[libcommons-compress-java] 01/02: Apply patch for CVE-2018-1324 (Closes: #893174)

tony mancill tmancill at debian.org
Mon Apr 9 13:44:34 UTC 2018


This is an automated email from the git hooks/post-receive script.

tmancill pushed a commit to branch stretch
in repository libcommons-compress-java.

commit 68fba1efd66fa1d22ca4bc139f864205d9528478
Author: tony mancill <tmancill at debian.org>
Date:   Sun Apr 8 20:52:42 2018 -0700

    Apply patch for CVE-2018-1324 (Closes: #893174)
---
 debian/patches/CVE-2018-1324.patch | 17 +++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 18 insertions(+)

diff --git a/debian/patches/CVE-2018-1324.patch b/debian/patches/CVE-2018-1324.patch
new file mode 100644
index 0000000..7ab678f
--- /dev/null
+++ b/debian/patches/CVE-2018-1324.patch
@@ -0,0 +1,17 @@
+Description: CVE-2018-1324
+Author: Stefan Bodewig <bodewig at apache.org>
+Forwarded: not-needed
+Source: https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893174
+
+--- a/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java
++++ b/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java
+@@ -310,7 +310,7 @@ public class X0017_StrongEncryptionHeader extends PKWareExtraHeader {
+             this.hashAlg = HashAlgorithm.getAlgorithmByCode(ZipShort.getValue(data, offset + 12));
+             this.hashSize = ZipShort.getValue(data, offset + 14);
+             // srlist... hashed public keys
+-            for (int i = 0; i < this.rcount; i++) {
++            for (long i = 0; i < this.rcount; i++) {
+                 for (int j = 0; j < this.hashSize; j++) {
+                     //  ZipUtil.signedByteToUnsignedInt(data[offset + 16 + (i * this.hashSize) + j]));
+                 }
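Review bot: The bound of `for (long i = 0; i < this.rcount; i++)` is still unchecked. Widening the counter stops the wrap-around that kept the loop from terminating, but the inner body is only a commented-out line, so the nested loops do up to rcount × hashSize iterations of no work. rcount is presumably read from the same extra-field bytes as `hashSize` just above (its declaration and assignment are outside the hunk), so an untrusted archive could still make parsing burn CPU for a long time. Consider deleting both empty loops and leaving a comment such as `// srlist (hashed public keys) is not parsed; rcount comes from the archive and must not drive a loop`. Alternatively, reject the field when rcount × hashSize exceeds the bytes remaining after `offset + 16`. The enclosing method starts and ends outside the hunk, so confirm against the full file whether an earlier length check already covers this.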
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3df6607
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-1324.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libcommons-compress-java.git


