Bug 222638

Summary: [PATCH] archivers/libzip: Update to 1.3.0, fixes security vulnerability
Product: Ports & Packages
Reporter: Dani I. <i.dani>
Component: Individual Port(s)
Assignee: Raphael Kubo da Costa <rakuco>
Status: Closed FIXED
Severity: Affects Some People
CC: i.dani, ports-secteam
Priority: ---
Keywords: patch
Version: Latest
Flags: rakuco: maintainer-feedback+
Hardware: Any
OS: Any
Attachments:
  Update to 1.3.0 (flags: none)

Description Dani I. 2017-09-27 10:07:06 UTC
Created attachment 186756 [details]
Update to 1.3.0

The current version available for FreeBSD is vulnerable since 02.09.2017 and has already been patched upstream.

See here: https://nih.at/libzip/NEWS.html

Vulnerabilities:
>> CVE-2017-12858: Fix double free().
>> CVE-2017-14107: Improve EOCD64 parsing.

Patch to update is attached. Thanks for a fast fix.

Update to 1.3.0.

Release notes: http://www.nih.at/libzip/NEWS.html
  - Update & Fix broken patch
  - Update & Fix pkg-plist
  - Fixes CVE-2017-12858 & CVE-2017-14107
Comment 1 Dani I. 2017-09-27 10:08:40 UTC
Poudriere output:
===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
===> No pkg-plist issues found (check-plist)
====>> Checking for staging violations... done
=======================<phase: package        >============================
===>  Building package for libzip-1.3.0
===========================================================================
=======================<phase: install-mtree  >============================
===========================================================================
====>> Recording filesystem state for preinst... done
=======================<phase: install        >============================
===>  Installing for libzip-1.3.0
===>  Checking if libzip already installed
===>   Registering installation for libzip-1.3.0
[fb103] Installing libzip-1.3.0...
===========================================================================
====>> Checking shared library dependencies
 0x0000000000000001 (NEEDED)             Shared library: [libbz2.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libzip.so.5]
=======================<phase: deinstall      >============================
===>  Deinstalling for libzip
===>   Deinstalling libzip-1.3.0
Updating database digests format: ... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
	libzip-1.3.0

Number of packages to be removed: 1
[fb103] [1/1] Deinstalling libzip-1.3.0...
[fb103] [1/1] Deleting files for libzip-1.3.0: .......... done
===========================================================================
====>> Checking for extra files and directories
=======================<phase: Interactive    >============================
[00:00:29] ====>> Installing packages
[00:00:29] ====>> Installing run-depends for archivers/libzip
[00:00:29] ====>> Installing archivers/libzip
[fb103] Installing libzip-1.3.0...
[fb103] Extracting libzip-1.3.0: 100%
[00:00:29] ====>> Installing local Pkg repository to /usr/local/etc/pkg/repos
[00:00:29] ====>> Entering interactive test mode. Type 'exit' when done.
Comment 2 Raphael Kubo da Costa freebsd_committer freebsd_triage 2017-09-27 10:23:09 UTC
Thanks for the heads-up, I'll be able to take a look at this later today.

This update also bumps libzip's SOVERSION from .4 to .5, which means all consumers need to be tested and have their PORTREVISIONs bumped. When this happens, I prefer to land the CVE fixes separately (so that it's also easier to backport them to our quarterly branch) and only then update the port to a new version.
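Comment 2 above points out that the SOVERSION bump from .4 to .5 means every port consuming libzip has to be rebuilt and get a PORTREVISION bump. The shell helpers below are an added example, not part of this bug report, the attached patch, or the FreeBSD ports tree: `dependent_ports` lists the ports whose Makefile names `libzip.so` in its LIB_DEPENDS, and `check_sover` reads `readelf -d` style output (the same NEEDED lines the poudriere log in comment 1 shows) and flags a binary that is still linked against the old `libzip.so.4`. The sample NEEDED lines are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `readelf -d` output for a libzip consumer that was
# built against the old library; modelled on the NEEDED lines in comment 1.
SAMPLE_NEEDED='0x0000000000000001 (NEEDED)             Shared library: [libbz2.so.4]
0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
0x0000000000000001 (NEEDED)             Shared library: [libz.so.6]
0x0000000000000001 (NEEDED)             Shared library: [libzip.so.4]'

# needed_sover LIBNAME
# Reads `readelf -d` output on stdin and prints the SOVERSION(s) that the
# binary's NEEDED entries request for LIBNAME (e.g. "libzip" -> "4").
needed_sover() {
    sed -n "s/.*(NEEDED).*\[$1\.so\.\([0-9][0-9]*\)\].*/\1/p"
}

# check_sover LIBNAME EXPECTED
# Returns 0 when every NEEDED reference to LIBNAME uses the expected
# SOVERSION, 1 when a stale version is referenced (the consumer must be
# rebuilt), 2 when the binary does not link LIBNAME at all.
check_sover() {
    lib=$1; want=$2
    got=$(needed_sover "$lib")
    [ -n "$got" ] || { echo "$lib: no NEEDED entry"; return 2; }
    for v in $got; do
        if [ "$v" != "$want" ]; then
            echo "$lib: linked against .so.$v, expected .so.$want (rebuild needed)"
            return 1
        fi
    done
    echo "$lib: .so.$want OK"
    return 0
}

# dependent_ports PORTSDIR
# Prints category/port for every port whose Makefile references libzip.so,
# i.e. the set of ports that need a PORTREVISION bump after the SOVERSION change.
dependent_ports() {
    grep -l 'libzip\.so' "$1"/*/*/Makefile 2>/dev/null \
        | sed "s|^$1/||; s|/Makefile\$||"
}

# Usage: a consumer built before the update still asks for libzip.so.4,
# so checking for the new .so.5 reports that it has to be rebuilt.
printf '%s\n' "$SAMPLE_NEEDED" | check_sover libzip 5 || :
```

On a real system the input would come from `readelf -d /usr/local/bin/<consumer>` (or the poudriere log), and `dependent_ports /usr/ports` gives the list of Makefiles to bump, which is how one arrives at a change set like the one in comment 8.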
Comment 3 Raphael Kubo da Costa freebsd_committer freebsd_triage 2017-09-27 16:40:03 UTC
According to https://security-tracker.debian.org/tracker/CVE-2017-12858, libzip 1.1.3 is not vulnerable. I can indeed verify there's no Winzip-related code in this version.

CVE-2017-14107 does affect us though, despite the fact that https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/ says the bug was introduced in 1.2.0.
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-09-27 16:50:39 UTC
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:50:21 UTC 2017
New revision: 450767
URL: https://svnweb.freebsd.org/changeset/ports/450767

Log:
  Fix version range for libzip's CVE-2017-14107 (r450692).

  I am going to land a fix for libzip 1.1.3 (the version currently in the ports
  tree) instead of updating the port to 1.3.0. 1.3.0 has a different SOVERSION
  number, which also requires updating dependent ports and makes MFH'ing the fix
  more difficult.

  PR:		222638

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-09-27 16:52:43 UTC
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:52:20 UTC 2017
New revision: 450768
URL: https://svnweb.freebsd.org/changeset/ports/450768

Log:
  Add a patch for CVE-2017-14107.

  This is a minor security vulnerability that can lead to a denial of service
  issue in libzip when a specially crafted archive is used.

  PR:		222638
  Security:	b2952517-07e5-4d19-8850-21c5b7e0623f
  Security:	CVE-2017-14107

Changes:
  head/archivers/libzip/Makefile
  head/archivers/libzip/files/patch-CVE-2017-14107
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-09-27 16:54:46 UTC
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:53:51 UTC 2017
New revision: 450769
URL: https://svnweb.freebsd.org/changeset/ports/450769

Log:
  MFH: r450768

  Add a patch for CVE-2017-14107.

  This is a minor security vulnerability that can lead to a denial of service
  issue in libzip when a specially crafted archive is used.

  PR:		222638
  Security:	b2952517-07e5-4d19-8850-21c5b7e0623f
  Security:	CVE-2017-14107

  Approved by:	ports-secteam (blanket approval)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/archivers/libzip/Makefile
  branches/2017Q3/archivers/libzip/files/patch-CVE-2017-14107
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-09-27 18:06:46 UTC
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 18:06:06 UTC 2017
New revision: 450774
URL: https://svnweb.freebsd.org/changeset/ports/450774

Log:
  Update libzip to 1.3.0.

  It includes the fix for CVE-2017-14107 (landed separately in r450768) as well
  as a fix for CVE-2017-12858, which did not affect us due to the fact that the
  vulnerability was introduced in 1.2.0.

  libzip.so's SOVERSION got bumped after the removal of the undocumented function
  zip_archive_set_tempdir(). All ports depending on libzip continue to build fine
  after that.

  PR:		222638
  Submitted by:	Dani <i.dani@outlook.com>

Changes:
  head/archivers/libzip/Makefile
  head/archivers/libzip/distinfo
  head/archivers/libzip/files/patch-CVE-2017-14107
  head/archivers/libzip/files/patch-lib__Makefile.in
  head/archivers/libzip/pkg-plist
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-09-27 18:08:50 UTC
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 18:08:16 UTC 2017
New revision: 450775
URL: https://svnweb.freebsd.org/changeset/ports/450775

Log:
  Bump PORTREVISION in ports depending on archivers/libzip.

  libzip was updated to 1.3.0 in r450774, and its SOVERSION went from .4 to .5
  after the removal of zip_archive_set_tempdir(). All dependent ports continue to
  build fine without that symbol.

  PR:		222638

Changes:
  head/archivers/php56-zip/Makefile
  head/archivers/php70-zip/Makefile
  head/archivers/php71-zip/Makefile
  head/audio/deadbeef/Makefile
  head/cad/repsnapper/Makefile
  head/comms/libconcord/Makefile
  head/deskutils/kchmviewer/Makefile
  head/devel/libsigrok/Makefile
  head/emulators/ppsspp/Makefile
  head/emulators/ppsspp-qt5/Makefile
  head/games/freedink-engine/Makefile
  head/games/naev/Makefile
  head/games/openrct2/Makefile
  head/graphics/pstoedit/Makefile
  head/math/sc-im/Makefile
  head/sysutils/fusefs-zip/Makefile
  head/textproc/ebook-tools/Makefile
  head/x11-fm/librfm/Makefile
Comment 9 Raphael Kubo da Costa freebsd_committer freebsd_triage 2017-09-27 18:09:25 UTC
Alright, everything's been taken care of now. Thanks for the patch!
Comment 10 Dani I. 2017-10-02 07:33:20 UTC
(In reply to Raphael Kubo da Costa from comment #9)
Thank you for taking care of this so fast! :-)