[Git][java-team/zip4j][master] 4 commits: Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Mon Jan 16 20:17:31 GMT 2023



Tony Mancill pushed to branch master at Debian Java Maintainers / zip4j


Commits:
a0c10886 by tony mancill at 2023-01-16T12:10:51-08:00
Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)

- - - - -
b1b77797 by tony mancill at 2023-01-16T12:12:12-08:00
Freshen years in debian/copyright

- - - - -
9df4a943 by tony mancill at 2023-01-16T12:12:35-08:00
Bump Standards-Version to 4.6.2

- - - - -
2b9b7f84 by tony mancill at 2023-01-16T12:15:03-08:00
Prepare changelog for upload

- - - - -


5 changed files:

- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/CVE-2023-22899.patch
- + debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+zip4j (2.11.2-3) unstable; urgency=high
+
+  * Team upload.
+
+  [ Debian Janitor ]
+  * Remove constraints unnecessary since buster (oldstable)
+
+  [ tony mancill ]
+  * Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
+  * Freshen years in debian/copyright
+  * Bump Standards-Version to 4.6.2
+
+ -- tony mancill <tmancill at debian.org>  Mon, 16 Jan 2023 12:12:37 -0800
+
 zip4j (2.11.2-2) unstable; urgency=medium
 
   * Update debian/watch to watch GitHub tags.
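Review bot: the "[ Debian Janitor ] Remove constraints unnecessary since buster (oldstable)" entry in this changelog stanza is not backed by any of the four commits in this push, and the debian/control hunk below shows only the Standards-Version bump; please confirm that change already landed in an earlier commit on master, otherwise the 2.11.2-3 entry claims a change the upload does not contain. urgency=high is appropriate for the CVE-2023-22899 fix.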


=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Build-Depends:
  default-jdk,
  libmaven-bundle-plugin-java,
  maven-debian-helper,
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/java-team/zip4j.git
 Vcs-Browser: https://salsa.debian.org/java-team/zip4j
 Homepage: http://www.lingala.net/zip4j
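Review bot: style point on the unchanged context rather than the bump itself: "Homepage: http://www.lingala.net/zip4j" is still a plain http URL; if upstream serves the site over https it is worth switching in the same Standards-Version housekeeping. The 4.6.1 to 4.6.2 change itself needs no further action beyond the changelog entry already present.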


=====================================
debian/copyright
=====================================
@@ -3,11 +3,11 @@ Upstream-Name: zip4j
 Source: https://github.com/srikanth-lingala/zip4j/releases
 
 Files: *
-Copyright: 2019-2022, Srikanth Reddy Lingala <srikanth.mailbox at gmail.com>
+Copyright: 2019-2023, Srikanth Reddy Lingala <srikanth.mailbox at gmail.com>
 License: Apache-2.0
 
 Files: debian/*
-Copyright: 2019-2022, Andrius Merkys <merkys at debian.org>
+Copyright: 2019-2023, Andrius Merkys <merkys at debian.org>
 License: Apache-2.0
 
 License: Apache-2.0


=====================================
debian/patches/CVE-2023-22899.patch
=====================================
@@ -0,0 +1,43 @@
+Description: Check for MAC even when DataDescritor exists
+ Addresses vulnerability CVE-2023-22899
+ Zip4j through 2.11.2, as used in Threema and other products, does not
+ always check the MAC when decrypting a ZIP archive.
+Source: https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3.patch
+From: Srikanth Reddy Lingala <srikanth.mailbox at gmail.com>
+Date: Sun, 15 Jan 2023 11:19:55 -0500
+Bug-Vendor: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029038
+Forwarded: not-needed
+
+---
+ .../zip4j/io/inputstream/AesCipherInputStream.java   | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/src/main/java/net/lingala/zip4j/io/inputstream/AesCipherInputStream.java
++++ b/src/main/java/net/lingala/zip4j/io/inputstream/AesCipherInputStream.java
+@@ -4,9 +4,7 @@
+ import net.lingala.zip4j.exception.ZipException;
+ import net.lingala.zip4j.model.AESExtraDataRecord;
+ import net.lingala.zip4j.model.LocalFileHeader;
+-import net.lingala.zip4j.model.enums.CompressionMethod;
+ import net.lingala.zip4j.util.InternalZipConstants;
+-import net.lingala.zip4j.util.Zip4jUtil;
+ 
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -124,16 +122,6 @@
+   }
+ 
+   private void verifyContent(byte[] storedMac) throws IOException {
+-    if (getLocalFileHeader().isDataDescriptorExists()
+-        && CompressionMethod.DEFLATE.equals(Zip4jUtil.getCompressionMethod(getLocalFileHeader()))) {
+-      // Skip content verification in case of Deflate compression and if data descriptor exists.
+-      // In this case, we do not know the exact size of compressed data before hand and it is possible that we read
+-      // and pass more than required data into inflater, thereby corrupting the aes mac bytes.
+-      // See usage of PushBackInputStream in the project for how this push back of data is done
+-      // Unfortunately, in this case we cannot perform a content verification and have to skip
+-      return;
+-    }
+-
+     byte[] calculatedMac = getDecrypter().getCalculatedAuthenticationBytes();
+     byte[] first10BytesOfCalculatedMac = new byte[AES_AUTH_LENGTH];
+     System.arraycopy(calculatedMac, 0, first10BytesOfCalculatedMac, 0, InternalZipConstants.AES_AUTH_LENGTH);
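Review bot: the fix consists solely of deleting the early return in verifyContent, so the MAC is now compared for Deflate entries that carry a data descriptor, but the concern the deleted comment describes (the stream may push more than the compressed size into the inflater and clobber the trailing AES auth bytes) is not touched by any other change in this 12-deletion patch; before upload, confirm that the upstream commit referenced in the header is complete on its own for that code path, ideally by running the package's tests against an AES-encrypted, Deflate-compressed entry with a data descriptor and checking that a good archive still verifies while a tampered one is rejected. Two DEP-3 header fixes as well: "Bug-Vendor:" is the literal placeholder from the DEP-3 template and should read "Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029038", and DEP-3 names the upstream patch URL field "Origin:" rather than "Source:". Finally, "DataDescritor" in the Description line should be "DataDescriptor".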


=====================================
debian/patches/series
=====================================
@@ -0,0 +1 @@
+CVE-2023-22899.patch



View it on GitLab: https://salsa.debian.org/java-team/zip4j/-/compare/14d20c213d1d152445e49e6625f9a3bbedbfe442...2b9b7f84c3fcd9d012e1a11637fcf6c563d51baf
