From unknown Sun Aug 10 00:25:42 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Resent-From: Zephyr official <zephyrofficialdiscord@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gzip@gnu.org
Resent-Date: Fri, 30 May 2025 03:59:02 +0000
Resent-Message-ID: <handler.78639.B.174857750220929@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 78639
X-GNU-PR-Package: gzip
X-GNU-PR-Keywords: 
To: 78639@debbugs.gnu.org
X-Debbugs-Original-To: bug-gzip@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.174857750220929
          (code B ref -1); Fri, 30 May 2025 03:59:02 +0000
Received: (at submit) by debbugs.gnu.org; 30 May 2025 03:58:22 +0000
Received: from localhost ([127.0.0.1]:42762 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1uKqsv-0005RU-AI
	for submit@debbugs.gnu.org; Thu, 29 May 2025 23:58:22 -0400
Received: from lists.gnu.org ([2001:470:142::17]:33254)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnZA-0005GM-17
 for submit@debbugs.gnu.org; Thu, 29 May 2025 20:25:44 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnYx-0008Hi-Jq
 for bug-gzip@gnu.org; Thu, 29 May 2025 20:25:33 -0400
Received: from mail-pf1-x42b.google.com ([2607:f8b0:4864:20::42b])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnYv-0003dz-Ra
 for bug-gzip@gnu.org; Thu, 29 May 2025 20:25:31 -0400
Received: by mail-pf1-x42b.google.com with SMTP id
 d2e1a72fcca58-7425bd5a83aso1216308b3a.0
 for <bug-gzip@gnu.org>; Thu, 29 May 2025 17:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1748564726; x=1749169526; darn=gnu.org;
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
 :date:message-id:reply-to;
 bh=+VQM9mAXyLZX0sfH3EMpSe/yMggEGmbyONK0wsnDIv0=;
 b=I/HqdFZreR8aRNXJySOw0jhsWP70kfhbFpW+9v/EQ+S0In3F1guxTnT8yc3iGe6GI/
 dS1JilhdW6vj2vcvkpPnpZtgcjkByKxt0TgDGFFkyU6dQ9favejCVDjX+uWpX1/Pbr9D
 oIm2qi0lsNtt0uy58nU9eTGOWlIDvypGhD7IOonbFnU1O0lQo89rlrmtVN44Rb9Z444C
 VQ6trQcE3rqzNReNR7mK705UUQ+nZgi+PdZsKSf7fyuy5rlcj4PUw9G1+H+faML6FTCo
 XBqTDlfb/GAF3u5yDgYnuMm8k4IRMIPFMYYe8vV7jxEmZhvOEt6iq25E5vXFwZ3IgaKN
 Yosw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1748564726; x=1749169526;
 h=to:subject:message-id:date:from:mime-version:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=+VQM9mAXyLZX0sfH3EMpSe/yMggEGmbyONK0wsnDIv0=;
 b=rAxy/CaQViEJ0ZW0PFRvmHon9/6Q1ApYuHJ261eTJ3DJY13hHxLgNJAr5oqFvV1NOV
 4FciOSTRttb6fLrsGjun59fJZpuP6YbpizNDVoNJZTdTTERJ/8GxphNG8UqlV5ppMuz+
 314xRRlCQrkv0RskFs1MubG1CDA6mdJ5VniWBYQRYQhYShzkEieKPVPkU0hlrOhyZKjR
 O2CkdvDNUX/vir9JFj8tw/buhpqL/FVmYeSM0+3Pm+uZMLPBycgaOtwC1le6Uia+zMbS
 cCoWNxDaNcABSfEDfhvboZ8uDdmAhZbjgVBdAzx0jWAnaWYiA6zfPJFywkISf54eNkLu
 RQYg==
X-Gm-Message-State: AOJu0YzZ2HsCSn5aYjUVQwI7zcRsZEmCPRpLGjJbtptRRYAG8oqSP1dx
 FR3vTPB/IlsjBpD+OLJOW1fthEozKe1X1mxORL3pvc6Ktj7hsfoP/KheU1xi4JscscltxzoGW9L
 evXlKfHjC65eoKUXXQN54kbqFjfwfrat2vhbA+1s=
X-Gm-Gg: ASbGnctAdmUkmCAjJY5O04VBKw41WpWiRu229UTzV6fTueKyehIxDFxbjfWToz2beXQ
 gftwQKaNR/iFqcBuopESAQjFk2itetuNa31Y+2qRLVsjKfiYSu1bVUqgSjhJ38qkt9kKTlASkXi
 jjn/8KdraP+PchkzzcnFQGRVs75DYGh3Ow4ntS7JExwXYuxSi/WhFqGkY=
X-Google-Smtp-Source: AGHT+IF3uGXKC5+2Lms9Wv1KntiNtVf0JZx4oaaS/k4a5g3kpSnCWSSv6ovhkMxLVAq3m93PMfASU5mRBTj1xdERvVM=
X-Received: by 2002:a05:6a00:22cb:b0:742:3cc1:9485 with SMTP id
 d2e1a72fcca58-747bd98230bmr1988206b3a.12.1748564726334; Thu, 29 May 2025
 17:25:26 -0700 (PDT)
MIME-Version: 1.0
From: Zephyr official <zephyrofficialdiscord@gmail.com>
Date: Fri, 30 May 2025 01:25:14 +0100
X-Gm-Features: AX0GCFtaWC7SGIYavhSp1GP3Z7-zemklKm_TCE2taoH2gLagrNUqYswN0v4QygI
Message-ID: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="00000000000061493c06364f73a3"
Received-SPF: pass client-ip=2607:f8b0:4864:20::42b;
 envelope-from=zephyrofficialdiscord@gmail.com; helo=mail-pf1-x42b.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Mailman-Approved-At: Thu, 29 May 2025 23:58:20 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

--00000000000061493c06364f73a3
Content-Type: text/plain; charset="UTF-8"

Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);

Best regards,
Mohamed Maatallah

--00000000000061493c06364f73a3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi gzip maintainers,<br><br>An out-of-bounds / uninitialis=
ed read occurs in unzip.c:check_zipfile()<br>when the PKZIP local header is=
 shorter than 30 bytes (CWE-457, CWE-125).<br><br>Reproduction (on 1.14, Li=
nux x86-64, gcc 13.3):<br><br>=C2=A0 =C2=A0 printf &#39;%s&#39; \<br>=C2=A0=
 =C2=A0 =C2=A0 504B0304 1400 0000 0000 0000 0000 00000000 \<br>=C2=A0 =C2=
=A0 =C2=A0 01000000 01000000 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 | xxd -r -p=
 &gt; poc.zip<br><br>=C2=A0 =C2=A0 valgrind --track-origins=3Dyes ./gzip -t=
v poc.zip<br>=C2=A0 =C2=A0 # conditional jump depends on uninitialised valu=
e(s) in check_zipfile()<br><br>Minimal fix:<br><br>--- a/unzip.c<br>+++ b/u=
nzip.c<br>@@<br>=C2=A0 =C2=A0 =C2=A0uch *h =3D inbuf + inptr;<br>+ =C2=A0 =
=C2=A0if (insize - inptr &lt; LOCHDR) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0/* =
need full header */<br>+ =C2=A0 =C2=A0 =C2=A0 =C2=A0goto bad_zip;<br>=C2=A0=
 =C2=A0 =C2=A0inptr +=3D LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);<br><br>B=
est regards,<br>Mohamed Maatallah<br></div>

--00000000000061493c06364f73a3--




From unknown Sun Aug 10 00:25:42 2025
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
X-Loop: help-debbugs@gnu.org
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Zephyr official <zephyrofficialdiscord@gmail.com>
Subject: bug#78639: closed (Re: bug#78639: Uninitialised read in
 check_zipfile() (gzip 1.14))
Message-ID: <handler.78639.D78639.174858543414438.notifdone@debbugs.gnu.org>
References: <9e53cf8c-5694-45e8-a76d-5394c05dd6e2@cs.ucla.edu>
 <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
X-Gnu-PR-Message: they-closed 78639
X-Gnu-PR-Package: gzip
Reply-To: 78639@debbugs.gnu.org
Date: Fri, 30 May 2025 06:11:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1748585462-14557-1"

This is a multi-part message in MIME format...

------------=_1748585462-14557-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your bug report

#78639: Uninitialised read in check_zipfile() (gzip 1.14)

which was filed against the gzip package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 78639@debbugs.gnu.org.

--=20
78639: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D78639
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1748585462-14557-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 78639-done) by debbugs.gnu.org; 30 May 2025 06:10:34 +0000
Received: from localhost ([127.0.0.1]:44102 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1uKswp-0003kZ-4h
	for submit@debbugs.gnu.org; Fri, 30 May 2025 02:10:34 -0400
Received: from mail.cs.ucla.edu ([131.179.128.66]:59732)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eggert@cs.ucla.edu>)
 id 1uKswk-0003jz-38
 for 78639-done@debbugs.gnu.org; Fri, 30 May 2025 02:10:29 -0400
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id 902403C010841;
 Thu, 29 May 2025 23:10:19 -0700 (PDT)
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10032) with ESMTP
 id SznRjg0RN68V; Thu, 29 May 2025 23:10:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id 67ABF3C0149CF;
 Thu, 29 May 2025 23:10:19 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cs.ucla.edu 67ABF3C0149CF
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.ucla.edu;
 s=9D0B346E-2AEB-11ED-9476-E14B719DCE6C; t=1748585419;
 bh=ABURa39XAGJAmj9vmoLXUY0lGJZ0YALeojK8Nj+Cwco=;
 h=Message-ID:Date:MIME-Version:To:From;
 b=MyAUXJtRvorFn8Gf0ZB3MuEABhzqJdSp9f6DDnJqulWKv+iXaRdh1yaLgfkU5ZEHK
 BVjgVhm9bj9Uq+L6p2NegdlGJY8GMxFAr6PaOAiI+kg6bKBMM2uWafxJZckbS892NR
 4QN84UDEB55+mXKjOvQoyFYQeOlUBBQKWzWu9J/cyNXSTedkIBUByvUYBdsOWJaxY+
 hXUEqbKl/RJnWIJNGijrlQ3xFrz8udAASZhFlVgpQ1RQoc1iFEC5LsLuyjz1Yx8HZm
 +JJQDOLdgkWWGiyggFrXIWaPbg4OBI2Cnw1c5npkO3DXVwRM84vUVFk8TjvI3E++iv
 S2sgqIkFEd+yA==
X-Virus-Scanned: amavis at mail.cs.ucla.edu
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10026) with ESMTP
 id awpBDgVhP7WO; Thu, 29 May 2025 23:10:19 -0700 (PDT)
Received: from penguin.cs.ucla.edu (unknown [47.143.215.226])
 by mail.cs.ucla.edu (Postfix) with ESMTPSA id 404103C010841;
 Thu, 29 May 2025 23:10:19 -0700 (PDT)
Content-Type: multipart/mixed; boundary="------------rSCZlHfUSnbt1fcrACjJ8u2k"
Message-ID: <9e53cf8c-5694-45e8-a76d-5394c05dd6e2@cs.ucla.edu>
Date: Thu, 29 May 2025 23:10:18 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
To: Zephyr official <zephyrofficialdiscord@gmail.com>
References: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
Content-Language: en-US
From: Paul Eggert <eggert@cs.ucla.edu>
Organization: UCLA Computer Science Department
In-Reply-To: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 78639-done
Cc: 78639-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------rSCZlHfUSnbt1fcrACjJ8u2k
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Thanks for the bug report and proposed fix. I installed the attached, 
which should fix the gzip bug in a different way.

I think the bug is innocuous in practice, but it's good to fix it anyway 
as these things tend to mushroom.
--------------rSCZlHfUSnbt1fcrACjJ8u2k
Content-Type: text/x-patch; charset=UTF-8;
 name="0001-gzip-fix-uninitialized-read.patch"
Content-Disposition: attachment;
 filename="0001-gzip-fix-uninitialized-read.patch"
Content-Transfer-Encoding: base64

RnJvbSBjNWU3ODk5NzFkZmJjOTk5Y2RlNWQxY2U1MjZhNDQyMjMxMDYxN2I4IE1vbiBTZXAg
MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBQYXVsIEVnZ2VydCA8ZWdnZXJ0QGNzLnVjbGEuZWR1
PgpEYXRlOiBUaHUsIDI5IE1heSAyMDI1IDIzOjA2OjE5IC0wNzAwClN1YmplY3Q6IFtQQVRD
SF0gZ3ppcDogZml4IHVuaW5pdGlhbGl6ZWQgcmVhZApNSU1FLVZlcnNpb246IDEuMApDb250
ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9VVRGLTgKQ29udGVudC1UcmFuc2Zlci1F
bmNvZGluZzogOGJpdAoKUHJvYmxlbSByZXBvcnRlZCBieSBNb2hhbWVkIE1hYXRhbGxhaCA8
aHR0cHM6Ly9idWdzLmdudS5vcmcvNzg2Mzk+LgoqIHVuemlwLmMgKGNoZWNrX3ppcGZpbGUp
OgpEb27igJl0IHJlYWQgcGFzdCBlbmQgb2YgaW5pdGlhbGl6ZWQgZGF0YSBpbiB0aGUgaW5w
dXQgYnVmZmVyLgotLS0KIE5FV1MgICAgfCA1ICsrKysrCiBUSEFOS1MgIHwgMSArCiB1bnpp
cC5jIHwgNCArKystCiAzIGZpbGVzIGNoYW5nZWQsIDkgaW5zZXJ0aW9ucygrKSwgMSBkZWxl
dGlvbigtKQoKZGlmZiAtLWdpdCBhL05FV1MgYi9ORVdTCmluZGV4IDE2OTg0MDEuLjliZTFh
ODcgMTAwNjQ0Ci0tLSBhL05FV1MKKysrIGIvTkVXUwpAQCAtMiw2ICsyLDExIEBAIEdOVSBn
emlwIE5FV1MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtKi0gb3V0bGlu
ZSAtKi0KIAogKiBOb3Rld29ydGh5IGNoYW5nZXMgaW4gcmVsZWFzZSA/Lj8gKD8/Pz8tPz8t
Pz8pIFs/XQogCisqKiBCdWcgZml4ZXMKKworICBBIHVzZSBvZiB1bmluaXRpYWxpemVkIG1l
bW9yeSBvbiBzb21lIG1hbGZvcm1lZCBpbnB1dHMgaGFzIGJlZW4gZml4ZWQuCisgIFtidWcg
cHJlc2VudCBzaW5jZSB0aGUgYmVnaW5uaW5nXQorCiAKICogTm90ZXdvcnRoeSBjaGFuZ2Vz
IGluIHJlbGVhc2UgMS4xNCAoMjAyNS0wNC0wOSkgW3N0YWJsZV0KIApkaWZmIC0tZ2l0IGEv
VEhBTktTIGIvVEhBTktTCmluZGV4IDYzNzNmZWEuLjRlNTQ1ZDkgMTAwNjQ0Ci0tLSBhL1RI
QU5LUworKysgYi9USEFOS1MKQEAgLTE4NCw2ICsxODQsNyBAQCBEYXZpZCBSLiBMaW5uCQlk
cmxAdnVzZS52YW5kZXJiaWx0LmVkdQogQW50b25pbyBMaW95ICAgICAgICAgICAgY2F0QGF0
aGVuYS5wb2xpdG8uaXQKIEphbWllIExva2llciAgICAgICAgICAgIHU5MGpsQGVjcy5veGZv
cmQuYWMudWsKIFJpY2hhcmQgTGxveWQgICAgICAgICAgIFIuSy5MbG95ZEBjc2MubGl2LmFj
LnVrCitNb2hhbWVkIE1hYXRhbGxhaAl6ZXBoeXJvZmZpY2lhbGRpc2NvcmRAZ21haWwuY29t
CiBEYXZpZCBKLiBNYWNLZW56aWUJZGptQGVuZy51bWQuZWR1CiBKb2huIFIgTWFjTWlsbGFu
ICAgICAgICBqb2huQGNoYW5jZS5ndHMub3JnCiBSb24gTWFsZSAgICAgICAgICAgICAgICBt
YWxlQGVzby5tYy54ZXJveC5jb20KZGlmZiAtLWdpdCBhL3VuemlwLmMgYi91bnppcC5jCmlu
ZGV4IDk4ODA0MDguLjFiZDljYTcgMTAwNjQ0Ci0tLSBhL3VuemlwLmMKKysrIGIvdW56aXAu
YwpAQCAtNjksNyArNjksOSBAQCBjaGVja196aXBmaWxlIChpbnQgaW4pCiAgICAgaWZkID0g
aW47CiAKICAgICAvKiBDaGVjayB2YWxpZGl0eSBvZiBsb2NhbCBoZWFkZXIsIGFuZCBza2lw
IG5hbWUgYW5kIGV4dHJhIGZpZWxkcyAqLwotICAgIGlucHRyICs9IExPQ0hEUiArIFNIKGgg
KyBMT0NGSUwpICsgU0goaCArIExPQ0VYVCk7CisgICAgaW5wdHIgKz0gTE9DSERSOworICAg
IGlmIChpbnB0ciA8PSBpbnNpemUpCisgICAgICBpbnB0ciArPSBTSChoICsgTE9DRklMKSAr
IFNIKGggKyBMT0NFWFQpOwogCiAgICAgaWYgKGlucHRyID4gaW5zaXplIHx8IExHKGgpICE9
IExPQ1NJRykgewogICAgICAgICBmcHJpbnRmKHN0ZGVyciwgIlxuJXM6ICVzOiBub3QgYSB2
YWxpZCB6aXAgZmlsZVxuIiwKLS0gCjIuNDguMQoK

--------------rSCZlHfUSnbt1fcrACjJ8u2k--


------------=_1748585462-14557-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by debbugs.gnu.org; 30 May 2025 03:58:22 +0000
Received: from localhost ([127.0.0.1]:42762 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1uKqsv-0005RU-AI
	for submit@debbugs.gnu.org; Thu, 29 May 2025 23:58:22 -0400
Received: from lists.gnu.org ([2001:470:142::17]:33254)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnZA-0005GM-17
 for submit@debbugs.gnu.org; Thu, 29 May 2025 20:25:44 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnYx-0008Hi-Jq
 for bug-gzip@gnu.org; Thu, 29 May 2025 20:25:33 -0400
Received: from mail-pf1-x42b.google.com ([2607:f8b0:4864:20::42b])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKnYv-0003dz-Ra
 for bug-gzip@gnu.org; Thu, 29 May 2025 20:25:31 -0400
Received: by mail-pf1-x42b.google.com with SMTP id
 d2e1a72fcca58-7425bd5a83aso1216308b3a.0
 for <bug-gzip@gnu.org>; Thu, 29 May 2025 17:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1748564726; x=1749169526; darn=gnu.org;
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
 :date:message-id:reply-to;
 bh=+VQM9mAXyLZX0sfH3EMpSe/yMggEGmbyONK0wsnDIv0=;
 b=I/HqdFZreR8aRNXJySOw0jhsWP70kfhbFpW+9v/EQ+S0In3F1guxTnT8yc3iGe6GI/
 dS1JilhdW6vj2vcvkpPnpZtgcjkByKxt0TgDGFFkyU6dQ9favejCVDjX+uWpX1/Pbr9D
 oIm2qi0lsNtt0uy58nU9eTGOWlIDvypGhD7IOonbFnU1O0lQo89rlrmtVN44Rb9Z444C
 VQ6trQcE3rqzNReNR7mK705UUQ+nZgi+PdZsKSf7fyuy5rlcj4PUw9G1+H+faML6FTCo
 XBqTDlfb/GAF3u5yDgYnuMm8k4IRMIPFMYYe8vV7jxEmZhvOEt6iq25E5vXFwZ3IgaKN
 Yosw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1748564726; x=1749169526;
 h=to:subject:message-id:date:from:mime-version:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=+VQM9mAXyLZX0sfH3EMpSe/yMggEGmbyONK0wsnDIv0=;
 b=rAxy/CaQViEJ0ZW0PFRvmHon9/6Q1ApYuHJ261eTJ3DJY13hHxLgNJAr5oqFvV1NOV
 4FciOSTRttb6fLrsGjun59fJZpuP6YbpizNDVoNJZTdTTERJ/8GxphNG8UqlV5ppMuz+
 314xRRlCQrkv0RskFs1MubG1CDA6mdJ5VniWBYQRYQhYShzkEieKPVPkU0hlrOhyZKjR
 O2CkdvDNUX/vir9JFj8tw/buhpqL/FVmYeSM0+3Pm+uZMLPBycgaOtwC1le6Uia+zMbS
 cCoWNxDaNcABSfEDfhvboZ8uDdmAhZbjgVBdAzx0jWAnaWYiA6zfPJFywkISf54eNkLu
 RQYg==
X-Gm-Message-State: AOJu0YzZ2HsCSn5aYjUVQwI7zcRsZEmCPRpLGjJbtptRRYAG8oqSP1dx
 FR3vTPB/IlsjBpD+OLJOW1fthEozKe1X1mxORL3pvc6Ktj7hsfoP/KheU1xi4JscscltxzoGW9L
 evXlKfHjC65eoKUXXQN54kbqFjfwfrat2vhbA+1s=
X-Gm-Gg: ASbGnctAdmUkmCAjJY5O04VBKw41WpWiRu229UTzV6fTueKyehIxDFxbjfWToz2beXQ
 gftwQKaNR/iFqcBuopESAQjFk2itetuNa31Y+2qRLVsjKfiYSu1bVUqgSjhJ38qkt9kKTlASkXi
 jjn/8KdraP+PchkzzcnFQGRVs75DYGh3Ow4ntS7JExwXYuxSi/WhFqGkY=
X-Google-Smtp-Source: AGHT+IF3uGXKC5+2Lms9Wv1KntiNtVf0JZx4oaaS/k4a5g3kpSnCWSSv6ovhkMxLVAq3m93PMfASU5mRBTj1xdERvVM=
X-Received: by 2002:a05:6a00:22cb:b0:742:3cc1:9485 with SMTP id
 d2e1a72fcca58-747bd98230bmr1988206b3a.12.1748564726334; Thu, 29 May 2025
 17:25:26 -0700 (PDT)
MIME-Version: 1.0
From: Zephyr official <zephyrofficialdiscord@gmail.com>
Date: Fri, 30 May 2025 01:25:14 +0100
X-Gm-Features: AX0GCFtaWC7SGIYavhSp1GP3Z7-zemklKm_TCE2taoH2gLagrNUqYswN0v4QygI
Message-ID: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
Subject: Uninitialised read in check_zipfile() (gzip 1.14)
To: bug-gzip@gnu.org
Content-Type: multipart/alternative; boundary="00000000000061493c06364f73a3"
Received-SPF: pass client-ip=2607:f8b0:4864:20::42b;
 envelope-from=zephyrofficialdiscord@gmail.com; helo=mail-pf1-x42b.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Thu, 29 May 2025 23:58:20 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

--00000000000061493c06364f73a3
Content-Type: text/plain; charset="UTF-8"

Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);

Best regards,
Mohamed Maatallah

--00000000000061493c06364f73a3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi gzip maintainers,<br><br>An out-of-bounds / uninitialis=
ed read occurs in unzip.c:check_zipfile()<br>when the PKZIP local header is=
 shorter than 30 bytes (CWE-457, CWE-125).<br><br>Reproduction (on 1.14, Li=
nux x86-64, gcc 13.3):<br><br>=C2=A0 =C2=A0 printf &#39;%s&#39; \<br>=C2=A0=
 =C2=A0 =C2=A0 504B0304 1400 0000 0000 0000 0000 00000000 \<br>=C2=A0 =C2=
=A0 =C2=A0 01000000 01000000 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 | xxd -r -p=
 &gt; poc.zip<br><br>=C2=A0 =C2=A0 valgrind --track-origins=3Dyes ./gzip -t=
v poc.zip<br>=C2=A0 =C2=A0 # conditional jump depends on uninitialised valu=
e(s) in check_zipfile()<br><br>Minimal fix:<br><br>--- a/unzip.c<br>+++ b/u=
nzip.c<br>@@<br>=C2=A0 =C2=A0 =C2=A0uch *h =3D inbuf + inptr;<br>+ =C2=A0 =
=C2=A0if (insize - inptr &lt; LOCHDR) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0/* =
need full header */<br>+ =C2=A0 =C2=A0 =C2=A0 =C2=A0goto bad_zip;<br>=C2=A0=
 =C2=A0 =C2=A0inptr +=3D LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);<br><br>B=
est regards,<br>Mohamed Maatallah<br></div>

--00000000000061493c06364f73a3--



------------=_1748585462-14557-1--


From unknown Sun Aug 10 00:25:42 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
References: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
In-Reply-To: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
Resent-From: Zephyr official <zephyrofficialdiscord@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gzip@gnu.org
Resent-Date: Fri, 30 May 2025 13:17:03 +0000
Resent-Message-ID: <handler.78639.B78639.174861098314671@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 78639
X-GNU-PR-Package: gzip
X-GNU-PR-Keywords: 
To: 78639@debbugs.gnu.org
Received: via spool by 78639-submit@debbugs.gnu.org id=B78639.174861098314671
          (code B ref 78639); Fri, 30 May 2025 13:17:03 +0000
Received: (at 78639) by debbugs.gnu.org; 30 May 2025 13:16:23 +0000
Received: from localhost ([127.0.0.1]:47583 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1uKzax-0003oY-3U
	for submit@debbugs.gnu.org; Fri, 30 May 2025 09:16:23 -0400
Received: from mail-pf1-x432.google.com ([2607:f8b0:4864:20::432]:52693)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.84_2) (envelope-from <zephyrofficialdiscord@gmail.com>)
 id 1uKzav-0003o8-1q
 for 78639@debbugs.gnu.org; Fri, 30 May 2025 09:16:21 -0400
Received: by mail-pf1-x432.google.com with SMTP id
 d2e1a72fcca58-742b0840d98so1368623b3a.1
 for <78639@debbugs.gnu.org>; Fri, 30 May 2025 06:16:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1748610974; x=1749215774; darn=debbugs.gnu.org;
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
 :date:message-id:reply-to;
 bh=+sgr4I33v0Fx3e9bCj63V8TSOHQivhL3vVV+5elDXkw=;
 b=GfyryRLSakHvOPELFcpDLYeZWXbqtLfRECC9MJ+GB9CCF7kEP67HeZqHUJMGxghaaH
 PmsHDf28V+gscjAswt3lp0ilc9muhWdSiIfGqWV82HgfxtFKfGdykHOW08XHiEIGrg8k
 lxGslngdLtNRARMvCC7BwV2OnINazgC4PVOZuMfAx/XgJ3taVoApqrIZyNZz2il2zwH/
 8l7w6IyenzCvx1U+ronQYTj2oT5raf/v3Vt+ywBvJ3aHkGYVxXGu/JaM1ACeIh3tiDOn
 grO9aJ8XFGskjNx1pidaJSnIXdadyJ9D5d+b/EHIvxNri6dKCTMnacckpNwhJtXspYII
 h2BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1748610974; x=1749215774;
 h=to:subject:message-id:date:from:mime-version:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=+sgr4I33v0Fx3e9bCj63V8TSOHQivhL3vVV+5elDXkw=;
 b=FFHuSFNZFgiiV0LZyB88YCYYHENivYeI4AjQcIXC82tDi1YcICPDkyjWrbSIsT2G2T
 l2jbxjSRCDTT7kXQYjQKjFyf8fg8LMDC3r7cqsz0JOugyuOXy4Bosm3g9rNaSyH7oMnM
 Yw72dSV/gTWjxUpkmZ3Ul8h0aMeeOWQNSeXGM8g+aX+CPeWWvT1jd+qRT2kyIpC7pAf4
 Vu6obVK1sDhuTUnLIwf6IHn9kpMoC2NMGzVdNhdWQrV/UxByzQC2eMMenc4v6wUAMtsf
 spzB545gDUEWU4KQzq+XCIVnE20a+4AJcImbSmNozI6Yk/faxceq4wqaJQuD7ffmwEBR
 YdDg==
X-Gm-Message-State: AOJu0YzoSie2Wanp5GdEG9mcrE8V+omML9K+WaA3tvBnpbhk1bo2cfzG
 xeghgkpIdXsjHVhApxHr0o+GU3vDjdG8S3VRAgoWVDCYfYjEu09YPJK3yuWm0If10gIK2Bpwjs/
 KVx73OpCKgASunha5F0tvKv7ZjzOx2WXB2KDK/OI=
X-Gm-Gg: ASbGncv02+z12hPracSq0R6N0GEDp43H5x1NFW+ipNxj2JwccCi5QrZkajjoOiCfpM1
 uzUAJ9p8mzPtWJuu2n0t+RGHbcXXS0Gh40mkHaGW5Yl/mN8YzKTdytthfY+pgGNRmYzEEcCEpDV
 FP49iJencQoF+pI3zlf1A0btKZkH+U/R65oJiphLTs9WwC
X-Google-Smtp-Source: AGHT+IHPPEHlYTqNApOCVlZp/uzvgdY0qQ0wXPPomc54Z8e6h3cNA74WSwNvShKXex5OhsdneBzZwmP2CWNqVywf0Xo=
X-Received: by 2002:aa7:88c2:0:b0:746:2ad2:f38d with SMTP id
 d2e1a72fcca58-747c1bf2fc1mr2860879b3a.13.1748610974109; Fri, 30 May 2025
 06:16:14 -0700 (PDT)
MIME-Version: 1.0
From: Zephyr official <zephyrofficialdiscord@gmail.com>
Date: Fri, 30 May 2025 14:16:03 +0100
X-Gm-Features: AX0GCFsDhPMntpdLe4doFEdBcGDh98LxSLWRwsPtc8l4-kSJsWOMRc5_Y6icbeg
Message-ID: <CALS-=6OXeJyqBEFe-iCFTfDaX4+HAY8Dfmi25mNUWsJNR2bS=g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f6523606365a3747"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--000000000000f6523606365a3747
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Paul,

Thanks for the patch and for looking into this.

I've been digging a bit further into the interaction. Your patch `c5e7899`
tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within
`check_zipfile()`, but there appears to be an uninitialized read of
inbuf[3] during the initial PKZIP magic number check in
`gzip.c:get_method()` also.

This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap)
and `insize` is precisely 3 due to a short input like PK\x03. The
memcmp((char*)inbuf, PKZIP_MAGIC, 4) in `get_method()  will access inbuf[3]
before check_zipfile() is even invoked for that path.

This can be demonstrated with:

printf "\x50\x4B\x03" > trigger.dat
# Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
valgrind --track-origins=3Dyes ./gzip -tv trigger.dat

Best regards,
Mohamed Maatallah

On Fri, May 30, 2025 at 7:10=E2=80=AFAM Paul Eggert <eggert@cs.ucla.edu> wr=
ote:

> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.

--000000000000f6523606365a3747
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br>Hi Paul,<br><br>Thanks for the patch =
and for looking into this.<br><br>I&#39;ve been digging a bit further into =
the interaction. Your patch `c5e7899` tightens the bounds for `SH(h + LOCFI=
L)` and `SH(h + LOCEXT)` within `check_zipfile()`, but there appears to be =
an uninitialized read of inbuf[3] during the initial PKZIP magic number che=
ck in `gzip.c:get_method()` also.<br><br>This occurs when `DYN_ALLOC` is ac=
tive (making `inbuf` uninitialized heap) and `insize` is precisely 3 due to=
 a short input like PK\x03. The memcmp((char*)inbuf, PKZIP_MAGIC, 4) in `ge=
t_method()=C2=A0 will access inbuf[3] before check_zipfile() is even invoke=
d for that path.<br><br>This can be demonstrated with:<br><br>printf &quot;=
\x50\x4B\x03&quot; &gt; trigger.dat<br># Assuming gzip compiled with DYN_AL=
LOC and your patch c5e7899<br>valgrind --track-origins=3Dyes ./gzip -tv tri=
gger.dat<br><br>Best regards,<br>Mohamed Maatallah</div><br><div class=3D"g=
mail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, May 30, 2025 at 7=
:10=E2=80=AFAM Paul Eggert &lt;<a href=3D"mailto:eggert@cs.ucla.edu" target=
=3D"_blank">eggert@cs.ucla.edu</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">Thanks for the bug report and proposed fix. I=
 installed the attached, <br>
which should fix the gzip bug in a different way.<br>
<br>
I think the bug is innocuous in practice, but it&#39;s good to fix it anywa=
y <br>
as these things tend to mushroom.</blockquote></div></div>

--000000000000f6523606365a3747--




From unknown Sun Aug 10 00:25:42 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Resent-From: Paul Eggert <eggert@cs.ucla.edu>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gzip@gnu.org
Resent-Date: Fri, 30 May 2025 19:29:02 +0000
Resent-Message-ID: <handler.78639.B78639.174863330223749@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 78639
X-GNU-PR-Package: gzip
X-GNU-PR-Keywords: 
To: Zephyr official <zephyrofficialdiscord@gmail.com>
Cc: 78639@debbugs.gnu.org
Received: via spool by 78639-submit@debbugs.gnu.org id=B78639.174863330223749
          (code B ref 78639); Fri, 30 May 2025 19:29:02 +0000
Received: (at 78639) by debbugs.gnu.org; 30 May 2025 19:28:22 +0000
Received: from localhost ([127.0.0.1]:50864 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1uL5Ov-0006Ax-Gj
	for submit@debbugs.gnu.org; Fri, 30 May 2025 15:28:21 -0400
Received: from mail.cs.ucla.edu ([131.179.128.66]:34078)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eggert@cs.ucla.edu>)
 id 1uL5Ot-0006AU-3c
 for 78639@debbugs.gnu.org; Fri, 30 May 2025 15:28:20 -0400
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id A324C3C0149D7;
 Fri, 30 May 2025 12:28:12 -0700 (PDT)
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10032) with ESMTP
 id Y7KFBhw_tuBw; Fri, 30 May 2025 12:28:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id 7BA8C3C0149E2;
 Fri, 30 May 2025 12:28:12 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cs.ucla.edu 7BA8C3C0149E2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.ucla.edu;
 s=9D0B346E-2AEB-11ED-9476-E14B719DCE6C; t=1748633292;
 bh=/jO8u5rgKMR+G3YlUjCABJIM/TYMDiDRHtrvcxZ5+tg=;
 h=Message-ID:Date:MIME-Version:To:From;
 b=TUoW4npgahs0Vm4/4TMiK5S0D84XaNBP4pUF3cOm6xSkxMPnZ3xI5bLEPhjA5oEOQ
 aleAF86PwMtsSl+tpyJ3nmghuiVgmD2mz/Q9dMdjed4r9nBjHc6AAiwTSojLx/q2R3
 NesPti+yPfgRtO81yvn6eSfC35arKFuHyIYwBEg6J2mg7AVAXSxM8fbTXBHc+FKsYW
 hfJa0gF+MbMERf69Y2J7h1b/A2oRzi7OxbmtCGsCzQoCjmjo7FjnxeR40HY9mMlDIs
 cRUKjRMXHuXIAk+E3/OvbQ5YUJjn5/6FN52Bf4wcW+htQI1zZxCSVwnD8qJsncZQlV
 xerN1yajN0SBQ==
X-Virus-Scanned: amavis at mail.cs.ucla.edu
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10026) with ESMTP
 id FBxCI6g0S2Ot; Fri, 30 May 2025 12:28:12 -0700 (PDT)
Received: from penguin.cs.ucla.edu
 (47-143-215-226.fdr01.snmn.ca.ip.frontiernet.net [47.143.215.226])
 by mail.cs.ucla.edu (Postfix) with ESMTPSA id 5DB2A3C0149D7;
 Fri, 30 May 2025 12:28:12 -0700 (PDT)
Content-Type: multipart/mixed; boundary="------------hRLL0O1YynxC6bzmKTbTTFFV"
Message-ID: <a6f31aae-b4cf-4be1-afce-28e3f0f48ba6@cs.ucla.edu>
Date: Fri, 30 May 2025 12:28:12 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
References: <CALS-=6P=vcYV8fa2GsBRcM7Ct=b4fLr6r=AZ66PY0LQHqTrjZQ@mail.gmail.com>
 <CALS-=6OXeJyqBEFe-iCFTfDaX4+HAY8Dfmi25mNUWsJNR2bS=g@mail.gmail.com>
Content-Language: en-US
From: Paul Eggert <eggert@cs.ucla.edu>
Organization: UCLA Computer Science Department
In-Reply-To: <CALS-=6OXeJyqBEFe-iCFTfDaX4+HAY8Dfmi25mNUWsJNR2bS=g@mail.gmail.com>
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is a multi-part message in MIME format.
--------------hRLL0O1YynxC6bzmKTbTTFFV
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Thanks, I installed the attached additional patch.
--------------hRLL0O1YynxC6bzmKTbTTFFV
Content-Type: text/x-patch; charset=UTF-8;
 name="0001-gzip-fix-another-uninitialized-read.patch"
Content-Disposition: attachment;
 filename="0001-gzip-fix-another-uninitialized-read.patch"
Content-Transfer-Encoding: base64

RnJvbSBiMWRlMGU3ODJhMjkxYzQ2ZTI2Nzc3MDA1ODkzZWVjYTE0MmUwNDkwIE1vbiBTZXAg
MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBQYXVsIEVnZ2VydCA8ZWdnZXJ0QGNzLnVjbGEuZWR1
PgpEYXRlOiBGcmksIDMwIE1heSAyMDI1IDEyOjIzOjQyIC0wNzAwClN1YmplY3Q6IFtQQVRD
SF0gZ3ppcDogZml4IGFub3RoZXIgdW5pbml0aWFsaXplZCByZWFkCk1JTUUtVmVyc2lvbjog
MS4wCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNldD1VVEYtOApDb250ZW50LVRy
YW5zZmVyLUVuY29kaW5nOiA4Yml0CgpUaGlzIGNhbiBvY2N1ciBpZiB5b3UgZGVmaW5lIERZ
TkFMTE9DLgpQcm9ibGVtIHJlcG9ydGVkIGJ5IE1vaGFtZWQgTWFhdGFsbGFoIDxodHRwczov
L2J1Z3MuZ251Lm9yZy83ODYzOSMxMz4uCiogZ3ppcC5jIChnZXRfbWV0aG9kKTogRG9u4oCZ
dCBtZW1jbXAgbW9yZSBieXRlcyB0aGFuIHdlcmUgcmVhZC4KQWxzbywgbm8gbmVlZCB0byBk
byB0d28gbWVtY21w4oCZcyBub3csIG9yIHRvIGNoZWNrIGlucHRyLgotLS0KIGd6aXAuYyB8
IDIgKy0KIDEgZmlsZSBjaGFuZ2VkLCAxIGluc2VydGlvbigrKSwgMSBkZWxldGlvbigtKQoK
ZGlmZiAtLWdpdCBhL2d6aXAuYyBiL2d6aXAuYwppbmRleCA5MTNmYWZlLi4wMjMxZmZhIDEw
MDY0NAotLS0gYS9nemlwLmMKKysrIGIvZ3ppcC5jCkBAIC0xNjA5LDcgKzE2MDksNyBAQCBn
ZXRfbWV0aG9kIChpbnQgaW4pCiAgICAgICAgICAgICBoZWFkZXJfYnl0ZXMgPSBpbnB0ciAr
IDIqNDsgLyogaW5jbHVkZSBjcmMgYW5kIHNpemUgKi8KICAgICAgICAgfQogCi0gICAgfSBl
bHNlIGlmIChtZW1jbXAobWFnaWMsIFBLWklQX01BR0lDLCAyKSA9PSAwICYmIGlucHRyID09
IDIKKyAgICB9IGVsc2UgaWYgKDQgPD0gaW5zaXplCiAgICAgICAgICAgICAmJiBtZW1jbXAo
KGNoYXIqKWluYnVmLCBQS1pJUF9NQUdJQywgNCkgPT0gMCkgewogICAgICAgICAvKiBUbyBz
aW1wbGlmeSB0aGUgY29kZSwgd2Ugc3VwcG9ydCBhIHppcCBmaWxlIHdoZW4gYWxvbmUgb25s
eS4KICAgICAgICAgICogV2UgYXJlIHRodXMgZ3VhcmFudGVlZCB0aGF0IHRoZSBlbnRpcmUg
bG9jYWwgaGVhZGVyIGZpdHMgaW4gaW5idWYuCi0tIAoyLjQ4LjEKCg==

--------------hRLL0O1YynxC6bzmKTbTTFFV--