Commit Graph

177 Commits

Author SHA1 Message Date
Mark Adler
51b7f2abda zlib 1.3.1 2024-01-22 10:32:37 -08:00
Mark Adler
c06dfecb8a Use Makefile compiler for minizip-test target. 2024-01-21 09:25:44 -08:00
Dimitri Papadopoulos
fe41d18921 Correct typos in source code. 2024-01-17 16:43:38 -08:00
Matt Wilson
14a5f8f266 Neutralize zip file traversal attacks in miniunz.
Archive formats such as .zip files are generally susceptible to
so-called "traversal attacks". This allows an attacker to craft
an archive that writes to unexpected locations of the file system
(e.g., /etc/shadow) if an unspecting root user were to unpack a
malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply
relative paths such as dummy/../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the
first identified weakness. The fix was incomplete, resulting in a
revised patch applied here. Since there wasn't an updated version
released by Debian with the incomplete fix, I suggest we use this
CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
2024-01-17 15:08:08 -08:00
THE-Spellchecker
01155ccc3f Fix random typos over several source and text files. 2024-01-17 13:49:11 -08:00
William Leara
190168cc1c Correct case of MSDOS in contrib/minizip/miniunz.c. 2024-01-17 12:48:27 -08:00
William Leara
762cf49e63 Refer to correct function in contrib/minizip/unzip.c comment. 2024-01-17 12:46:14 -08:00
Paul Ivanov
643e17b749 Correct repeated words in source file comments and a readme. 2023-11-14 18:44:32 -08:00
Mark Adler
15c45adb76 Fix decision on the emission of Zip64 end records in minizip.
The appnote says that if the number of entries in the end record
is 0xffff, then the actual number of entries will be found in the
Zip64 end record. Therefore if the number of entries is equal to
0xffff, it can't be in the end record by itself, since that is an
instruction to get the number from the Zip64 end record. This code
would just store 0xffff in the end record in that case, not making
a Zip64 end record. This commit fixes that.
2023-11-07 15:46:41 -08:00
tbeu
88e50f1705 Update miniunz version. 2023-08-20 11:38:03 -07:00
Mark Adler
79a0e447a0 Update version and date in contrib/nuget. 2023-08-19 23:17:29 -07:00
Mark Adler
8988e03256 Update version numbers and year in contrib/vstudio/vc17. 2023-08-19 17:13:12 -07:00
Mark Adler
7192d692be Update vc directory in contrib/nuget. 2023-08-19 17:07:35 -07:00
Mark Adler
60bfe641af Rename contrib/vstudio/vc143 to vc17.
This makes it consistent with the other vstudio projects, which
use the version number.
2023-08-19 12:13:00 -07:00
Hans Wennborg
73331a6a04 Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
2023-08-19 11:56:12 -07:00
AraHaan
4a47c1bf3d Add project and solution files for building a nuget package. 2023-08-19 10:57:26 -07:00
AraHaan
d7de5971f4 Add VS2022 project files.
Also replaced Itanium with ARM and ARM64 configurations.
2023-08-19 10:54:50 -07:00
Mark Adler
4c5a81c2ae Remove carriage returns from contrib/vstudio/readme.txt. 2023-08-19 10:43:36 -07:00
Mark Adler
3a98b57e55 Change version number on develop branch to 1.3.0.1. 2023-08-18 13:23:07 -07:00
Mark Adler
09155eaa2f zlib 1.3 2023-08-18 01:45:36 -07:00
Mark Adler
25bbd7f5a6 Avoid uninitialized and unused warnings in contrib/minizip. 2023-08-17 22:35:43 -07:00
Bastian Germann
efc9c7b801 Add license to contrib/untgz.
A zlib license was agreed to by the authors.
2023-08-17 17:10:12 -07:00
Dimitri Papadopoulos
6951bc609b Fix typos in contrib/ada. 2023-08-14 08:17:22 -07:00
Mark Adler
89ef46ba09 Remove redundant includes in minizip. 2023-08-13 17:46:47 -07:00
Mark Adler
384e50eea4 Remove TRYFREE macro from minizip. 2023-08-13 17:43:36 -07:00
Dimitri Papadopoulos
c7ddcc2e0e Fix some spelling errors. 2023-08-03 13:53:24 -07:00
Eugene Golushkov
be7aa11551 Read multiple bytes instead of byte-by-byte in minizip unzip.c.
Use a single ZREAD64 call in the unz64local_getShort/Long/Long64
implementation, rather than read it byte by byte.
2023-08-03 11:43:34 -07:00
Gilles Vollant
aa154e3da0 Support Haiku in minizip. 2023-08-03 11:17:07 -07:00
Xiang Xiao
f679a939d3 Correct dummy filetime() prototype in minizip.c.
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
2023-08-03 11:02:39 -07:00
Mark Adler
b3f23f7fb7 Match sign of printf directive to sign of argument in testzlib. 2023-07-29 23:58:11 -07:00
Mark Adler
dcd0d86b9e Match sign of printf directive to sign of argument in minizip. 2023-07-29 23:55:48 -07:00
Mark Adler
3061e5013c Fix logic error in minizip argument processing. 2023-07-29 23:51:22 -07:00
Dimitri Papadopoulos
379bbda363 Fix typos found by codespell in minizip 2023-07-29 23:44:25 -07:00
Mark Adler
e0bd0ad6e4 Fix reading disk number start on zip64 files in minizip. 2023-07-29 23:34:26 -07:00
Gilles Vollant
7b28ecc89d Remove duplicated code #806 2023-07-29 23:20:12 -07:00
RedworkDE
f209ca7be7 minizip: Fix being unable to open empty zip file 2023-07-29 23:13:45 -07:00
Mark Adler
05527a1b1e Fix cast in minizip's ioapi.c for Windows. 2023-04-17 14:35:40 -07:00
Mark Adler
66588683b3 Remove use of OF() from contrib/untgz and render it compilable. 2023-04-15 22:56:43 -07:00
Mark Adler
bf2578be2d Remove K&R function definitions from contrib/minizip. 2023-04-15 22:56:37 -07:00
Mark Adler
c4aa356742 Remove K&R function definitions from infback9. 2023-04-15 21:18:52 -07:00
Mark Adler
41fda48fc2 Change version number on develop branch to 1.2.13.1. 2022-10-15 09:02:21 -07:00
Mark Adler
04f42ceca4 zlib 1.2.13 2022-10-12 22:06:55 -07:00
Mark Adler
40c5a9bc06 Find other BSD's without *64 functions in contrib/minizip/ioapi.h. 2022-10-10 02:39:33 -07:00
Mark Adler
2bb4961990 Avoid C89 warning in contrib/minizip/crypt.h. 2022-10-10 01:01:38 -07:00
Mark Adler
e61ff990c0 Comment out unused code in contrib/minizip/minizip.c. 2022-10-09 21:26:39 -07:00
Mark Adler
4572dfbe99 Remove some harmless semicolons in minizip. 2022-10-06 20:43:19 -07:00
Mark Adler
138c93cffb Security and warning fixes for minizip. [gvollant]
Remove unused code and unnecessary test for free().
2022-10-06 20:43:18 -07:00
Mark Adler
9b291c9f01 Fix incorrect cast in minizip's ioapi.c. 2022-10-06 20:43:18 -07:00
Mark Adler
2d283adfee Fix c89 compatibility in minizip's ioapi.c. [gvollant] 2022-10-06 20:43:18 -07:00
Mark Adler
d0704a8201 Remove deleted assembler code references.
The code was removed, but the builds that used the code were not
updated. This fixes that. Thanks to Adenilson and toxieainc for
the patches.
2022-10-06 20:43:09 -07:00