[Git][reproducible-builds/strip-nondeterminism][debian] 4 commits: Catch invalid ZIP "local" field lengths; we were previously inherently blindly…
Chris Lamb
gitlab at salsa.debian.org
Sun Nov 11 17:43:40 CET 2018
Chris Lamb pushed to branch debian at Reproducible Builds / strip-nondeterminism
Commits:
e5f5008e by Chris Lamb at 2018-11-09T15:59:50Z
Catch invalid ZIP "local" field lengths; we were previously blindly trusting the value supplied in the ZIP file. Thanks to Daniel Stender for the report. (Closes: #803503)
- - - - -
f3b9949f by Chris Lamb at 2018-11-11T16:41:17Z
Release version 0.45.0, moving to SemVer <https://semver.org/> versioning scheme.
- - - - -
feecfbf8 by Chris Lamb at 2018-11-11T16:42:05Z
Merge tag '0.45.0' into debian
Release version 0.45.0
* tag '0.45.0':
Release version 0.45.0, moving to SemVer <https://semver.org/> versioning scheme.
Catch invalid ZIP "local" field lengths; we were previously blindly trusting the value supplied in the ZIP file. Thanks to Daniel Stender for the report. (Closes: #803503)
- - - - -
330a9a42 by Chris Lamb at 2018-11-11T16:42:34Z
Update changelog for 0.45.0-1 release
- - - - -
5 changed files:
- debian/changelog
- lib/File/StripNondeterminism.pm
- lib/File/StripNondeterminism/handlers/zip.pm
- + t/fixtures/zip/bug_803503.zip.in
- + t/fixtures/zip/bug_803503.zip.out
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+strip-nondeterminism (0.45.0-1) unstable; urgency=medium
+
+ * Move to SemVer <https://semver.org/> versioning scheme.
+ * Catch invalid ZIP "local" field lengths; we were previously inherently
+ blindly the value supplied in the ZIP file. Thanks to Daniel Stender for
+ the report. (Closes: #803503)
+
+ -- Chris Lamb <lamby at debian.org> Sun, 11 Nov 2018 17:42:30 +0100
+
strip-nondeterminism (0.044-1) unstable; urgency=medium
[ Emmanuel Bourg ]
=====================================
lib/File/StripNondeterminism.pm
=====================================
@@ -25,7 +25,7 @@ use POSIX qw(tzset);
our($VERSION, $canonical_time, $clamp_time);
-$VERSION = '0.044'; # 0.044
+$VERSION = '0.45.0'; # <https://semver.org/>
sub init() {
$ENV{'TZ'} = 'UTC';
=====================================
lib/File/StripNondeterminism/handlers/zip.pm
=====================================
@@ -76,11 +76,6 @@ sub normalize_member($$) {
return 1;
}
-use constant {
- CENTRAL_HEADER => 0,
- LOCAL_HEADER => 1
-};
-
sub unixtime_to_winnt($) {
my $unixtime = shift || 0;
@@ -91,11 +86,10 @@ sub unixtime_to_winnt($) {
return $unixtime + $secondsdiff;
}
-sub normalize_extra_fields($$$) {
+sub normalize_extra_fields($$) {
# See http://sources.debian.net/src/zip/3.0-6/proginfo/extrafld.txt for extra field documentation
- # $header_type is CENTRAL_HEADER or LOCAL_HEADER.
# WARNING: some fields have a different format depending on the header type
- my ($canonical_time, $field, $header_type) = @_;
+ my ($canonical_time, $field) = @_;
my $result = "";
my $pos = 0;
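Review bot: The comment kept at `# WARNING: some fields have a different format depending on the header type` is no longer actionable: with `$header_type` dropped from the signature, normalize_extra_fields can no longer tell a central-directory extra field from a local one, and the caller (visible further down in this diff) now pushes both `cdExtraField` and `localExtraField` through the same call. Either reword it to state the new contract, e.g. `# NOTE: called for both cdExtraField and localExtraField; the two are parsed identically, so no per-header-type layout is handled here.`, or drop it so a reader does not go looking for a switch that no longer exists. The body of normalize_extra_fields continues past the end of this hunk.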
@@ -149,6 +143,12 @@ sub normalize_extra_fields($$$) {
$result .= substr($field, $pos + 4, $len);
}
} else {
+ # Catch invalid field lengths by calculating whether we would
+ # read beyond the end of the file.
+ if ($pos + $len >= length($field)) {
+ warn "strip-nondeterminism: invalid extra field length ($len)";
+ return;
+ }
# use the current extra field unmodified.
$result .= substr($field, $pos, $len+4);
}
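Review bot: The bound in the added guard is three bytes short: the fallback branch copies `$len+4` bytes starting at `$pos` (the 4-byte ID/size header plus the data), so the read overruns when `$pos + 4 + $len > length($field)`, yet the check only fires when `$pos + $len >= length($field)`, which lets a declared length that overshoots the buffer by one to three bytes through, where `substr` silently returns a short string and the truncated field is written back. Change the condition to `if ($pos + 4 + $len > length($field)) {`, which still accepts a field that ends exactly at the end of the buffer. The same `$len` is used unguarded by the recognised-field branch at `$result .= substr($field, $pos + 4, $len);` just above, so the check belongs before the if/else so both paths are covered; that branch's condition and the enclosing loop begin outside this hunk. Including `$pos` and `length($field)` in the warning text would also make the report easier to trace back to the offending member.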
@@ -209,10 +209,11 @@ sub normalize {
? oct(755)
: oct(644));
}
- $member->cdExtraField(
- normalize_extra_fields($canonical_time, $member->cdExtraField(), CENTRAL_HEADER));
- $member->localExtraField(
- normalize_extra_fields($canonical_time, $member->localExtraField(), LOCAL_HEADER));
+ foreach my $x (qw(cdExtraField localExtraField)) {
+ my $result = normalize_extra_fields($canonical_time, $member->$x);
+ return 0 unless defined $result;
+ $member->$x($result);
+ }
}
my $old_perms = (stat($zip_filename))[2] & oct(7777);
$zip->overwrite();
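Review bot: `return 0 unless defined $result;` is the only early exit before `$zip->overwrite()`, and nothing says why aborting the whole archive, rather than skipping the one bad field, is the intended outcome; the new fixture `bug_803503.zip.out` apparently names the unmodified input as the expected result, so the choice looks deliberate and deserves a comment such as `# A malformed extra field means the header cannot be trusted; leave the archive untouched rather than write back a corrupt one.`. The member loop and the normalize function itself start before this hunk, so the effect of the `return 0` on callers cannot be confirmed from here.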
=====================================
t/fixtures/zip/bug_803503.zip.in
=====================================
Binary files /dev/null and b/t/fixtures/zip/bug_803503.zip.in differ
=====================================
t/fixtures/zip/bug_803503.zip.out
=====================================
@@ -0,0 +1 @@
+bug_803503.zip.in
\ No newline at end of file