From: sms
Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
Bug-Debian: http://bugs.debian.org/773722

--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
 
   See the accompanying file LICENSE, version 2009-Jan-02 or later
   (the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@
 #ifndef SFX
    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
+     EF block length (%u bytes) invalid (< %d)\n";
    static ZCONST char Far InvalidComprDataEAs[] =
      " invalid compressed data for EAs\n";
 #  if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@
         ebID = makeword(ef);
         ebLen = (unsigned)makeword(ef+EB_LEN);
 
-        if (ebLen > (ef_len - EB_HEADSIZE)) {
+        if (ebLen > (ef_len - EB_HEADSIZE))
+        {
            /* Discovered some extra field inconsistency! */
             if (uO.qflag)
                 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2032,6 +2035,16 @@
               ebLen, (ef_len - EB_HEADSIZE)));
             return PK_ERR;
         }
+        else if (ebLen < EB_HEADSIZE)
+        {
+            /* Extra block length smaller than header length. */
+            if (uO.qflag)
+                Info(slide, 1, ((char *)slide, "%-22s ",
+                  FnFilter1(G.filename)));
+            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+              ebLen, EB_HEADSIZE));
+            return PK_ERR;
+        }
 
         switch (ebID) {
             case EF_OS2:
ue='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=d86dd1e1db029ad9697415fc22af5c35979fc9bc'>root</a>/<a href='/guix/log/gnu?id=d86dd1e1db029ad9697415fc22af5c35979fc9bc'>gnu</a>/<a href='/guix/log/gnu/packages?id=d86dd1e1db029ad9697415fc22af5c35979fc9bc'>packages</a>/<a href='/guix/log/gnu/packages/chemistry.scm?id=d86dd1e1db029ad9697415fc22af5c35979fc9bc'>chemistry.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/chemistry.scm?id=d86dd1e1db029ad9697415fc22af5c35979fc9bc&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-02-13 11:04:48 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=e5bfc462dd695a570fe88c4c6d6efee808fd1a56'>gnu: rdkit: Update to 2023.09.4.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (rdkit): Update to 2023.09.4.
[arguments]: Skip testConrec test in check phase.
[native-inputs]: Replace catch2 with catch2-3.
* gnu/packages/patches/rdkit-unbundle-external-dependencies.patch: Adjust
patch.
[supported-systems]: New field.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:48 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=cc772e7f3172a8014e32c7ea3f6626963d4e9e16'>gnu: freesasa: Fix memerr tests.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (freesasa)[arguments]: Add
"CFLAGS=-fno-builtin-malloc" to #:configure-flags.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:48 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=52cca41c6fdb35d25c0543fef5fd90ebc855163c'>gnu: avalon-toolkit: Update to 2.0.5a.</a><span class='msg-avail'>...<span class='msg-tooltip'>The bug freeing static memory and the makefile have been improved upstream, so
we don't have to work around them anymore. Now, two static libraries are built
instead.

* gnu/packages/chemistry.scm (avalon-toolkit): Update to 2.0.5a.
[source]: Switch to git reference from GitHub. Adjust snippet. Add patch from
the RDKit fork.
[arguments]: Remove 'dont-free-static-memory phase. Use provided
makefile. Adjust 'install phase.
* gnu/packages/patches/avalon-toolkit-rdkit-fixes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:48 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=baa711441aae18d4855243af6e6c626aeefdeae0'>gnu: yaehmop: Update to 2023.03.1.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (yaehmop): Update to 2023.03.1.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:48 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=805ee7223720b00ad2556758c2d2c44ba6fb6d8a'>gnu: coordgenlibs: Update to 3.0.2.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (coordgenlibs): Update to 3.0.2.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:47 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=6ab278b2e78be294010d688e30b7bfd33d792584'>gnu: maeparser: Update to 1.3.1.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (maeparser): Update to 1.3.1.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-02-13 11:04:47 +0000'>2024-02-13</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=01ec7c388323723869b3d731025d3b2526dcb5d9'>gnu: gemmi: Update to 0.6.4.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/chemistry.scm (gemmi): Update to 0.6.4.
[arguments]: Adjust include/gemmi/sprintf.hpp -&gt; src/sprintf.cpp.
(freesasa)[arguments]: Link to gemmi_cpp explicitly.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>David Elsing</td></tr>
<tr><td><span title='2024-01-09 22:10:12 -0500'>2024-01-09</span></td><td><a href='/guix/commit/gnu/packages/chemistry.scm?id=edb03ceb60d2f44162332878b1d1a1a34b5fd6a3'>gnu: msgpack: Deprecate with msgpack-c.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/serialization.scm (msgpack-c): New variable.
(msgpack-cxx): New variable.
(msgpack): Rename to...
(msgpack-3): ... this, and inherit from msgpack-c.
* gnu/packages/vim.scm (eovim) [arguments]: Add help-cmake-find-msgpack-c
phase.
[inputs]: Replace msgpack with msgpack-c.
* gnu/packages/terminals.scm (tmate)
[inputs]: Replace msgpack with msgpack-3.
* gnu/packages/networking.scm (opendht)
[propagated-inputs]: Replace msgpack with msgpack-cxx.
* gnu/packages/chemistry.scm (mmtf-cpp) [propagated-inputs]: Likewise.
</span></span></td><td>Maxim Cournoyer</td></tr>

Age	Commit message (Expand)	Author
2024-02-13	gnu: rdkit: Update to 2023.09.4....* gnu/packages/chemistry.scm (rdkit): Update to 2023.09.4. [arguments]: Skip testConrec test in check phase. [native-inputs]: Replace catch2 with catch2-3. * gnu/packages/patches/rdkit-unbundle-external-dependencies.patch: Adjust patch. [supported-systems]: New field. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: freesasa: Fix memerr tests....* gnu/packages/chemistry.scm (freesasa)[arguments]: Add "CFLAGS=-fno-builtin-malloc" to #:configure-flags. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: avalon-toolkit: Update to 2.0.5a....The bug freeing static memory and the makefile have been improved upstream, so we don't have to work around them anymore. Now, two static libraries are built instead. * gnu/packages/chemistry.scm (avalon-toolkit): Update to 2.0.5a. [source]: Switch to git reference from GitHub. Adjust snippet. Add patch from the RDKit fork. [arguments]: Remove 'dont-free-static-memory phase. Use provided makefile. Adjust 'install phase. * gnu/packages/patches/avalon-toolkit-rdkit-fixes.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: yaehmop: Update to 2023.03.1....* gnu/packages/chemistry.scm (yaehmop): Update to 2023.03.1. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: coordgenlibs: Update to 3.0.2....* gnu/packages/chemistry.scm (coordgenlibs): Update to 3.0.2. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: maeparser: Update to 1.3.1....* gnu/packages/chemistry.scm (maeparser): Update to 1.3.1. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-02-13	gnu: gemmi: Update to 0.6.4....* gnu/packages/chemistry.scm (gemmi): Update to 0.6.4. [arguments]: Adjust include/gemmi/sprintf.hpp -> src/sprintf.cpp. (freesasa)[arguments]: Link to gemmi_cpp explicitly. Signed-off-by: Christopher Baines <mail@cbaines.net>	David Elsing
2024-01-09	gnu: msgpack: Deprecate with msgpack-c....* gnu/packages/serialization.scm (msgpack-c): New variable. (msgpack-cxx): New variable. (msgpack): Rename to... (msgpack-3): ... this, and inherit from msgpack-c. * gnu/packages/vim.scm (eovim) [arguments]: Add help-cmake-find-msgpack-c phase. [inputs]: Replace msgpack with msgpack-c. * gnu/packages/terminals.scm (tmate) [inputs]: Replace msgpack with msgpack-3. * gnu/packages/networking.scm (opendht) [propagated-inputs]: Replace msgpack with msgpack-cxx. * gnu/packages/chemistry.scm (mmtf-cpp) [propagated-inputs]: Likewise.	Maxim Cournoyer