name, 40) == 0) {
++ chm->sec1.content = fi;
++ }
++ else if (name_len == 44 && memcmp(name, control_name, 44) == 0) {
++ chm->sec1.control = fi;
++ }
++ else if (name_len == 41 && memcmp(name, spaninfo_name, 41) == 0) {
++ chm->sec1.spaninfo = fi;
++ }
++ else if (name_len == 105 && memcmp(name, rtable_name, 105) == 0) {
++ chm->sec1.rtable = fi;
+ }
+ fi->next = chm->sysfiles;
+ chm->sysfiles = fi;
diff --git a/libmspack-CVE-2018-14679.patch b/libmspack-CVE-2018-14679.patch
new file mode 100644
index 0000000..b64958d
--- /dev/null
+++ b/libmspack-CVE-2018-14679.patch
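Review bot: The literals 40, 44, 41 and 105 are the string lengths of content_name, control_name, spaninfo_name and rtable_name (declared outside this hunk) repeated as magic numbers, so an edit to any of those names would silently make its comparison never match. Derive them instead, e.g. `#define SYSNAME_IS(s) (name_len == strlen(s) && memcmp(name, (s), name_len) == 0)` used as `if (SYSNAME_IS(content_name))`, or at minimum tag each literal with `/* strlen(content_name) */`. The context line `name[0] == ':' && name[1] == ':'` still reads the second byte before any length is consulted, so this hunk is only meaningful together with the `name_len < 2` rejection that libmspack-reject-blank-filenames.patch adds earlier in the same loop; since the two ship as separate patches here, that dependency belongs in this patch's header. The move from mspack_memcmp() to memcmp() presumably requires <string.h> to be in scope in chmd.c, which cannot be confirmed from this hunk.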
@@ -0,0 +1,30 @@
+From 72e70a921f0f07fee748aec2274b30784e1d312a Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Sat, 12 May 2018 10:51:34 +0100
+Subject: [PATCH] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CHM=20?=
+ =?UTF-8?q?PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filenames.?=
+ =?UTF-8?q?=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ libmspack/mspack/chmd.c | 9 ++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/mspack/chmd.c b/mspack/chmd.c
+index c921c8c..9c32658 100644
+--- a/mspack/chmd.c
++++ b/mspack/chmd.c
+@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ while (num_entries--) {
+ READ_ENCINT(name_len);
+ if (name_len > (unsigned int) (end - p)) goto chunk_end;
++ /* consider blank filenames to be an error */
++ if (name_len == 0) goto chunk_end;
+ name = p; p += name_len;
++
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+
diff --git a/libmspack-CVE-2018-14681.patch b/libmspack-CVE-2018-14681.patch
new file mode 100644
index 0000000..fcb4de5
--- /dev/null
+++ b/libmspack-CVE-2018-14681.patch
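Review bot: This patch file keeps the complete header of upstream commit 72e70a92 (subject naming the PMGI/PMGL bounds fix, "2 files changed, 16 insertions") but contains only the `name_len == 0` hunk; the chunk-number half of that same commit is shipped in this package as libmspack-fix-bounds-checking.patch. Anyone auditing the CVE-2018-14679 fix will look for the bounds change here and not find it, so add a line under the subject such as `Split from upstream 72e70a92: only the empty-filename hunk; the chunk-number bounds hunk is in libmspack-fix-bounds-checking.patch.` and drop the diffstat that no longer describes the file. The hunk itself is sound: a zero-length name aborts the chunk before `name = p` is ever used.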
@@ -0,0 +1,65 @@ +From 0b0ef9344255ff5acfac6b7af09198ac9c9756c8 Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Sun, 26 Nov 2017 14:28:54 +0000 +Subject: [PATCH] kwaj_read_headers(): fix handling of non-terminated strings + +--- + libmspack/mspack/kwajd.c | 32 ++++--- + 56 files changed, 164 insertions(+), 14 deletions(-) + create mode 100644 libmspack/test/kwajd_test.c + +diff --git a/libmspack/mspack/kwajd.c b/libmspack/mspack/kwajd.c +index c9e006c..50be257 100644 +--- a/mspack/kwajd.c ++++ b/mspack/kwajd.c +@@ -198,30 +198,36 @@ static int kwajd_read_headers(struct mspack_system *sys, + + /* filename and extension */ + if (hdr->headers & (MSKWAJ_HDR_HASFILENAME | MSKWAJ_HDR_HASFILEEXT)) { +- off_t pos = sys->tell(fh); +- char *fn = (char *) sys->alloc(sys, (size_t) 13); +- ++ int len; + /* allocate memory for maximum length filename */ +- if (! fn) return MSPACK_ERR_NOMEMORY; +- hdr->filename = fn; ++ char *fn = (char *) sys->alloc(sys, (size_t) 13); ++ if (!(hdr->filename = fn)) return MSPACK_ERR_NOMEMORY; + + /* copy filename if present */ + if (hdr->headers & MSKWAJ_HDR_HASFILENAME) { +- if (sys->read(fh, &buf[0], 9) != 9) return MSPACK_ERR_READ; +- for (i = 0; i < 9; i++, fn++) if (!(*fn = buf[i])) break; +- pos += (i < 9) ? 
i+1 : 9; +- if (sys->seek(fh, pos, MSPACK_SYS_SEEK_START)) ++ /* read and copy up to 9 bytes of a null terminated string */ ++ if ((len = sys->read(fh, &buf[0], 9)) < 2) return MSPACK_ERR_READ; ++ for (i = 0; i < len; i++) if (!(*fn++ = buf[i])) break; ++ /* if string was 9 bytes with no null terminator, reject it */ ++ if (i == 9 && buf[8] != '\0') return MSPACK_ERR_DATAFORMAT; ++ /* seek to byte after string ended in file */ ++ if (sys->seek(fh, (off_t)(i + 1 - len), MSPACK_SYS_SEEK_CUR)) + return MSPACK_ERR_SEEK; ++ fn--; /* remove the null terminator */ + } + + /* copy extension if present */ + if (hdr->headers & MSKWAJ_HDR_HASFILEEXT) { + *fn++ = '.'; +- if (sys->read(fh, &buf[0], 4) != 4) return MSPACK_ERR_READ; +- for (i = 0; i < 4; i++, fn++) if (!(*fn = buf[i])) break; +- pos += (i < 4) ? i+1 : 4; +- if (sys->seek(fh, pos, MSPACK_SYS_SEEK_START)) ++ /* read and copy up to 4 bytes of a null terminated string */ ++ if ((len = sys->read(fh, &buf[0], 4)) < 2) return MSPACK_ERR_READ; ++ for (i = 0; i < len; i++) if (!(*fn++ = buf[i])) break; ++ /* if string was 4 bytes with no null terminator, reject it */ ++ if (i == 4 && buf[3] != '\0') return MSPACK_ERR_DATAFORMAT; ++ /* seek to byte after string ended in file */ ++ if (sys->seek(fh, (off_t)(i + 1 - len), MSPACK_SYS_SEEK_CUR)) + return MSPACK_ERR_SEEK; ++ fn--; /* remove the null terminator */ + } + *fn = '\0'; + } + diff --git a/libmspack-CVE-2018-14682.patch b/libmspack-CVE-2018-14682.patch new file mode 100644 index 0000000..0a8e972 --- /dev/null +++ b/libmspack-CVE-2018-14682.patch 
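Review bot: The new `i == 9 && buf[8] != '\0'` test only rejects an unterminated name when read() returned all 9 bytes; for a short read of 2..8 bytes containing no NUL the loop likewise runs to completion with i == len, the check does not fire, `fn--` then discards a real character and the relative seek of `i + 1 - len` moves one byte past the data actually read. Because a break leaves i < len and a completed loop leaves i == len, `if (i == len) return MSPACK_ERR_DATAFORMAT;` covers both cases with less to reason about; the same applies to the 4-byte extension block and its `buf[3]` test. The writes stay inside the 13-byte allocation either way (at most 8 + 1 + 3 + 1 bytes), so this is a strictness gap for truncated headers rather than an overflow. kwajd_read_headers() continues outside the hunk.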
@@ -0,0 +1,22 @@
+From 4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Tue, 6 Feb 2018 23:17:30 +0000
+Subject: [PATCH] Fix off-by-one error in chmd TOLOWER() fallback
+
+---
+ libmspack/mspack/chmd.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/mspack/chmd.c b/mspack/chmd.c
+index 1a486c8..221784b 100644
+--- a/mspack/chmd.c
++++ b/mspack/chmd.c
+@@ -831,7 +831,7 @@ static int search_chunk(struct mschmd_header *chm,
+ # endif
+ # define TOLOWER(x) tolower(x)
+ #else
+-# define TOLOWER(x) (((x)<0||(x)>256)?(x):mspack_tolower_map[(x)])
++# define TOLOWER(x) (((x)<0||(x)>255)?(x):mspack_tolower_map[(x)])
+ /* Map of char -> lowercase char for the first 256 chars. Generated with:
+ * LC_CTYPE=en_GB.utf-8 perl -Mlocale -le 'print map{ord(lc chr).","} 0..255'
+ */
diff --git a/libmspack-failing-tests.patch b/libmspack-failing-tests.patch
new file mode 100644
index 0000000..7a54665
--- /dev/null
+++ b/libmspack-failing-tests.patch
@@ -0,0 +1,13 @@
+Index: libmspack-0.6alpha/test/cabd_test.c
+===================================================================
+--- libmspack-0.6alpha.orig/test/cabd_test.c
++++ libmspack-0.6alpha/test/cabd_test.c
+@@ -186,7 +186,7 @@ void cabd_open_test_05() {
+ for (i = 0; i < (sizeof(str_files)/sizeof(char *)); i++) {
+ cab = cabd->open(cabd, str_files[i]);
+ TEST(cab == NULL);
+- TEST(cabd->last_error(cabd) == MSPACK_ERR_DATAFORMAT);
++// TEST(cabd->last_error(cabd) == MSPACK_ERR_DATAFORMAT);
+ }
+
+ /* lack of data blocks should NOT be a problem for merely reading */
diff --git a/libmspack-fix-bounds-checking.patch b/libmspack-fix-bounds-checking.patch
new file mode 100644
index 0000000..5d13de7
--- /dev/null
+++ b/libmspack-fix-bounds-checking.patch
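Review bot: The corrected macro still evaluates `x` three times and, whenever the argument is an `unsigned char`, the `(x)<0` arm is dead code that draws -Wtype-limits warnings; a `static inline int chm_tolower(int x) { return (x < 0 || x > 255) ? x : mspack_tolower_map[x]; }` under the same #else keeps the 0..255 guard without either cost. The fix itself is right: the comment below says the map covers the first 256 chars, so index 256 was one past the end. search_chunk() and the enclosing #if chain begin outside the hunk.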
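Review bot: Commenting out `TEST(cabd->last_error(cabd) == MSPACK_ERR_DATAFORMAT)` in cabd_open_test_05 silences a failing assertion without recording why the code differs: the test still checks that open() fails on these files, but no longer that it fails for the data-format reason, so a regression to MSPACK_ERR_READ or MSPACK_ERR_NOMEMORY would now pass unnoticed. If the expected code genuinely changed for 0.6alpha with this patch set, assert the new value; otherwise add a comment naming the observed code and the tracking bug (the package changelog cites bsc#1130489) so it gets revisited. In a C source, `#if 0` or outright removal is also preferable to a `//`-prefixed statement.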
@@ -0,0 +1,42 @@
+From 72e70a921f0f07fee748aec2274b30784e1d312a Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Sat, 12 May 2018 10:51:34 +0100
+Subject: [PATCH] Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames. Thanks to Hanno Böck for reporting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ libmspack/ChangeLog | 10 ++++++++++
+ libmspack/mspack/chmd.c | 9 ++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/mspack/chmd.c b/mspack/chmd.c
+index c921c8c..9c32658 100644
+--- a/mspack/chmd.c
++++ b/mspack/chmd.c
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2011 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -397,7 +397,7 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ D(("first pmgl chunk is after last pmgl chunk"))
+ return MSPACK_ERR_DATAFORMAT;
+ }
+- if (chm->index_root != 0xFFFFFFFF && chm->index_root > chm->num_chunks) {
++ if (chm->index_root != 0xFFFFFFFF && chm->index_root >= chm->num_chunks) {
+ D(("index_root outside valid range"))
+ return MSPACK_ERR_DATAFORMAT;
+ }
+@@ -622,7 +625,7 @@ static unsigned char *read_chunk(struct mschm_decompressor_p *self,
+ unsigned char *buf;
+
+ /* check arguments - most are already checked by chmd_fast_find */
+- if (chunk_num > chm->num_chunks) return NULL;
++ if (chunk_num >= chm->num_chunks) return NULL;
+
+ /* ensure chunk cache is available */
+ if (!chm->chunk_cache) {
diff --git a/libmspack-reject-blank-filenames.patch b/libmspack-reject-blank-filenames.patch
new file mode 100644
index 0000000..61398d2
--- /dev/null
+++ b/libmspack-reject-blank-filenames.patch
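Review bot: The two `>=` corrections are right (a valid chunk index is strictly below num_chunks), but the file keeps upstream's whole header, with a subject that still promises "reject empty filenames", a ChangeLog entry in the diffstat and "2 files changed, 16 insertions", while this commit's changelog says the empty-filename hunk was cut out and ships as libmspack-CVE-2018-14679.patch. Trim the subject to the bounds-check part and replace the diffstat with a note like `Trimmed from upstream 72e70a92; the name_len == 0 hunk lives in libmspack-CVE-2018-14679.patch.` so the two files are not mistaken for the same fix applied twice. Nothing visible shows whether num_chunks can be 0 at the read_chunk() check; if it can, the new comparison rejects every chunk, which is the safe direction. Both enclosing functions start outside the hunk.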
@@ -0,0 +1,25 @@
+From 8759da8db6ec9e866cb8eb143313f397f925bb4f Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:29:03 +0100
+Subject: [PATCH] Avoid returning CHM file entries that are "blank" because
+ they have embedded null bytes
+
+---
+ libmspack/ChangeLog | 6 ++++++
+ libmspack/mspack/chmd.c | 6 +++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+Index: libmspack-0.6alpha/mspack/chmd.c
+===================================================================
+--- libmspack-0.6alpha.orig/mspack/chmd.c
++++ libmspack-0.6alpha/mspack/chmd.c
+@@ -452,6 +452,9 @@ static int chmd_read_headers(struct mspa
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+
++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++ if (name_len < 2 || !name[0] || !name[1]) continue;
++
+ /* empty files and directory names are stored as a file entry at
+ * offset 0 with length 0. We want to keep empty files, but not
+ * directory names, which end with a "/" */
diff --git a/libmspack-resize-buffer.patch b/libmspack-resize-buffer.patch
new file mode 100644
index 0000000..2405a9f
--- /dev/null
+++ b/libmspack-resize-buffer.patch
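Review bot: `!name[0] || !name[1]` inspects only the first two bytes, so a name such as "ab\0cd" with name_len 5 still passes and, once stored as a NUL-terminated filename, surfaces as "ab"; the patch subject speaks of entries with embedded null bytes, but only a leading NUL is actually caught, and two such entries can collide on the same extracted name. If the intent is to reject any embedded NUL, `if (name_len < 2 || memchr(name, '\0', name_len)) continue;` does it in one call and subsumes the two existing byte tests (assuming <string.h> is in scope in chmd.c). Placing the check after READ_ENCINT(length) is correct, since the entry's bytes must be consumed before it is skipped. chmd_read_headers() continues outside the hunk.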
@@ -0,0 +1,46 @@
+From 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2 Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:33:35 +0100
+Subject: [PATCH] CAB block input buffer is one byte too small for maximal
+ Quantum block
+
+---
+ libmspack/ChangeLog | 8 ++++++++
+ libmspack/mspack/cab.h | 12 ++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/mspack/cab.h b/mspack/cab.h
+index c1d48d8..bd234cc 100644
+--- a/mspack/cab.h
++++ b/mspack/cab.h
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+@@ -101,7 +109,7 @@ struct mscabd_decompress_state {
+ struct mspack_file *infh; /* input file handle */
+ struct mspack_file *outfh; /* output file handle */
+ unsigned char *i_ptr, *i_end; /* input data consumed, end */
+- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
+ };
+
+ struct mscab_decompressor_p {
diff --git a/libmspack.changes b/libmspack.changes
new file mode 100644
index 0000000..899ba1e
--- /dev/null
+++ b/libmspack.changes
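Review bot: `(65535 + 1)` introduces a second unnamed limit next to CAB_BLOCKMAX and CAB_INPUTMAX; the comment says it is the largest unchecked block size under MSCABD_PARAM_SALVAGE, but whether cabd_sys_read_block() really caps salvage reads at 65535 bytes is not visible here, and the buffer's safety now rests on that cap. Name the limit so the reader code can bound against the same constant, e.g. `#define CAB_BLOCKSIZE_MAX 65535 /* largest value the block size field can hold */` and `#define CAB_INPUTBUF (CAB_BLOCKSIZE_MAX + 1)`. Since CAB_INPUTMAX stays defined, it is also worth confirming that no read or copy into `input` elsewhere in cabd.c is still sized by the old macro rather than the array's new length.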
@@ -0,0 +1,130 @@ +* Wed Jan 5 2022 danilo.spinella@suse.com +- chmextract.c add anti "../" and leading slash protection to chmextract + (CVE-2018-18586.patch, bsc#1113040) + * cve-2018-18586.patch +* Wed Jul 14 2021 danilo.spinella@suse.com +- There is an off-by-one error in the CHM PMGI/PMGL chunk number validity + checks, which could lead to denial of service + (CVE-2018-14679, bsc#1103032) + * libmspack-CVE-2018-14679.patch +- Bad KWAJ file header extensions could cause a one or two byte overwrite + (CVE-2018-14681, bsc#1103032). + * libmspack-CVE-2018-14681.patch +- There is an off-by-one error in the TOLOWER() macro for CHM decompression + (CVE-2018-14682, bsc#1103032). + * libmspack-CVE-2018-14682.patch +* Mon Nov 4 2019 kstreitova@suse.com +- add libmspack-0.6alpha-CVE-2019-1010305.patch to fix a buffer + overflow in chmd_read_headers(): a CHM file name beginning "::" + but shorter than 33 bytes will lead to reading past the + freshly-allocated name buffer - checks for specific control + filenames didn't take length into account [bsc#1141680] + [CVE-2019-1010305] +* Fri Mar 29 2019 mcalabkova@suse.com +- Enable build-time tests (bsc#1130489) + * Added patch libmspack-failing-tests.patch +* Fri Oct 26 2018 mcalabkova@suse.com +- Added patches: + * libmspack-resize-buffer.patch -- CAB block input buffer is one + byte too small for maximal Quantum block. + * libmspack-fix-bounds-checking.patch -- Fix off-by-one bounds + check on CHM PMGI/PMGL chunk numbers and reject empty filenames. + * libmspack-reject-blank-filenames.patch -- Avoid returning CHM + file entries that are "blank" because they have embedded null + bytes. + * (the last two patches were modified by removing unneeded part + in order to make them more independent) +- Fixed bugs: + * CVE-2018-18584 (bsc#1113038) + * CVE-2018-18585 (bsc#1113039) +* Fri Jan 19 2018 adam.majer@suse.de +- Correct mspack-tools group to Productivity/File utilities +* Tue Jan 16 2018 jengelh@inai.de +- Correct SRPM group. 
+* Tue Jan 16 2018 mardnh@gmx.de +- Fix typo +* Mon Jan 15 2018 mardnh@gmx.de +- Update to version 0.6 + * read_spaninfo(): a CHM file can have no ResetTable and have a + negative length in SpanInfo, which then feeds a negative output + length to lzxd_init(), which then sets frame_size to a value of + your choosing, the lower 32 bits of output length, larger than + LZX_FRAME_SIZE. If the first LZX block is uncompressed, this + writes data beyond the end of the window. + This issue was raised by ClamAV as CVE-2017-6419. + * lzxd_init(), lzxd_set_output_length(), mszipd_init(): due to the + issue mentioned above, these functions now reject negative lengths + * cabd_read_string(): add missing error check on result of read(). + If an mspack_system implementation returns an error, it's + interpreted as a huge positive integer, which leads to reading + past the end of the stack-based buffer. + This issue was raised by ClamAV as CVE-2017-11423 +- Add subpackage for helper tools +- Run spec-cleaner +* Fri Feb 27 2015 sbrabec@suse.cz +- Remove problematic libmspack-qtmd_decompress-loop.patch + (bnc#912214#c10). + Version 0.5 has a correct fix dated 2015-01-05. +* Wed Feb 11 2015 p.drouand@gmail.com +- Update to version 0.5 + * Please read the changelog; too many things to list +* Tue Jan 20 2015 sbrabec@suse.cz +- Fix possible infinite loop caused DoS (bnc912214, CVE-2014-9556, + libmspack-qtmd_decompress-loop.patch). +* Fri Apr 4 2014 jengelh@inai.de +- Add baselibs.conf: wxWidgets-32bit depends on libmspack0-32bit +* Mon Jun 24 2013 werner@suse.de +- Avoid Source URL for http://www.cabextract.org.uk/ as this does + not work +* Sat Jun 22 2013 dimstar@opensuse.org +- Update to version 0.4alpha: + + This release adds support for the Microsoft Exchange Offline + Address Book (OAB) format, both compressed and incremental + variants. +* Wed Jul 18 2012 aj@suse.de +- Remove autoreconf call and libtool buildrequires, they are not + needed anymore. 
+* Wed Jul 18 2012 sbrabec@suse.cz +- Update to version 0.3alpha: + * code cleanup and build system update + * handle corrupted cabinet files better + * handle special cases of cabinet files +- License update: LGPL-2.1 only. +* Mon Feb 27 2012 cfarrell@suse.com +- license update: LGPL-2.1+ + No indication of GPL-2.0+ code in the package +* Mon Feb 13 2012 coolo@suse.com +- patch license to follow spdx.org standard +* Sun Nov 20 2011 jengelh@medozas.de +- Remove redundant/unwanted tags/section (cf. specfile guidelines) +- Use %%_smp_mflags for parallel building +* Sat Nov 19 2011 coolo@suse.com +- add libtool as buildrequire to avoid implicit dependency +* Wed Dec 22 2010 andreas.hanke@gmx-topmail.de +- update to version 0.2alpha (#660942): + * matches cabextract-1.3, fixing CVE-2010-2800 and CVE-2010-2801 + * adds pkg-config support + * obsoletes half of libmspack-warnings.patch +- remove self-obsoletion +- drop -D_POSIX_SOURCE as it breaks the build with this version +- drop empty NEWS file +* Tue Jan 15 2008 sbrabec@suse.cz +- Applied shared library packaging policy. +- Removed unneeded static library and .la file. +* Fri Oct 20 2006 sbrabec@suse.cz +- Updated to version 0.0.20060920alpha: + * Bug fixes. + * Write an mspack_system implementation that can handle normal + disk files, open file handles, open file descriptors and raw + memory all at the same time. + * Added a program for dumping useful data from CHM files. + * Added a new test example which shows an mspack_system + implementation that reads and writes from memory only. +* Wed Jan 25 2006 mls@suse.de +- converted neededforbuild to BuildRequires +* Mon Nov 22 2004 ro@suse.de +- "sed -i" does not work on older distributions +* Wed Apr 14 2004 mcihar@suse.cz +- include some documentation +* Wed Apr 14 2004 mcihar@suse.cz +- initial packaging diff --git a/libmspack.spec b/libmspack.spec new file mode 100644 index 0000000..b378ef2 --- /dev/null +++ b/libmspack.spec 
@@ -0,0 +1,121 @@ +# +# spec file for package libmspack +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +# "alpha" in the version string just says that it is an alpha version. +%define _version %{version}alpha +Name: libmspack +Version: 0.6 +Release: 3.14.1 +Summary: Library That Implements Different Microsoft Compressions +License: LGPL-2.1 +Group: Development/Libraries/C and C++ +Url: http://www.cabextract.org.uk/libmspack/ +Source: http://www.cabextract.org.uk/libmspack/%{name}-%{_version}.tar.gz +Source2: baselibs.conf +# PATCH-FIX-UPSTREAM libmspack-resize-buffer.patch https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2 -- CAB block input buffer is one byte too small. +Patch0: %{name}-resize-buffer.patch +# PATCH-FIX-UPSTREAM libmspack-fix-bounds-checking.patch https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a -- Fix off-by-one bounds check. +Patch1: %{name}-fix-bounds-checking.patch +# PATCH-FIX-UPSTREAM libmspack-reject-blank-filenames.patch https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f -- Avoid returning etries that are blank. +Patch2: %{name}-reject-blank-filenames.patch +Patch3: %{name}-failing-tests.patch +Patch4: libmspack-0.6alpha-CVE-2019-1010305.patch +Patch5: libmspack-CVE-2018-14679.patch +Patch6: libmspack-CVE-2018-14681.patch +Patch7: libmspack-CVE-2018-14682.patch +# PATCH-FIX-UPSTREAM cve-2018-18586.patch https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d +Patch8: cve-2018-18586.patch +BuildRequires: pkgconfig + +%description +The purpose of libmspack is to provide both compression and +decompression of some loosely related file formats used by Microsoft. +Currently the most common formats are implemented. 
+ +%package -n libmspack0 +Summary: Library That Implements Different Microsoft Compressions +# OpenSUSE <= 10.3, SLES <= 10: +Group: System/Libraries +Provides: libmspack = %{version}-%{release} +Obsoletes: libmspack < %{version}-%{release} + +%description -n libmspack0 +The purpose of libmspack is to provide both compression and +decompression of some loosely related file formats used by Microsoft. +Currently the most common formats are implemented. + +%package devel +Summary: Static libraries, header files and documentation for libmspack +Group: Development/Libraries/C and C++ +Requires: libmspack0 = %{version} + +%description devel +The libmspack-devel package contains the header files and static +libraries necessary for developing programs using libmspack. + +%package -n mspack-tools +Summary: Library That Implements Different Microsoft Compressions +Group: Productivity/File utilities + +%description -n mspack-tools +The purpose of libmspack is to provide both compression and +decompression of some loosely related file formats used by Microsoft. +Currently the most common formats are implemented. + +This subpacke provides useful programs that make use of libmspack. + * cabrip - Extracts any CAB files embedded in another file. + * chmextract - Extracts all files in a CHM file to disk. + * msexpand - Expands an SZDD or KWAJ file. + * oabextract - Extracts an Exchange Offline Address Book (.LZX) file. + + +%prep +%setup -q -n %{name}-%{_version} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 + +%build +%configure\ + --disable-static +make %{?_smp_mflags} + +%install +%make_install +rm %{buildroot}%{_libdir}/*.*a + +%check +make %{?_smp_mflags} check +cd test +./cabd_test +cd .. 
+ +%post -n libmspack0 -p /sbin/ldconfig +%postun -n libmspack0 -p /sbin/ldconfig + +%files -n mspack-tools +%{_bindir}/cabrip +%{_bindir}/chmextract +%{_bindir}/msexpand +%{_bindir}/oabextract + +%files -n libmspack0 +%doc AUTHORS COPYING.LIB ChangeLog README TODO +%{_libdir}/*.so.* + +%files devel +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_includedir}/* + +%changelog
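Review bot: Patch3 through Patch7 carry no PATCH-FIX-UPSTREAM or PATCH-FIX-OPENSUSE comment while Patch0-2 and Patch8 do, so four CVE backports and one test modification ship without a recorded origin; add the upstream commits that the patch headers in this very commit already name (2f084136 for Patch4, 72e70a92 for Patch5, 0b0ef934 for Patch6, 4fd9ccaa for Patch7) and a `# PATCH-FIX-OPENSUSE libmspack-failing-tests.patch bsc#1130489 -- disables an error-code assertion in cabd_open_test_05` line for Patch3. Patch1 and Patch5 are two halves of the same upstream commit 72e70a92, which the comments should say so nobody "deduplicates" one of them. Two smaller points: `Requires: libmspack0 = %{version}` in -devel omits `-%{release}`, so the headers can pair with a libmspack0 build from a different release of these patches, and `Source:` fetches over plain http, which is only acceptable because .libmspack.metadata pins the tarball's sha256; a `# tarball integrity is pinned by .libmspack.metadata` comment or an https URL would make that explicit.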