Commit Graph

110 Commits

Author SHA1 Message Date
Matthieu Longo
1b70083bed Replace autotools macro AC_HELP_STRING with AS_HELP_STRING.
In minizip's configure.ac. AC_HELP_STRING is obsolete.
2024-04-29 18:14:17 -07:00
Mark Adler
0f51fb4933 Avert minizip warnings for MSVC. 2024-03-29 12:20:37 -07:00
Mark Adler
d201f04c72 Avoid conversion warning on 32-bit architectures in minizip. 2024-03-22 22:47:36 -07:00
Alexander Miller
f02ea29e5f Improve detection of UNIX-style systems in minizip.
Not all toolchains on UNIX-style operating systems predefine
"unix". For example, it's missing on NetBSD, OpenBSD/gcc, AIX,
HP-UX. There is no single macro defined everywhere, but checking
both "__unix__" and "__unix" should cover everything except macOS,
which is already checked for using "__APPLE__".

Note that case sensitivity should default to off on macOS and
cygwin, so the check there is different.
2024-03-16 11:18:50 -07:00
Mark Adler
99b229487c Avoid signed shift in minizip zip.c. 2024-03-12 13:40:57 -07:00
Mark Adler
f60ce91139 Improve random number seeding in skipset.h. 2024-03-10 23:21:10 -07:00
Mark Adler
4a5e3e7d25 Add zipAlreadyThere() to minizip zip.c to help avoid duplicates. 2024-03-10 00:37:23 -08:00
Mark Adler
54e205f878 Permit changing minizip Makefile optimization with CFLAGS. 2024-03-09 23:53:44 -08:00
Mark Adler
f56ad0aafa Note termination of returned strings in contrib/minizip/unzip.h. 2024-01-23 12:00:26 -08:00
Mark Adler
d4eaa1d939 Avoid unterminated file name in contrib/minizip/miniunz.c. 2024-01-23 08:19:24 -08:00
Mark Adler
da5937705d Permit compiling contrib/minizip/unzip.c with decryption. 2024-01-23 08:02:38 -08:00
Mark Adler
9f0f2d4f9f Change version number on develop branch to 1.3.1.1. 2024-01-22 13:07:41 -08:00
Mark Adler
51b7f2abda zlib 1.3.1 2024-01-22 10:32:37 -08:00
Mark Adler
c06dfecb8a Use Makefile compiler for minizip-test target. 2024-01-21 09:25:44 -08:00
Dimitri Papadopoulos
fe41d18921 Correct typos in source code. 2024-01-17 16:43:38 -08:00
Matt Wilson
14a5f8f266 Neutralize zip file traversal attacks in miniunz.
Archive formats such as .zip files are generally susceptible to
so-called "traversal attacks". This allows an attacker to craft
an archive that writes to unexpected locations of the file system
(e.g., /etc/shadow) if an unspecting root user were to unpack a
malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply
relative paths such as dummy/../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the
first identified weakness. The fix was incomplete, resulting in a
revised patch applied here. Since there wasn't an updated version
released by Debian with the incomplete fix, I suggest we use this
CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
2024-01-17 15:08:08 -08:00
THE-Spellchecker
01155ccc3f Fix random typos over several source and text files. 2024-01-17 13:49:11 -08:00
William Leara
190168cc1c Correct case of MSDOS in contrib/minizip/miniunz.c. 2024-01-17 12:48:27 -08:00
William Leara
762cf49e63 Refer to correct function in contrib/minizip/unzip.c comment. 2024-01-17 12:46:14 -08:00
Paul Ivanov
643e17b749 Correct repeated words in source file comments and a readme. 2023-11-14 18:44:32 -08:00
Mark Adler
15c45adb76 Fix decision on the emission of Zip64 end records in minizip.
The appnote says that if the number of entries in the end record
is 0xffff, then the actual number of entries will be found in the
Zip64 end record. Therefore if the number of entries is equal to
0xffff, it can't be in the end record by itself, since that is an
instruction to get the number from the Zip64 end record. This code
would just store 0xffff in the end record in that case, not making
a Zip64 end record. This commit fixes that.
2023-11-07 15:46:41 -08:00
tbeu
88e50f1705 Update miniunz version. 2023-08-20 11:38:03 -07:00
Hans Wennborg
73331a6a04 Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
2023-08-19 11:56:12 -07:00
Mark Adler
3a98b57e55 Change version number on develop branch to 1.3.0.1. 2023-08-18 13:23:07 -07:00
Mark Adler
09155eaa2f zlib 1.3 2023-08-18 01:45:36 -07:00
Mark Adler
25bbd7f5a6 Avoid uninitialized and unused warnings in contrib/minizip. 2023-08-17 22:35:43 -07:00
Mark Adler
89ef46ba09 Remove redundant includes in minizip. 2023-08-13 17:46:47 -07:00
Mark Adler
384e50eea4 Remove TRYFREE macro from minizip. 2023-08-13 17:43:36 -07:00
Eugene Golushkov
be7aa11551 Read multiple bytes instead of byte-by-byte in minizip unzip.c.
Use a single ZREAD64 call in the unz64local_getShort/Long/Long64
implementation, rather than read it byte by byte.
2023-08-03 11:43:34 -07:00
Gilles Vollant
aa154e3da0 Support Haiku in minizip. 2023-08-03 11:17:07 -07:00
Xiang Xiao
f679a939d3 Correct dummy filetime() prototype in minizip.c.
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
2023-08-03 11:02:39 -07:00
Mark Adler
dcd0d86b9e Match sign of printf directive to sign of argument in minizip. 2023-07-29 23:55:48 -07:00
Mark Adler
3061e5013c Fix logic error in minizip argument processing. 2023-07-29 23:51:22 -07:00
Dimitri Papadopoulos
379bbda363 Fix typos found by codespell in minizip 2023-07-29 23:44:25 -07:00
Mark Adler
e0bd0ad6e4 Fix reading disk number start on zip64 files in minizip. 2023-07-29 23:34:26 -07:00
Gilles Vollant
7b28ecc89d Remove duplicated code #806 2023-07-29 23:20:12 -07:00
RedworkDE
f209ca7be7 minizip: Fix being unable to open empty zip file 2023-07-29 23:13:45 -07:00
Mark Adler
05527a1b1e Fix cast in minizip's ioapi.c for Windows. 2023-04-17 14:35:40 -07:00
Mark Adler
bf2578be2d Remove K&R function definitions from contrib/minizip. 2023-04-15 22:56:37 -07:00
Mark Adler
41fda48fc2 Change version number on develop branch to 1.2.13.1. 2022-10-15 09:02:21 -07:00
Mark Adler
04f42ceca4 zlib 1.2.13 2022-10-12 22:06:55 -07:00
Mark Adler
40c5a9bc06 Find other BSD's without *64 functions in contrib/minizip/ioapi.h. 2022-10-10 02:39:33 -07:00
Mark Adler
2bb4961990 Avoid C89 warning in contrib/minizip/crypt.h. 2022-10-10 01:01:38 -07:00
Mark Adler
e61ff990c0 Comment out unused code in contrib/minizip/minizip.c. 2022-10-09 21:26:39 -07:00
Mark Adler
4572dfbe99 Remove some harmless semicolons in minizip. 2022-10-06 20:43:19 -07:00
Mark Adler
138c93cffb Security and warning fixes for minizip. [gvollant]
Remove unused code and unnecessary test for free().
2022-10-06 20:43:18 -07:00
Mark Adler
9b291c9f01 Fix incorrect cast in minizip's ioapi.c. 2022-10-06 20:43:18 -07:00
Mark Adler
2d283adfee Fix c89 compatibility in minizip's ioapi.c. [gvollant] 2022-10-06 20:43:18 -07:00
Mark Adler
ce12773790 Fix compile with Windows 10 SDK. (gvollant) 2022-03-28 18:46:59 -07:00
Mark Adler
a4c17581d8 Change version number on develop branch to 1.2.12.1. 2022-03-27 18:07:49 -07:00