https://svn.filezilla-project.org/filezilla?view=revision&revision=3966
https://svn.filezilla-project.org/filezilla?view=revision&revision=3977
https://svn.filezilla-project.org/filezilla?view=revision&revision=4049
https://svn.filezilla-project.org/filezilla?view=revision&revision=6013
https://svn.filezilla-project.org/filezilla?view=revision&revision=6648
https://sourceforge.net/p/tinyxml/patches/51/
https://sourceforge.net/p/tinyxml/patches/58/
Several major vulnerabilities have been fixed upstream since the nearly twenty-year-old 1.0.3 release:
CAN-2005-0953
CAN-2005-0758
CERT-FI 20469
CVE-2010-0405
CVE-2010-0405
CVE-2016-3189
CVE-2019-12900
bzip2-1.0.8 also fixes large file support under Windows.
Plus replace sprintf in bzip2recover https://sourceware.org/bugzilla/attachment.cgi?id=14412
Including 64k, >2GiB, and patches for: CVE-2011-0421 CVE-2012-1162 CVE-2012-1163 CVE-2015-2331 As well as a fix from PHP and RedHat. This probably broke something. A small initial price to pay for ZIP support being dragged into the 21st C :)
This reverts commit 77829cb.
Via Debian, Gentoo, upstream, and GitLab bzip2.
https://sources.debian.org/patches/bzip2/1.0.8-6/20-legacy.patch/
https://sources.debian.org/patches/bzip2/1.0.8-6/40-bzdiff-l.patch/
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-arch/bzip2/files/bzip2-1.0.8-mingw.patch
https://gitlab.com/bzip2/bzip2/-/commit/65179284ceddc43e6388bf4ed8c2d85cf16e1b2f
https://sourceware.org/git/?p=bzip2.git;a=commit;h=8ca1faa31f396d94ab927b257f3a05236c84e330
Since the bundled 1.2.3 was released, the following major vulnerabilities have been fixed:
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
CVE-2018-25032
CVE-2022-37434
CVE-2023-45853
Also includes select patches from SUSE.
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/0001-Do-not-try-to-store-negative-values-in-unsigned-int.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/minizip-dont-install-crypt-header.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-1.2.11-covscan-issues-rhel9.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-1.2.11-covscan-issues.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-format.patch
Plus some C++ headers in TinyXML for the road.
Includes backported patches for
CVE-2011-0421 (nih-at/libzip@88efa42)
CVE-2015-2331 (php/php-src@ef8fc4b)
Other CVEs were introduced well after the bundled libzip's release.
This reverts commit 41d8538.
CVE-2011-0421 (nih-at/libzip@88efa42)
CVE-2015-2331 (php/php-src@ef8fc4b)
Fix MSVC build
strcasecmp has a Watcom-native implementation and is portable sans Windows. This replaces a prior stricmp call, which is deprecated in the Watcom C library.
Member
Sorry, such a "mega" change is not accepted, nobody will be checking this.
ddanila added a commit to ddanila/open-watcom-v2 that referenced this pull request Apr 16, 2026
Reference: open-watcom#1369
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
ddanila added a commit to ddanila/open-watcom-v2 that referenced this pull request Apr 16, 2026
…-2015-2331

Backport fixes for multiple security vulnerabilities to bundled libzip 0.6.1. A full library upgrade is not feasible due to breaking API changes in libzip 0.11+.

Fixes:
- CVE-2012-1162: heap buffer overflow in _zip_readcdir when nentry is 0 but central directory data is present. Initialize directory entries before reading to prevent use of uninitialized memory.
- CVE-2012-1163: integer overflow in central directory size calculation. Validate cd->size + cd->comment_len + EOCDLEN does not wrap. Add overflow guards before size*nentry allocations.
- CVE-2015-2331: integer overflow in _zip_cdir_new when computing allocation size for large nentry values on 32-bit systems.
- Fix memory leaks on error paths in _zip_dirent_read where partial allocations (filename, extrafield, comment) were not freed on subsequent allocation failures (related to CVE-2017-12858).
- Replace deprecated stricmp with portable strcasecmp in zip_name_locate.

Note: CVE-2011-0421 was already patched in the bundled copy. CVE-2017-14107 does not apply (no ZIP64 support in 0.6.1). CVE-2017-12858 and CVE-2019-17582 manifest differently in 0.6.1 (memory leak, not double-free/use-after-free) and are addressed by the error-path cleanup above.

Reference: open-watcom#1369
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
ddanila added a commit to ddanila/open-watcom-v2 that referenced this pull request Apr 17, 2026
jmalak pushed a commit that referenced this pull request Apr 17, 2026
…-2015-2331 (#1616)

* libzip: backport security fixes for CVE-2012-1162, CVE-2012-1163, CVE-2015-2331

Backport fixes for multiple security vulnerabilities to bundled libzip 0.6.1. A full library upgrade is not feasible due to breaking API changes in libzip 0.11+.

Fixes:
- CVE-2012-1162: heap buffer overflow in _zip_readcdir when nentry is 0 but central directory data is present. Initialize directory entries before reading to prevent use of uninitialized memory.
- CVE-2012-1163: integer overflow in central directory size calculation. Validate cd->size + cd->comment_len + EOCDLEN does not wrap. Add overflow guards before size*nentry allocations.
- CVE-2015-2331: integer overflow in _zip_cdir_new when computing allocation size for large nentry values on 32-bit systems.
- Fix memory leaks on error paths in _zip_dirent_read where partial allocations (filename, extrafield, comment) were not freed on subsequent allocation failures (related to CVE-2017-12858).
- Replace deprecated stricmp with portable strcasecmp in zip_name_locate.

Note: CVE-2011-0421 was already patched in the bundled copy. CVE-2017-14107 does not apply (no ZIP64 support in 0.6.1). CVE-2017-12858 and CVE-2019-17582 manifest differently in 0.6.1 (memory leak, not double-free/use-after-free) and are addressed by the error-path cleanup above.

Reference: #1369
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* Fix build: replace SIZE_MAX with portable (size_t)-1, revert strcasecmp

SIZE_MAX from <stddef.h> is not available in the Watcom C compiler. Use (size_t)-1 which is equivalent and C89-portable.

Revert stricmp -> strcasecmp change: stricmp is the Watcom-native function, and clibext.h already maps stricmp to strcasecmp on UNIX platforms. Using strcasecmp directly would break the Watcom build.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* libzip: add installer-like extraction test

Add extractall.c regression test that simulates the OW installer workflow: open archive, enumerate all entries, stat and extract each one, verify sizes match.

Three subtests:
- Full extraction of test.zip (3 entries, stored)
- Enumeration and stat of broken.zip (5 entries, mixed methods with intentional CRC/zlib errors)
- Round-trip: create archive, add file from buffer, close, reopen with consistency check, extract and verify data integrity

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* libzip: use INT_MAX for overflow checks, cast nentry to unsigned at allocation

Keep overflow arithmetic in int domain for 16/32/64-bit portability, as requested by maintainer review on PR #1616.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
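
The overflow guards named in the commit message above (the cd->size + cd->comment_len + EOCDLEN sum, the size*nentry product, INT_MAX-domain arithmetic, and (size_t)-1 in place of SIZE_MAX) can be sketched as follows. This is an added example, not code from the pull request or from libzip; `struct entry`, `sum3_fits_int`, `count_fits` and `entries_new` are hypothetical names, and the sample values are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define EOCDLEN 22 /* fixed length of the ZIP end-of-central-directory record */

/* Hypothetical stand-in for a directory entry; not libzip's own struct. */
struct entry { char *filename; char *comment; long offset; };

/* 1 if a + b + c fits in a non-negative int. Each test subtracts from
   INT_MAX instead of adding, so the check itself cannot overflow. */
int sum3_fits_int(int a, int b, int c)
{
    if (a < 0 || b < 0 || c < 0) return 0;
    if (a > INT_MAX - b) return 0;
    return a + b <= INT_MAX - c;
}

/* 1 if nentry * elem_size wraps neither int nor size_t.
   (size_t)-1 is the C89-portable spelling of SIZE_MAX. */
int count_fits(int nentry, size_t elem_size)
{
    if (nentry < 0 || elem_size == 0 || elem_size > (size_t)INT_MAX) return 0;
    if (nentry > INT_MAX / (int)elem_size) return 0;
    return (size_t)nentry <= (size_t)-1 / elem_size;
}

/* Checked, zero-initialised allocation: NULL on overflow or no memory.
   At least one slot is allocated so nentry == 0 still yields a valid,
   initialised pointer rather than an implementation-defined calloc(0). */
struct entry *entries_new(int nentry)
{
    if (!count_fits(nentry, sizeof(struct entry))) return NULL;
    return calloc(nentry ? (size_t)nentry : 1, sizeof(struct entry));
}

int main(void)
{
    /* Constructed values: a header claiming a huge central directory. */
    printf("size ok: %d\n", sum3_fits_int(INT_MAX - 10, 0, EOCDLEN));
    printf("count ok: %d\n", count_fits(INT_MAX, sizeof(struct entry)));
    struct entry *e = entries_new(3);
    printf("alloc: %s\n", e ? "ok" : "refused");
    free(e);
    return 0;
}
```
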
Sybase OW development did this until it stalled out; probably a good idea to take a look here, since those that are from the 2000s are full of nasty vulnerabilities that could affect OW2.