From: sms
Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
Bug-Debian: http://bugs.debian.org/773722

--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
 
   See the accompanying file LICENSE, version 2009-Jan-02 or later
   (the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@
 #ifndef SFX
    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
+     EF block length (%u bytes) invalid (< %d)\n";
    static ZCONST char Far InvalidComprDataEAs[] =
      " invalid compressed data for EAs\n";
 #  if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@
         ebID = makeword(ef);
         ebLen = (unsigned)makeword(ef+EB_LEN);
 
-        if (ebLen > (ef_len - EB_HEADSIZE)) {
+        if (ebLen > (ef_len - EB_HEADSIZE))
+        {
            /* Discovered some extra field inconsistency! */
             if (uO.qflag)
                 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2032,6 +2035,16 @@
               ebLen, (ef_len - EB_HEADSIZE)));
             return PK_ERR;
         }
+        else if (ebLen < EB_HEADSIZE)
+        {
+            /* Extra block length smaller than header length. */
+            if (uO.qflag)
+                Info(slide, 1, ((char *)slide, "%-22s ",
+                  FnFilter1(G.filename)));
+            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+              ebLen, EB_HEADSIZE));
+            return PK_ERR;
+        }
 
         switch (ebID) {
             case EF_OS2:
ption>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=a9dc352e79453e145113d43c4df5e61b0085d299'>root</a>/<a href='/guix/log/gnu?id=a9dc352e79453e145113d43c4df5e61b0085d299'>gnu</a>/<a href='/guix/log/gnu/packages?id=a9dc352e79453e145113d43c4df5e61b0085d299'>packages</a>/<a href='/guix/log/gnu/packages/vulkan.scm?id=a9dc352e79453e145113d43c4df5e61b0085d299'>vulkan.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/vulkan.scm?id=a9dc352e79453e145113d43c4df5e61b0085d299&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-11-05 11:56:25 -0500'>2024-11-05</span></td><td><a href='/guix/commit/gnu/packages/vulkan.scm?id=8a602183ff40c02a88f5791427a93bf72b6463f0'>gnu: volk: Hard-code path of vulkan-loader for dynamic loading</a><span class='msg-avail'>...<span class='msg-tooltip'>Until now, we’d get:

  $ guix shell vulkan-tools -- vulkaninfo
  ERROR at /tmp/guix-build-vulkan-tools-1.3.280.0.drv-0/source/vulkaninfo/./vulkaninfo.h:412: Failed to initialize: Vulkan loader is not installed, not found, or failed to load.

This patch fixes it and potentially for other programs as well.

* gnu/packages/vulkan.scm (volk)[arguments]: use gexp.
&lt;#:phases&gt;: Patch dlopen with libvulkan.so.
[input]: Add vulkan-loader.

Change-Id: I5ef0eb13d35e517b8947faddace641882a775b80
Co-authored-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
Signed-off-by: John Kehayias &lt;john.kehayias@protonmail.com&gt;
</span></span></td><td>nathan</td></tr>
<tr><td><span title='2024-11-05 11:56:23 -0500'>2024-11-05</span></td><td><a href='/guix/commit/gnu/packages/vulkan.scm?id=f0bf6994b036259af2bb604a8c1aef21becd1d29'>gnu: vulkan-headers: Hard-code libvulkan.so file name.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/vulkan.scm (vulkan-headers): Rename to…
(vulkan-headers/no-loader): … this.
(vulkan-headers): New variable.
(vulkan-loader): Depend on ‘vulkan-headers/no-loader’.

Change-Id: Ic674a4d965d8049e388d75137111ed0253ca3b18
Co-authored-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
Signed-off-by: John Kehayias &lt;john.kehayias@protonmail.com&gt;
</span></span></td><td>nathan</td></tr>
<tr><td><span title='2024-08-31 10:45:42 +0200'>2024-08-31</span></td><td><a href='/guix/commit/gnu/packages/vulkan.scm?id=d10ab3d397d0d26fd832cbcb60d4756f2f65ce7c'>gnu: mesa: Fix building on aarch64-linux.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gl.scm (mesa)[inputs]: When building for aarch64-linux
use clang-18 and llvm-18 instead of llvm-for-mesa.
[native-inputs]: When building for aarch64-linux add libclc.
[arguments]: Adjust the 'disable-failing-test phase when building for
aarch64-linux to skip a test.
(mesa-opencl)[native-inputs]: When building for aarch64-linux don't add
clang-15.
* gnu/packages/check.scm (python-lit),
* gnu/packages/llvm.scm (libclc),
* gnu/packages/vulkan.scm (spirv-llvm-translator): Add a note about it
being a dependency for mesa.

Change-Id: I0bf5ab019ffd0626ad2d0c38bafceec401e3c886
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2024-08-17 11:20:44 +0800'>2024-08-17</span></td><td><a href='/guix/commit/gnu/packages/vulkan.scm?id=6541d382cb5c18703152cbd0c5e5e93d671d6dab'>gnu: Add vkbasalt.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/vulkan.scm: (vkbasalt): New variable.

Change-Id: Ib5a39df0deabb166498e16e7359e7fa83a63b6c9
Signed-off-by: Zheng Junjie &lt;zhengjunjie@iscas.ac.cn&gt;
</span></span></td><td>James Smith via Guix-patches via</td></tr>
<tr><td><span title='2024-08-11 10:49:27 +0100'>2024-08-11</span></td><td><a href='/guix/commit/gnu/packages/vulkan.scm?id=0f82dfeb0abe2d1d7a0fc45d7e164c3842234820'>gnu: vulkan-loader: Fix cross-compilation.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/vulkan.scm (vulkan-loader)[arguments]&lt;#:configure&gt;: When
cross-compilation, set the PKG_CONFIG_EXECUTABLE variable.

Change-Id: Ie0466a64effa5c93f859ff872423f2403f23f5cb
Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>Zheng Junjie</td></tr>

Age	Commit message (Expand)	Author
2024-11-05	gnu: volk: Hard-code path of vulkan-loader for dynamic loading...Until now, we’d get: $ guix shell vulkan-tools -- vulkaninfo ERROR at /tmp/guix-build-vulkan-tools-1.3.280.0.drv-0/source/vulkaninfo/./vulkaninfo.h:412: Failed to initialize: Vulkan loader is not installed, not found, or failed to load. This patch fixes it and potentially for other programs as well. * gnu/packages/vulkan.scm (volk)[arguments]: use gexp. <#:phases>: Patch dlopen with libvulkan.so. [input]: Add vulkan-loader. Change-Id: I5ef0eb13d35e517b8947faddace641882a775b80 Co-authored-by: Ludovic Courtès <ludo@gnu.org> Signed-off-by: John Kehayias <john.kehayias@protonmail.com>	nathan
2024-11-05	gnu: vulkan-headers: Hard-code libvulkan.so file name....* gnu/packages/vulkan.scm (vulkan-headers): Rename to… (vulkan-headers/no-loader): … this. (vulkan-headers): New variable. (vulkan-loader): Depend on ‘vulkan-headers/no-loader’. Change-Id: Ic674a4d965d8049e388d75137111ed0253ca3b18 Co-authored-by: Ludovic Courtès <ludo@gnu.org> Signed-off-by: John Kehayias <john.kehayias@protonmail.com>	nathan
2024-08-31	gnu: mesa: Fix building on aarch64-linux....* gnu/packages/gl.scm (mesa)[inputs]: When building for aarch64-linux use clang-18 and llvm-18 instead of llvm-for-mesa. [native-inputs]: When building for aarch64-linux add libclc. [arguments]: Adjust the 'disable-failing-test phase when building for aarch64-linux to skip a test. (mesa-opencl)[native-inputs]: When building for aarch64-linux don't add clang-15. * gnu/packages/check.scm (python-lit), * gnu/packages/llvm.scm (libclc), * gnu/packages/vulkan.scm (spirv-llvm-translator): Add a note about it being a dependency for mesa. Change-Id: I0bf5ab019ffd0626ad2d0c38bafceec401e3c886	Efraim Flashner
2024-08-17	gnu: Add vkbasalt....* gnu/packages/vulkan.scm: (vkbasalt): New variable. Change-Id: Ib5a39df0deabb166498e16e7359e7fa83a63b6c9 Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>	James Smith via Guix-patches via
2024-08-11	gnu: vulkan-loader: Fix cross-compilation....* gnu/packages/vulkan.scm (vulkan-loader)[arguments]<#:configure>: When cross-compilation, set the PKG_CONFIG_EXECUTABLE variable. Change-Id: Ie0466a64effa5c93f859ff872423f2403f23f5cb Signed-off-by: Christopher Baines <mail@cbaines.net>	Zheng Junjie