Commit Graph

106 Commits

Author SHA1 Message Date
Mark Adler
99b229487c Avoid signed shift in minizip zip.c. 2024-03-12 13:40:57 -07:00
Mark Adler
f60ce91139 Improve random number seeding in skipset.h. 2024-03-10 23:21:10 -07:00
Mark Adler
4a5e3e7d25 Add zipAlreadyThere() to minizip zip.c to help avoid duplicates. 2024-03-10 00:37:23 -08:00
Mark Adler
54e205f878 Permit changing minizip Makefile optimization with CFLAGS. 2024-03-09 23:53:44 -08:00
Mark Adler
f56ad0aafa Note termination of returned strings in contrib/minizip/unzip.h. 2024-01-23 12:00:26 -08:00
Mark Adler
d4eaa1d939 Avoid unterminated file name in contrib/minizip/miniunz.c. 2024-01-23 08:19:24 -08:00
Mark Adler
da5937705d Permit compiling contrib/minizip/unzip.c with decryption. 2024-01-23 08:02:38 -08:00
Mark Adler
9f0f2d4f9f Change version number on develop branch to 1.3.1.1. 2024-01-22 13:07:41 -08:00
Mark Adler
51b7f2abda zlib 1.3.1 2024-01-22 10:32:37 -08:00
Mark Adler
c06dfecb8a Use Makefile compiler for minizip-test target. 2024-01-21 09:25:44 -08:00
Dimitri Papadopoulos
fe41d18921 Correct typos in source code. 2024-01-17 16:43:38 -08:00
Matt Wilson
14a5f8f266 Neutralize zip file traversal attacks in miniunz.
Archive formats such as .zip files are generally susceptible to
so-called "traversal attacks". This allows an attacker to craft
an archive that writes to unexpected locations of the file system
(e.g., /etc/shadow) if an unspecting root user were to unpack a
malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply
relative paths such as dummy/../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the
first identified weakness. The fix was incomplete, resulting in a
revised patch applied here. Since there wasn't an updated version
released by Debian with the incomplete fix, I suggest we use this
CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
2024-01-17 15:08:08 -08:00
THE-Spellchecker
01155ccc3f Fix random typos over several source and text files. 2024-01-17 13:49:11 -08:00
William Leara
190168cc1c Correct case of MSDOS in contrib/minizip/miniunz.c. 2024-01-17 12:48:27 -08:00
William Leara
762cf49e63 Refer to correct function in contrib/minizip/unzip.c comment. 2024-01-17 12:46:14 -08:00
Paul Ivanov
643e17b749 Correct repeated words in source file comments and a readme. 2023-11-14 18:44:32 -08:00
Mark Adler
15c45adb76 Fix decision on the emission of Zip64 end records in minizip.
The appnote says that if the number of entries in the end record
is 0xffff, then the actual number of entries will be found in the
Zip64 end record. Therefore if the number of entries is equal to
0xffff, it can't be in the end record by itself, since that is an
instruction to get the number from the Zip64 end record. This code
would just store 0xffff in the end record in that case, not making
a Zip64 end record. This commit fixes that.
2023-11-07 15:46:41 -08:00
tbeu
88e50f1705 Update miniunz version. 2023-08-20 11:38:03 -07:00
Hans Wennborg
73331a6a04 Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
2023-08-19 11:56:12 -07:00
Mark Adler
3a98b57e55 Change version number on develop branch to 1.3.0.1. 2023-08-18 13:23:07 -07:00
Mark Adler
09155eaa2f zlib 1.3 2023-08-18 01:45:36 -07:00
Mark Adler
25bbd7f5a6 Avoid uninitialized and unused warnings in contrib/minizip. 2023-08-17 22:35:43 -07:00
Mark Adler
89ef46ba09 Remove redundant includes in minizip. 2023-08-13 17:46:47 -07:00
Mark Adler
384e50eea4 Remove TRYFREE macro from minizip. 2023-08-13 17:43:36 -07:00
Eugene Golushkov
be7aa11551 Read multiple bytes instead of byte-by-byte in minizip unzip.c.
Use a single ZREAD64 call in the unz64local_getShort/Long/Long64
implementation, rather than read it byte by byte.
2023-08-03 11:43:34 -07:00
Gilles Vollant
aa154e3da0 Support Haiku in minizip. 2023-08-03 11:17:07 -07:00
Xiang Xiao
f679a939d3 Correct dummy filetime() prototype in minizip.c.
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
2023-08-03 11:02:39 -07:00
Mark Adler
dcd0d86b9e Match sign of printf directive to sign of argument in minizip. 2023-07-29 23:55:48 -07:00
Mark Adler
3061e5013c Fix logic error in minizip argument processing. 2023-07-29 23:51:22 -07:00
Dimitri Papadopoulos
379bbda363 Fix typos found by codespell in minizip 2023-07-29 23:44:25 -07:00
Mark Adler
e0bd0ad6e4 Fix reading disk number start on zip64 files in minizip. 2023-07-29 23:34:26 -07:00
Gilles Vollant
7b28ecc89d Remove duplicated code #806 2023-07-29 23:20:12 -07:00
RedworkDE
f209ca7be7 minizip: Fix being unable to open empty zip file 2023-07-29 23:13:45 -07:00
Mark Adler
05527a1b1e Fix cast in minizip's ioapi.c for Windows. 2023-04-17 14:35:40 -07:00
Mark Adler
bf2578be2d Remove K&R function definitions from contrib/minizip. 2023-04-15 22:56:37 -07:00
Mark Adler
41fda48fc2 Change version number on develop branch to 1.2.13.1. 2022-10-15 09:02:21 -07:00
Mark Adler
04f42ceca4 zlib 1.2.13 2022-10-12 22:06:55 -07:00
Mark Adler
40c5a9bc06 Find other BSD's without *64 functions in contrib/minizip/ioapi.h. 2022-10-10 02:39:33 -07:00
Mark Adler
2bb4961990 Avoid C89 warning in contrib/minizip/crypt.h. 2022-10-10 01:01:38 -07:00
Mark Adler
e61ff990c0 Comment out unused code in contrib/minizip/minizip.c. 2022-10-09 21:26:39 -07:00
Mark Adler
4572dfbe99 Remove some harmless semicolons in minizip. 2022-10-06 20:43:19 -07:00
Mark Adler
138c93cffb Security and warning fixes for minizip. [gvollant]
Remove unused code and unnecessary test for free().
2022-10-06 20:43:18 -07:00
Mark Adler
9b291c9f01 Fix incorrect cast in minizip's ioapi.c. 2022-10-06 20:43:18 -07:00
Mark Adler
2d283adfee Fix c89 compatibility in minizip's ioapi.c. [gvollant] 2022-10-06 20:43:18 -07:00
Mark Adler
ce12773790 Fix compile with Windows 10 SDK. (gvollant) 2022-03-28 18:46:59 -07:00
Mark Adler
a4c17581d8 Change version number on develop branch to 1.2.12.1. 2022-03-27 18:07:49 -07:00
Mark Adler
21767c654d zlib 1.2.12 2022-03-27 16:05:02 -07:00
Mark Adler
2014a993ad Clean up minizip to reduce warnings for testing.
Also fix Makefile test target and permit added compile options.
2022-01-01 14:55:47 -08:00
Mark Adler
58ca4e57ce Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
The issue is that unztell64() does not return the correct value if
the position in the current file (in the ZIP archive) is beyond 4
GB. The cause is that unzReadCurrentFile() does not account for
pfile_in_zip_read_info->stream.total_out at line 1854 of unzip.c
wrapping around (it is a 32-bit variable). So, on line 1860
uTotalOutAfter can be *less* than uTotalOutBefore, propagating the
wraparound to uOutThis, which in turn is added to
pfile_in_zip_read_info->total_out_64. That has the effect of
subtracting 4 GB.
2022-01-01 12:09:30 -08:00
Mark Adler
b135d46eaf minizip warning fix if MAXU32 already defined. (gvollant) 2021-12-31 17:22:37 -08:00