| Commit message (Collapse) | Author | Age | Files | Lines | ||
|---|---|---|---|---|---|---|
| ... | ||||||
| * | Neutralize zip file traversal attacks in miniunz. | Matt Wilson | 2024-01-17 | 1 | -0/+14 | |
| | | | | | | | | | | | | | | | | | | | | | | | | | Archive formats such as .zip files are generally susceptible to so-called "traversal attacks". This allows an attacker to craft an archive that writes to unexpected locations of the file system (e.g., /etc/shadow) if an unspecting root user were to unpack a malicious archive. This patch neutralizes absolute paths such as /tmp/moo and deeply relative paths such as dummy/../../../../../../../../../../tmp/moo The Debian project requested CVE-2014-9485 be allocated for the first identified weakness. The fix was incomplete, resulting in a revised patch applied here. Since there wasn't an updated version released by Debian with the incomplete fix, I suggest we use this CVE to identify both issues. Link: https://security.snyk.io/research/zip-slip-vulnerability Link: https://bugs.debian.org/774321 Link: https://bugs.debian.org/776831 Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485 Reported-by: Jakub Wilk <jwilk@debian.org> Fixed-by: Michael Gilbert <mgilbert@debian.org> | |||||
| * | Fix random typos over several source and text files. | THE-Spellchecker | 2024-01-17 | 3 | -5/+5 | |
| | | ||||||
| * | Correct case of MSDOS in contrib/minizip/miniunz.c. | William Leara | 2024-01-17 | 1 | -1/+1 | |
| | | ||||||
| * | Refer to correct function in contrib/minizip/unzip.c comment. | William Leara | 2024-01-17 | 1 | -1/+1 | |
| | | ||||||
| * | Correct repeated words in source file comments and a readme. | Paul Ivanov | 2023-11-14 | 3 | -5/+5 | |
| | | ||||||
| * | Fix decision on the emission of Zip64 end records in minizip. | Mark Adler | 2023-11-07 | 1 | -1/+1 | |
| | | | | | | | | | | | The appnote says that if the number of entries in the end record is 0xffff, then the actual number of entries will be found in the Zip64 end record. Therefore if the number of entries is equal to 0xffff, it can't be in the end record by itself, since that is an instruction to get the number from the Zip64 end record. This code would just store 0xffff in the end record in that case, not making a Zip64 end record. This commit fixes that. | |||||
| * | Update miniunz version. | tbeu | 2023-08-20 | 1 | -1/+1 | |
| | | ||||||
| * | Reject overflows of zip header fields in minizip. | Hans Wennborg | 2023-08-19 | 1 | -0/+11 | |
| | | | | | | | | | This checks the lengths of the file name, extra field, and comment that would be put in the zip headers, and rejects them if they are too long. They are each limited to 65535 bytes in length by the zip format. This also avoids possible buffer overflows if the provided fields are too long. | |||||
| * | Change version number on develop branch to 1.3.0.1. | Mark Adler | 2023-08-18 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.3v1.3 | Mark Adler | 2023-08-18 | 1 | -1/+1 | |
| | | ||||||
| * | Avoid uninitialized and unused warnings in contrib/minizip. | Mark Adler | 2023-08-17 | 2 | -2/+8 | |
| | | ||||||
| * | Remove redundant includes in minizip. | Mark Adler | 2023-08-13 | 2 | -4/+0 | |
| | | ||||||
| * | Remove TRYFREE macro from minizip. | Mark Adler | 2023-08-13 | 2 | -25/+19 | |
| | | ||||||
| * | Read multiple bytes instead of byte-by-byte in minizip unzip.c. | Eugene Golushkov | 2023-08-03 | 1 | -96/+38 | |
| | | | | | | Use a single ZREAD64 call in the unz64local_getShort/Long/Long64 implementation, rather than read it byte by byte. | |||||
| * | Support Haiku in minizip. | Gilles Vollant | 2023-08-03 | 4 | -4/+4 | |
| | | ||||||
| * | Correct dummy filetime() prototype in minizip.c. | Xiang Xiao | 2023-08-03 | 1 | -1/+1 | |
| | | | | | Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> | |||||
| * | Match sign of printf directive to sign of argument in minizip. | Mark Adler | 2023-07-29 | 1 | -1/+1 | |
| | | ||||||
| * | Fix logic error in minizip argument processing. | Mark Adler | 2023-07-29 | 1 | -1/+1 | |
| | | ||||||
| * | Fix typos found by codespell in minizip | Dimitri Papadopoulos | 2023-07-29 | 8 | -36/+36 | |
| | | ||||||
| * | Fix reading disk number start on zip64 files in minizip. | Mark Adler | 2023-07-29 | 1 | -4/+2 | |
| | | ||||||
| * | Remove duplicated code #806 | Gilles Vollant | 2023-07-29 | 1 | -1/+0 | |
| | | ||||||
| * | minizip: Fix being unable to open empty zip file | RedworkDE | 2023-07-29 | 1 | -22/+26 | |
| | | ||||||
| * | Fix cast in minizip's ioapi.c for Windows. | Mark Adler | 2023-04-17 | 1 | -1/+1 | |
| | | ||||||
| * | Remove K&R function definitions from contrib/minizip. | Mark Adler | 2023-04-15 | 12 | -759/+514 | |
| | | ||||||
| * | Change version number on develop branch to 1.2.13.1. | Mark Adler | 2022-10-15 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.2.13v1.2.13 | Mark Adler | 2022-10-12 | 1 | -1/+1 | |
| | | ||||||
| * | Find other BSD's without *64 functions in contrib/minizip/ioapi.h. | Mark Adler | 2022-10-10 | 1 | -1/+1 | |
| | | ||||||
| * | Avoid C89 warning in contrib/minizip/crypt.h. | Mark Adler | 2022-10-10 | 1 | -1/+1 | |
| | | ||||||
| * | Comment out unused code in contrib/minizip/minizip.c. | Mark Adler | 2022-10-09 | 1 | -2/+2 | |
| | | ||||||
| * | Remove some harmless semicolons in minizip. | Mark Adler | 2022-10-06 | 2 | -2/+2 | |
| | | ||||||
| * | Security and warning fixes for minizip. [gvollant] | Mark Adler | 2022-10-06 | 2 | -7/+4 | |
| | | | | | Remove unused code and unnecessary test for free(). | |||||
| * | Fix incorrect cast in minizip's ioapi.c. | Mark Adler | 2022-10-06 | 1 | -1/+1 | |
| | | ||||||
| * | Fix c89 compatibility in minizip's ioapi.c. [gvollant] | Mark Adler | 2022-10-06 | 1 | -10/+10 | |
| | | ||||||
| * | Fix compile with Windows 10 SDK. (gvollant) | Mark Adler | 2022-03-28 | 1 | -0/+5 | |
| | | ||||||
| * | Change version number on develop branch to 1.2.12.1. | Mark Adler | 2022-03-27 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.2.12v1.2.12 | Mark Adler | 2022-03-27 | 1 | -1/+1 | |
| | | ||||||
| * | Clean up minizip to reduce warnings for testing. | Mark Adler | 2022-01-01 | 9 | -87/+96 | |
| | | | | | Also fix Makefile test target and permit added compile options. | |||||
| * | Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner) | Mark Adler | 2022-01-01 | 1 | -0/+3 | |
| | | | | | | | | | | | | | The issue is that unztell64() does not return the correct value if the position in the current file (in the ZIP archive) is beyond 4 GB. The cause is that unzReadCurrentFile() does not account for pfile_in_zip_read_info->stream.total_out at line 1854 of unzip.c wrapping around (it is a 32-bit variable). So, on line 1860 uTotalOutAfter can be *less* than uTotalOutBefore, propagating the wraparound to uOutThis, which in turn is added to pfile_in_zip_read_info->total_out_64. That has the effect of subtracting 4 GB. | |||||
| * | minizip warning fix if MAXU32 already defined. (gvollant) | Mark Adler | 2021-12-31 | 1 | -3/+5 | |
| | | ||||||
| * | Fix indentation in minizip's zip.c. | Mark Adler | 2021-07-08 | 1 | -2/+2 | |
| | | ||||||
| * | Improve portability of contrib/minizip. | Mark Adler | 2021-02-10 | 4 | -10/+21 | |
| | | ||||||
| * | Change version number to 1.2.11.1. | Mark Adler | 2017-01-15 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.2.11v1.2.11 | Mark Adler | 2017-01-15 | 1 | -1/+1 | |
| | | ||||||
| * | Change version number to 1.2.10.1. | Mark Adler | 2017-01-15 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.2.10v1.2.10 | Mark Adler | 2017-01-02 | 1 | -1/+1 | |
| | | ||||||
| * | Change version number to zlib 1.2.9.1. | Mark Adler | 2017-01-01 | 1 | -1/+1 | |
| | | ||||||
| * | zlib 1.2.9v1.2.9 | Mark Adler | 2016-12-31 | 1 | -1/+1 | |
| | | ||||||
| * | Fix some typos. | Mark Adler | 2016-10-30 | 2 | -12/+12 | |
| | | ||||||
| * | Fix contrib/minizip to permit unzipping with desktop API [Zouzou]. | Mark Adler | 2013-08-03 | 1 | -3/+4 | |
| | | ||||||
| * | Change version number to 1.2.8.1. | Mark Adler | 2013-05-02 | 1 | -1/+1 | |
| | | ||||||
 |
index : zlib | |
| A mirror of https://github.com/madler/zlib.git |
| aboutsummaryrefslogtreecommitdiff |