[Buildroot] [PATCH 1/2] package/zziplib: fix CVE-2018-16548
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Tue Mar 3 21:54:40 UTC 2020
On Tue, 3 Mar 2020 21:16:21 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> An issue was discovered in ZZIPlib through 0.13.69. There is a memory
> leak triggered in the function __zzip_parse_root_directory in zip.c,
> which will lead to a denial of service attack.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> ...eak-from-__zzip_parse_root_directory.patch | 74 +++++++++++++++++++
> ...k-from-__zzip_parse_root_directory-2.patch | 53 +++++++++++++
> ...3-One-more-free-to-avoid-memory-leak.patch | 25 +++++++
> package/zziplib/zziplib.mk | 5 ++
> 4 files changed, 157 insertions(+)
> create mode 100644 package/zziplib/0001-Avoid-memory-leak-from-__zzip_parse_root_directory.patch
> create mode 100644 package/zziplib/0002-Avoid-memory-leak-from-__zzip_parse_root_directory-2.patch
> create mode 100644 package/zziplib/0003-One-more-free-to-avoid-memory-leak.patch
Both applied to master. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com