!59 [sync] PR-58: backport 3 commits，and fix changelog，to support build with clang

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0002-backport-disable-zzip_use_file_header_zip64_offset.patch

@@ -0,0 +1,91 @@
+From dd0c880a734ebb04d3a5b788575d5d2b072f31d2 Mon Sep 17 00:00:00 2001
+From: yuncang123 <1050706328@qq.com>
+Date: Thu, 29 Aug 2024 16:08:44 +0800
+Subject: [PATCH] backport disable zzip_use_file_header_zip64_offset
+
+---
+ zzip/fetch.h   |  1 +
+ zzip/mmapped.c | 33 ++++++++++++++++++++++++++-------
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/zzip/fetch.h b/zzip/fetch.h
+index 0e4c94d..89cd9d9 100644
+--- a/zzip/fetch.h
++++ b/zzip/fetch.h
+@@ -308,6 +308,7 @@ extern void     __zzip_set64(zzip_byte_t * s, uint64_t v);
+ #define zzip_disk_trailer_to_endoffile(__p)   ((void*) \
+         (zzip_disk_trailer_to_comment(__p) + zzip_disk_trailer_comment(__p)))
+ 
++#define zzip_use_file_header_zip64_offset 0
+ #define zzip_extra_zip64_csize(__p)   ((zzip_size_t) \
+         zzip_extra_zip64_get_csize(__p))
+ #define zzip_extra_zip64_usize(__p)   ((zzip_size_t) \
+diff --git a/zzip/mmapped.c b/zzip/mmapped.c
+index 2071882..5d9dd98 100644
+--- a/zzip/mmapped.c
++++ b/zzip/mmapped.c
+@@ -276,7 +276,8 @@ struct zzip_file_header *
+ zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
+ {
+     zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry);
+-    if (disk->buffer > ptr || ptr >= disk->endbuf)
++    zzip_byte_t *const end = ptr + sizeof(struct zzip_file_header);
++    if (disk->buffer > ptr || end >= disk->endbuf || (void*)end <= NULL)
+     {
+         debug2("file header: offset out of bounds (0x%llx)", (long long unsigned)(disk->buffer));
+         errno = EBADMSG;
+@@ -661,19 +662,37 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
+ 
+     ___ /* a ZIP64 extended block may follow. */
+     size_t csize = zzip_file_header_csize(header);
+-    off_t offset = zzip_file_header_to_data(header);
++    zzip_byte_t*  start = zzip_file_header_to_data(header);
+     if (csize == 0xFFFFu) {
+         struct zzip_extra_zip64* zip64 =
+-           zzip_file_header_to_extras(header);
++            (struct zzip_extra_zip64*) zzip_file_header_to_extras(header);
+         if (ZZIP_EXTRA_ZIP64_CHECK(zip64)) {
+             csize = zzip_extra_zip64_csize(zip64);
+         }
+     }
+-    if (offset == 0xFFFFu) {
++
++    if (((unsigned long)start) & 0xFFFFu == 0xFFFFu) {
++        /* actually the ZIP64 rootseek in the central directory should have updated the 
++           header start with the data portion to follow right behind it. The usage of
++           this field in a local file header is wrong on a number of levels. Specifically
++           that the zip64 extended field value points to yet another header but it is
++           actually used to point to the actual data portion instead. */
+         struct zzip_extra_zip64* zip64 =
+-           zzip_file_header_to_extras(header);
++            (struct zzip_extra_zip64*)zzip_file_header_to_extras(header);
+         if (ZZIP_EXTRA_ZIP64_CHECK(zip64)) {
+-            offset = zzip_extra_zip64_offset(zip64);
++            zzip_off64_t offset = zzip_extra_zip64_offset(zip64); /* offset of local header record */
++            if (offset && zzip_use_file_header_zip64_offset) {
++               start = disk->buffer + offset; /* but points directly to the data portion */
++               if (disk->buffer > start || start+csize >= disk->endbuf) {
++                    debug2("file start: offset out of bounds (0x%llx)", (long long unsigned) (offset));
++                    errno = EBADMSG;
++                    return 0;
++                }
++            } else {
++                debug1("file start: no zip64 local offset");
++                errno = EBADMSG;
++                return 0;
++            }
+         }
+     }
+ 
+@@ -682,7 +701,7 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
+     file->zlib.zalloc = Z_NULL;
+     file->zlib.zfree = Z_NULL;
+     file->zlib.avail_in = csize;
+-    file->zlib.next_in = offset;
++    file->zlib.next_in  = start;
+     ____;
+ 
+     DBG2("compressed size %i", (int) file->zlib.avail_in);
+-- 
+2.43.0
+

backport-0001-CVE-2020-18442.patch

@@ -1,26 +0,0 @@
-From ac9ae39ef419e9f0f83da1e583314d8c7cda34a6 Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:48:45 +0100
-Subject: [PATCH 01/35] #68 ssize_t return value of zzip_file_read is a signed
- value being possibly -1
-
----
- bins/unzzipcat-zip.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bins/unzzipcat-zip.c b/bins/unzzipcat-zip.c
-index dd78c2b..385aeaf 100644
---- a/bins/unzzipcat-zip.c
-+++ b/bins/unzzipcat-zip.c
-@@ -34,7 +34,7 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_file_read (file, buffer, 1024))) 
-+	while (0 < (len = zzip_file_read (file, buffer, 1024))) 
- 	{
- 	    fwrite (buffer, 1, len, out);
- 	}
--- 
-1.8.3.1
-

backport-0002-CVE-2020-18442.patch

@@ -1,34 +0,0 @@
-From 7e786544084548da7fcfcd9090d3c4e7f5777f7e Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:50:26 +0100
-Subject: [PATCH 02/35] #68 return value of zzip_mem_disk_fread is signed
-
----
- bins/unzip-mem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/bins/unzip-mem.c b/bins/unzip-mem.c
-index cc009f8..50eb5a6 100644
---- a/bins/unzip-mem.c
-+++ b/bins/unzip-mem.c
-@@ -81,7 +81,7 @@ static void zzip_mem_entry_pipe(ZZIP_MEM_DISK* disk,
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
- 	    fwrite (buffer, len, 1, out);
- 	
- 	zzip_mem_disk_fclose (file);
-@@ -115,7 +115,7 @@ static void zzip_mem_entry_test(ZZIP_MEM_DISK* disk,
-     {
- 	unsigned long crc = crc32 (0L, NULL, 0);
- 	unsigned char buffer[1024]; int len; 
--	while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
-+	while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file))) {
- 	    crc = crc32 (crc, buffer, len);
- 	}
- 	
--- 
-1.8.3.1
-

backport-0003-CVE-2020-18442.patch

@@ -1,34 +0,0 @@
-From d453977f59ca59c61bf59dec28dd724498828f2a Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:51:12 +0100
-Subject: [PATCH 03/35] #68 return value of zzip_entry_fread is signed
-
----
- bins/unzzipcat-big.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/bins/unzzipcat-big.c b/bins/unzzipcat-big.c
-index 111ef47..ecebe11 100644
---- a/bins/unzzipcat-big.c
-+++ b/bins/unzzipcat-big.c
-@@ -26,7 +26,7 @@ static void unzzip_big_entry_fprint(ZZIP_ENTRY* entry, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
- 	{
- 	    DBG2("entry read %i", len);
- 	    fwrite (buffer, len, 1, out);
-@@ -45,7 +45,7 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
- 	    fwrite (buffer, len, 1, out);
- 	
- 	zzip_entry_fclose (file);
--- 
-1.8.3.1
-

backport-0004-CVE-2020-18442.patch

@@ -1,34 +0,0 @@
-From 0a9db9ded9d15fbdb63bf5cf451920d0a368c00e Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:51:56 +0100
-Subject: [PATCH 04/35] #68 return value of zzip_mem_disk_fread is signed
-
----
- bins/unzzipcat-mem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/bins/unzzipcat-mem.c b/bins/unzzipcat-mem.c
-index 6bd79b7..1b5bc22 100644
---- a/bins/unzzipcat-mem.c
-+++ b/bins/unzzipcat-mem.c
-@@ -35,7 +35,7 @@ static void unzzip_mem_entry_fprint(ZZIP_MEM_DISK* disk,
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_mem_disk_fread (buffer, 1024, 1, file)))
- 	    fwrite (buffer, len, 1, out);
- 	
- 	zzip_mem_disk_fclose (file);
-@@ -48,7 +48,7 @@ static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
-     if (file) 
-     {
- 	char buffer[1025]; int len;
--	while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
-+	while (0 < (len = zzip_mem_disk_fread (buffer, 1, 1024, file))) 
- 	{
- 	    fwrite (buffer, 1, len, out);
- 	}
--- 
-1.8.3.1
-

backport-0005-CVE-2020-18442.patch

@@ -1,25 +0,0 @@
-From a34a96fbda1e58fbec5c79f4c0b5063e031ce11d Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:52:47 +0100
-Subject: [PATCH 05/35] #68 return value of zzip_fread is signed
-
----
- bins/unzzipcat-mix.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bins/unzzipcat-mix.c b/bins/unzzipcat-mix.c
-index e18987d..8f3d0b8 100644
---- a/bins/unzzipcat-mix.c
-+++ b/bins/unzzipcat-mix.c
-@@ -34,7 +34,7 @@ static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_fread (buffer, 1, 1024, file))) 
-+	while (0 < (len = zzip_fread (buffer, 1, 1024, file))) 
- 	{
- 	    fwrite (buffer, 1, len, out);
- 	}
--- 
-1.8.3.1
-

backport-0006-CVE-2020-18442.patch

@@ -1,34 +0,0 @@
-From fa1f78abe1b08544061204019016809664f2618c Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:53:50 +0100
-Subject: [PATCH 06/35] #68 return value of zzip_entry_fread is signed
-
----
- bins/unzzipshow.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/bins/unzzipshow.c b/bins/unzzipshow.c
-index 9d8c2ed..5672d3b 100644
---- a/bins/unzzipshow.c
-+++ b/bins/unzzipshow.c
-@@ -22,7 +22,7 @@ static void zzip_entry_fprint(ZZIP_ENTRY* entry, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
- 	    fwrite (buffer, len, 1, out);
- 
- 	zzip_entry_fclose (file);
-@@ -35,7 +35,7 @@ static void zzip_cat_file(FILE* disk, char* name, FILE* out)
-     if (file) 
-     {
- 	char buffer[1024]; int len;
--	while ((len = zzip_entry_fread (buffer, 1024, 1, file)))
-+	while (0 < (len = zzip_entry_fread (buffer, 1024, 1, file)))
- 	    fwrite (buffer, len, 1, out);
- 	
- 	zzip_entry_fclose (file);
--- 
-1.8.3.1
-

backport-0007-CVE-2020-18442.patch

@@ -1,25 +0,0 @@
-From f7a6fa9f0c29aecb4c2299568ed2e6094c34aca7 Mon Sep 17 00:00:00 2001
-From: Guido Draheim <guidod@gmx.de>
-Date: Mon, 4 Jan 2021 21:55:08 +0100
-Subject: [PATCH 07/35] #68 return value of posix read(2) is signed
-
----
- bins/zzipmake-zip.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bins/zzipmake-zip.c b/bins/zzipmake-zip.c
-index 8e09c31..b37877c 100644
---- a/bins/zzipmake-zip.c
-+++ b/bins/zzipmake-zip.c
-@@ -57,7 +57,7 @@ int rezzip_make (int argc, char ** argv)
- 		continue;
- 	    }
- 
--	    while ((n = read (input, buf, 16)))
-+	    while (0 < (n = read (input, buf, 16)))
- 	    {
- 		zzip_write (output, buf, n);
- 	    }
--- 
-1.8.3.1
-

fix-CVE-2024-39134.patch

@@ -0,0 +1,45 @@
+From 2a84ae73e93b0c1f4f12f2c58104f8327d10e41b Mon Sep 17 00:00:00 2001
+From: vlefebvre <valentin.lefebvre@suse.com>
+Date: Wed, 7 Aug 2024 11:10:05 +0200
+Subject: [PATCH] fetch_disk_trailer: Don't truncate the size verif
+Reference:https://github.com/gdraheim/zziplib/commit/2a84ae73e93b0c1f4f12f2c58104f8327d10e41b
+
+* We must check if the tail obtained have the size of the zzip_disk_trailer
+  struct. end - tail should be at least >= of the size but not size - 2.
+  Where truncated by 2 was good for pre-C99 compilers.
+* Fix gdraheim#165
+
+---
+ zzip/zip.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/zzip/zip.c b/zzip/zip.c
+index dfa1c2f..8d9bc9b 100644
+--- a/zzip/zip.c
++++ b/zzip/zip.c
+@@ -293,7 +293,7 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+             for (tail = end - 1; (tail >= mapped); tail--)
+             {
+                 if ((*tail == 'P') &&   /* quick pre-check for trailer magic */
+-                    end - tail >= __sizeof(struct zzip_disk_trailer) - 2 &&
++                    end - tail >= __sizeof(struct zzip_disk_trailer) &&				
+                     zzip_disk_trailer_check_magic(tail))
+                 {
+ #                  ifndef ZZIP_DISK64_TRAILER
+@@ -329,10 +329,9 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ 		    if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+ 		        return(ZZIP_CORRUPTED);
+                     { return(0); }
+-                } else if ((*tail == 'P') &&
+-                           end - tail >=
+-                           __sizeof(struct zzip_disk64_trailer) - 2
+-                           && zzip_disk64_trailer_check_magic(tail))
++	        }
++	        else if ((*tail == 'P') && end - tail >= __sizeof(struct zzip_disk64_trailer) &&
++                           zzip_disk64_trailer_check_magic(tail))
+                 {
+ #                  ifndef ZZIP_DISK64_TRAILER
+                     return (ZZIP_DIR_LARGEFILE);
+-- 
+2.27.0
+

zziplib.spec

@@ -1,25 +1,17 @@
-%define disable_rpath \
-sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' */libtool \
-sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' */libtool
-
 Name:            zziplib
-Version:         0.13.71
-Release:         2
+Version:         0.13.72
+Release:         4
 Summary:         Lightweight library for zip compression
 License:         LGPLv2+ or MPLv1.1
 URL:             http://zziplib.sourceforge.net
-Source0:         https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
+Source0:         https://github.com/gdraheim/zziplib/archive/refs/tags/v0.13.72.tar.gz
 
-Patch6000:       backport-0001-CVE-2020-18442.patch
-Patch6001:       backport-0002-CVE-2020-18442.patch
-Patch6002:       backport-0003-CVE-2020-18442.patch
-Patch6003:       backport-0004-CVE-2020-18442.patch
-Patch6004:       backport-0005-CVE-2020-18442.patch
-Patch6005:       backport-0006-CVE-2020-18442.patch
-Patch6006:       backport-0007-CVE-2020-18442.patch
+Patch0001:       fix-CVE-2024-39134.patch
+Patch0002:       0002-backport-disable-zzip_use_file_header_zip64_offset.patch
 
 BuildRequires:   perl-interpreter  zip xmlto
 BuildRequires:   zlib-devel SDL-devel pkgconfig autoconf automake gcc make
+BuildRequires:   cmake
 
 Provides:        zziplib-utils
 Obsoletes:       zziplib-utils
@@ -49,27 +41,17 @@ BuildArch:       noarch
 This package includes help documentation and manuals related to zziplib.
 
 %prep
-%setup -q
-sed -i -e 's:docs ::g' Makefile.am
-%patch6000 -p1
-%patch6001 -p1
-%patch6002 -p1
-%patch6003 -p1
-%patch6004 -p1
-%patch6005 -p1
-%patch6006 -p1
+%autosetup -p1 -n %{name}-%{version}
 
 %build
-%configure --disable-static --enable-sdl --enable-frame-pointer --enable-builddir=_builddir
-%make_build
+%cmake -B "%{_vpath_builddir}" -DZZIP_TESTCVE=OFF
+
+%make_build -C "%{_vpath_builddir}"
 
 %install
-%make_install
-rm -rf docs/Make* docs/zziplib-manpages.ar
-find %{buildroot} -type f -name "*.la" -delete -print
+%make_install -C "%{_vpath_builddir}"
 
 %post -p /sbin/ldconfig
-
 %postun -p /sbin/ldconfig
 
 %files
@@ -89,6 +71,21 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_mandir}/man3/*
 
 %changelog
+* Thu Aug 29 2024 yuanchao <1050706328@qq.com> - 0.13.72-4
+- backport:disable zzip_use_file_header_zip64_offset,and fix wrong format in changelog,to support clang build
+
+* Fri Aug 9 2024 baiguo <baiguo@kylinos.cn> - 0.13.72-3
+- fix CVE-2024-39134
+
+* Wed Jul  5 2023 dillon chen <dillon.chen@gmail.com> - 0.13.72-2
+- add -DZZIP_TESTCVE=OFF skip download test(curl github)
+
+* Tue Sep 27 2022 dillon chen <dillon.chen@gmail.com> - 0.13.72-1
+- update to 0.13.72
+
+* Sat Sep 04 2021 shixuantong <shixuantong@huawei.com> - 0.13.71-3
+- remove rpath
+
 * Fri Jun 25 2021 shixuantong <shixuantong@huawei.com> - 0.13.71-2
 - fix CVE-2020-18442