From unknown Thu Aug 14 21:50:45 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#27365 <27365@debbugs.gnu.org>
To: bug#27365 <27365@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.
Reply-To: bug#27365 <27365@debbugs.gnu.org>
Date: Fri, 15 Aug 2025 04:50:45 +0000

retitle 27365 [PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,=
5981}.
reassign 27365 guix-patches
submitter 27365 Leo Famulari <leo@famulari.name>
severity 27365 normal
tag 27365 patch fixed

thanks


From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 14 16:36:50 2017
Received: (at submit) by debbugs.gnu.org; 14 Jun 2017 20:36:50 +0000
Received: from localhost ([127.0.0.1]:48026 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dLF22-0002bq-Bd
	for submit@debbugs.gnu.org; Wed, 14 Jun 2017 16:36:50 -0400
Received: from eggs.gnu.org ([208.118.235.92]:45157)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1dLF1y-0002bZ-Qq
 for submit@debbugs.gnu.org; Wed, 14 Jun 2017 16:36:49 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dLF1r-0007cQ-Pw
 for submit@debbugs.gnu.org; Wed, 14 Jun 2017 16:36:41 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_40,T_DKIM_INVALID,
 UNWANTED_LANGUAGE_BODY autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:40779)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dLF1r-0007cM-M0
 for submit@debbugs.gnu.org; Wed, 14 Jun 2017 16:36:39 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36115)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dLF1p-0005YW-LM
 for guix-patches@gnu.org; Wed, 14 Jun 2017 16:36:39 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dLF1m-0007Yo-4W
 for guix-patches@gnu.org; Wed, 14 Jun 2017 16:36:37 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:40453)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dLF1l-0007Xm-UZ
 for guix-patches@gnu.org; Wed, 14 Jun 2017 16:36:34 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 2795620B12;
 Wed, 14 Jun 2017 16:36:32 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Wed, 14 Jun 2017 16:36:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:message-id:subject:to:x-me-sender:x-me-sender
 :x-sasl-enc:x-sasl-enc; s=mesmtp; bh=ES/Nbn9FLkSu4kjblYOiAoOAbxK
 28XLxtXZ5rDa+u1s=; b=t9/7oodoL4AhqjELJQE3DF0miVsrOHlv661UxtUH1NC
 gwIWFlTKY3yUflhD2G4ilh8SZNiTMyXjgNZ8BhV26Avj6VeDK/2o68aWrU5gQVFd
 po+TAOdncZsdSsY3PiGULXGct7TWOJhWQL2mBFJ1NOWz78DXxaYzf04G3U119cvM
 =
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=date:from:message-id:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=ES/Nbn
 9FLkSu4kjblYOiAoOAbxK28XLxtXZ5rDa+u1s=; b=FmeQzih8v4Yf1HEN5bynt4
 1+vsEoUjN0w+SrvLz9Yf8TSniHAITpBEU6hY1HzOclRZ5aNxfPwqRGLiwHVz25C5
 Tiz2IrR5mZW+81deujpalxWw5dIWFnhL1wmmW+Ton6RSFO/L+whK4+XCUzYfi9DE
 E/f1aSLzWrhQGJseJB0SyTeLTKCxXrL9/pX76rB9FOlosJufv4w7SmShPCltrpuk
 IaIjv7twL7ubjMjfXEvZEvhV3eSNCQDyEK6XjYBtScQob8zr6zPkVOBpWJkktZF9
 P6pZwRA/U78veEy1AuTUt7PHiukFF6txIzef06FQrmEs07F9g/LkyA5+8p0h6d1w
 ==
X-ME-Sender: <xms:UJ5BWZzF8CA_mSSLtwRlQ6l3TtPLqw02UUIQOR3UIjyR2nc5QV9iCw>
X-Sasl-enc: zmUOAADP61SK6tFjR5645VT0MKDwwuUwq6Da2CEH5ZKx 1497472591
Received: from jasmine.lan (c-71-230-114-75.hsd1.pa.comcast.net
 [71.230.114.75])
 by mail.messagingengine.com (Postfix) with ESMTPA id BA89B24850
 for <guix-patches@gnu.org>; Wed, 14 Jun 2017 16:36:31 -0400 (EDT)
From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: zziplib: Fix CVE-2017-{5974,5975,5976,5978,5979,5981}.
Date: Wed, 14 Jun 2017 16:36:27 -0400
Message-Id: <c742c0c091fc61c8497bb7471bb642d145c15f16.1497472587.git.leo@famulari.name>
X-Mailer: git-send-email 2.13.1
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -4.1 (----)

* gnu/packages/patches/zziplib-CVE-2017-5974.patch,
gnu/packages/patches/zziplib-CVE-2017-5975.patch,
gnu/packages/patches/zziplib-CVE-2017-5976.patch,
gnu/packages/patches/zziplib-CVE-2017-5978.patch,
gnu/packages/patches/zziplib-CVE-2017-5979.patch,
gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (zziplib)[source]: Use them.
---
 gnu/local.mk                                     |  8 +++-
 gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 +++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 +++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 ++++++++++++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 ++++++++++++++
 gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 ++++++++
 gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 ++++++++
 gnu/packages/zip.scm                             |  6 +++
 8 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5974.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5975.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5976.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5978.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5979.patch
 create mode 100644 gnu/packages/patches/zziplib-CVE-2017-5981.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..5e2fa7a5e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1085,7 +1085,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
-  %D%/packages/patches/zathura-plugindir-environment-variable.patch
+  %D%/packages/patches/zathura-plugindir-environment-variable.patch	\
+  %D%/packages/patches/zziplib-CVE-2017-5974.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5975.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5976.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5978.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5979.patch		\
+  %D%/packages/patches/zziplib-CVE-2017-5981.patch
 
 MISC_DISTRO_FILES =				\
   %D%/packages/ld-wrapper.in
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
new file mode 100644
index 000000000..9ae02103e
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-5974:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         /* override sizes/offsets with zip64 values for largefile support */
+         zzip_extra_zip64 *block = (zzip_extra_zip64 *)
+             zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
+-        if (block)
++        if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
+         {
+-            item->zz_usize = __zzip_get64(block->z_usize);
+-            item->zz_csize = __zzip_get64(block->z_csize);
+-            item->zz_offset = __zzip_get64(block->z_offset);
+-            item->zz_diskstart = __zzip_get32(block->z_diskstart);
++            item->zz_usize = ZZIP_GET64(block->z_usize);
++            item->zz_csize = ZZIP_GET64(block->z_csize);
++            item->zz_offset = ZZIP_GET64(block->z_offset);
++            item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
+         }
+     }
+     /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
new file mode 100644
index 000000000..fad174b05
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         return 0;               /* errno=ENOMEM; */
+     ___ struct zzip_file_header *header =
+         zzip_disk_entry_to_file_header(disk, entry);
++    if (!header)
++	{ free(item); return 0; }
+     /*  there is a number of duplicated information in the file header
+      *  or the disk entry block. Theoretically some part may be missing
+      *  that exists in the other, ... but we will prefer the disk entry.
+Index: zziplib-0.13.62/zzip/mmapped.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/mmapped.c
++++ zziplib-0.13.62/zzip/mmapped.c
+@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
+         (disk->buffer + zzip_disk_entry_fileoffset(entry));
+     if (disk->buffer > file_header || file_header >= disk->endbuf)
+         return 0;
++    if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
++        return 0;
+     return (struct zzip_file_header *) file_header;
+ }
+ 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
new file mode 100644
index 000000000..17fc30e30
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-5976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         {
+             void *mem = malloc(ext1 + 2);
+             item->zz_ext[1] = mem;
++	    item->zz_extlen[1] = ext1 + 2;
+             memcpy(mem, ptr1, ext1);
+             ((char *) (mem))[ext1 + 0] = 0;
+             ((char *) (mem))[ext1 + 1] = 0;
+@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         {
+             void *mem = malloc(ext2 + 2);
+             item->zz_ext[2] = mem;
++	    item->zz_extlen[2] = ext2 + 2;
+             memcpy(mem, ptr2, ext2);
+             ((char *) (mem))[ext2 + 0] = 0;
+             ((char *) (mem))[ext2 + 1] = 0;
+@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+     while (1)
+     {
+         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
+-        if (ext)
++        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
+         {
++	    char *endblock = (char *)ext + entry->zz_extlen[i];
++
+             while (*(short *) (ext->z_datatype))
+             {
+                 if (datatype == zzip_extra_block_get_datatype(ext))
+@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
+                 e += zzip_extra_block_headerlength;
+                 e += zzip_extra_block_get_datasize(ext);
+                 ext = (void *) e;
++		if (e >= endblock)
++		{
++		    break;
++		}
+                 ____;
+             }
+         }
+Index: zziplib-0.13.62/zzip/memdisk.h
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.h
++++ zziplib-0.13.62/zzip/memdisk.h
+@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
+     int              zz_filetype;  /* (from "z_filetype") */
+     char*            zz_comment;   /* zero-terminated (from "comment") */
+     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
++    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
+ };                                 /* the extra blocks are NOT converted */
+ 
+ #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
new file mode 100644
index 000000000..452b14f80
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-5978:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/memdisk.c
++++ zziplib-0.13.62/zzip/memdisk.c
+@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+      *  that exists in the other, ... but we will prefer the disk entry.
+      */
+     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
+-    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
++    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
+     item->zz_data = zzip_file_header_to_data(header);
+     item->zz_flags = zzip_disk_entry_get_flags(entry);
+     item->zz_compr = zzip_disk_entry_get_compr(entry);
+@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+         int /*            */ ext2 = zzip_file_header_get_extras(header);
+         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
+ 
+-        if (ext1)
++        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
+         {
+             void *mem = malloc(ext1 + 2);
+             item->zz_ext[1] = mem;
+@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+             ((char *) (mem))[ext1 + 0] = 0;
+             ((char *) (mem))[ext1 + 1] = 0;
+         }
+-        if (ext2)
++        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
+         {
+             void *mem = malloc(ext2 + 2);
+             item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
new file mode 100644
index 000000000..b38f50b17
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5979:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
+
+Patch copied from Debian.
+
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
+         return 0;
+     /* we read out chunks of 8 KiB in the hope to match disk granularity */
+     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
+-    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
++    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
+     if (! entry)
+         return 0;
+     ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
new file mode 100644
index 000000000..ed82cb3b9
--- /dev/null
+++ b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
@@ -0,0 +1,19 @@
+Fix CVE-2017-5981:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
+
+Patch copied from Debian.
+Index: zziplib-0.13.62/zzip/fseeko.c
+===================================================================
+--- zziplib-0.13.62.orig/zzip/fseeko.c
++++ zziplib-0.13.62/zzip/fseeko.c
+@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
+             } else
+                 continue;
+ 
+-            assert(0 <= root && root < mapsize);
++	    if (root < 0 || root >= mapsize)
++	        goto error;
+             if (fseeko(disk, root, SEEK_SET) == -1)
+                 goto error;
+             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm
index 8feb4fea2..018891359 100644
--- a/gnu/packages/zip.scm
+++ b/gnu/packages/zip.scm
@@ -136,6 +136,12 @@ recreates the stored directory structure by default.")
       (uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
                           version "/zziplib-"
                           version ".tar.bz2"))
+      (patches (search-patches "zziplib-CVE-2017-5974.patch"
+                               "zziplib-CVE-2017-5975.patch"
+                               "zziplib-CVE-2017-5976.patch"
+                               "zziplib-CVE-2017-5978.patch"
+                               "zziplib-CVE-2017-5979.patch"
+                               "zziplib-CVE-2017-5981.patch"))
       (sha256
        (base32
         "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
-- 
2.13.1





From debbugs-submit-bounces@debbugs.gnu.org Thu Jun 15 04:08:51 2017
Received: (at 27365) by debbugs.gnu.org; 15 Jun 2017 08:08:51 +0000
Received: from localhost ([127.0.0.1]:48484 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dLPpi-00031D-Ar
	for submit@debbugs.gnu.org; Thu, 15 Jun 2017 04:08:51 -0400
Received: from eggs.gnu.org ([208.118.235.92]:41254)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1dLPpf-00030v-30
 for 27365@debbugs.gnu.org; Thu, 15 Jun 2017 04:08:49 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1dLPpW-0007TA-36
 for 27365@debbugs.gnu.org; Thu, 15 Jun 2017 04:08:42 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:46675)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1dLPpV-0007T6-WA; Thu, 15 Jun 2017 04:08:38 -0400
Received: from [193.50.110.101] (port=45358 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1dLPpU-0001Xm-Jn; Thu, 15 Jun 2017 04:08:37 -0400
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27365] [PATCH] gnu: zziplib: Fix CVE-2017-{5974, 5975, 5976,
 5978, 5979, 5981}.
References: <c742c0c091fc61c8497bb7471bb642d145c15f16.1497472587.git.leo@famulari.name>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 27 Prairial an 225 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Thu, 15 Jun 2017 10:08:34 +0200
In-Reply-To: <c742c0c091fc61c8497bb7471bb642d145c15f16.1497472587.git.leo@famulari.name>
 (Leo Famulari's message of "Wed, 14 Jun 2017 16:36:27 -0400")
Message-ID: <87shj14qrh.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 27365
Cc: 27365@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/zziplib-CVE-2017-5974.patch,
> gnu/packages/patches/zziplib-CVE-2017-5975.patch,
> gnu/packages/patches/zziplib-CVE-2017-5976.patch,
> gnu/packages/patches/zziplib-CVE-2017-5978.patch,
> gnu/packages/patches/zziplib-CVE-2017-5979.patch,
> gnu/packages/patches/zziplib-CVE-2017-5981.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/zip.scm (zziplib)[source]: Use them.

LGTM.  Thanks for taking care of it!

Ludo=E2=80=99.




From debbugs-submit-bounces@debbugs.gnu.org Fri Sep 01 18:24:09 2017
Received: (at control) by debbugs.gnu.org; 1 Sep 2017 22:24:09 +0000
Received: from localhost ([127.0.0.1]:40727 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dnuMD-0002HF-6j
	for submit@debbugs.gnu.org; Fri, 01 Sep 2017 18:24:09 -0400
Received: from eggs.gnu.org ([208.118.235.92]:42910)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1dnuMC-0002Gv-4m
 for control@debbugs.gnu.org; Fri, 01 Sep 2017 18:24:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1dnuM6-0000jY-60
 for control@debbugs.gnu.org; Fri, 01 Sep 2017 18:24:02 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:50126)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1dnuM6-0000jO-2j
 for control@debbugs.gnu.org; Fri, 01 Sep 2017 18:24:02 -0400
Received: from [2a01:e0a:1d:7270:6a6c:dc17:fc02:cfda] (port=41598 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>) id 1dnuM5-0000qT-IN
 for control@debbugs.gnu.org; Fri, 01 Sep 2017 18:24:01 -0400
Date: Sat, 02 Sep 2017 00:24:00 +0200
Message-Id: <87ziaexdkv.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: control message for bug #27365
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

tags 27365 fixed
close 27365 




From unknown Thu Aug 14 21:50:45 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Sat, 30 Sep 2017 11:24:07 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator