# # spec file for package zziplib # # Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define lname libzzip-0-13 Name: zziplib Version: 0.13.78 Release: 3.1 Summary: ZIP Compression Library License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ URL: http://zziplib.sourceforge.net Source0: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source2: baselibs.conf BuildRequires: cmake >= 3.5 BuildRequires: pkgconfig BuildRequires: xmlto BuildRequires: zip BuildRequires: pkgconfig(zlib) %description ZZipLib is a library for dealing with ZIP and ZIP-like archives by using algorithms of zlib. %package -n %{lname} Summary: ZIP compression library Group: System/Libraries Obsoletes: zziplib < %{version}-%{release} Provides: zziplib = %{version}-%{release} %description -n %{lname} ZZipLib is a library for dealing with ZIP and ZIP-like archives by using algorithms of zlib. %package devel Summary: Development files for zziplib, a ZIP compression library Group: Development/Libraries/C and C++ Requires: %{lname} = %{version} Requires: pkgconfig(zlib) %description devel That are the header files needed for developing applications using ZZipLib. %prep %autosetup -p1 # do not bother with html docs saving us python2 dependency sed -i -e 's:docs ::g' Makefile.am %build # Workaround for boo#1225959 %global optflags %{optflags} -fpermissive %(getconf LFS_CFLAGS) -DPIC %cmake -DZZIP_TESTCVE=OFF -DZZIP_LARGEFILE_SENSITIVE=ON -DZZIP_LARGEFILE_RENAME=ON -DPIC=ON -DCMAKE_POLICY_VERSION_MINIMUM=3.5 %cmake_build %install %cmake_install rm -f docs/Make* docs/zziplib-manpages.ar find %{buildroot} -type f -name "*.la" -delete -print # Remove uneeded .cmake files rm -rf %{buildroot}%{_libdir}/cmake %post -n %{lname} -p /sbin/ldconfig %postun -n %{lname} -p /sbin/ldconfig %files -n %{lname} %license COPYING.LIB %{_libdir}/libzzip*.so.* %files devel %doc docs/README.SDL ChangeLog README TODO %{_bindir}/unzzip* %{_bindir}/zz* %{_bindir}/unzip-mem %{_libdir}/libzzip*.so %{_includedir}/* %{_libdir}/pkgconfig/*.pc %{_datadir}/aclocal/*.m4 %{_mandir}/man3/__zzip_*.3%{?ext_man} %{_mandir}/man3/zzip_*.3%{?ext_man} %changelog * Fri Mar 21 2025 Shawn Dunn - Add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to clear FTBFS with cmake4 * Wed Mar 19 2025 Dr. Werner Fink - Fix dumb cmake handling and enable ZZIP_LARGEFILE_RENAME as well and set -DPIC in the CFLAGS to have both 32bit and 64bit file support on 32bit architecures * Mon Mar 17 2025 Dr. Werner Fink - Support large file access on 32bit architectures as well (boo#1239672) * Thu Aug 8 2024 Valentin Lefebvre - Removing patches merged upstream: [- CVE-2020-18770.patch] [- bsc1154002-prevent-unnecessary-perror.patch] [- zziplib-0.13.62.patch] - Release to v0.13.78 * fix windows crossgcc builds * fix ZIP64 trailer and ZIP64 extras being too short sometimes #169 #170 (bsc#1227178, CVE-2024-39134) (bsc#1227175, CVE-2024-39133) - Release to v0.13.77 * make afl to check for fuzzer bugs * update os versions to latest from docker_mirror.py * add missing tests scenarios for later os releases * fix Coverage include hack * integrate mxe/src/zziplib-2-prefer-win32-mmap.patch * make crossgcc/windows a working example for mingw * `./testbuilds.py clean` will drop test-related docker images * `./testbuilds.py` will automatically run clean if everything successful * `./testbuilds.py help` shows the available tests and commands * in test_2xx create /external bins and compile them by linking via cmake-configs * fix bins/CMakeLists.txt to show realistic usage of cmake find_package * note: it seems bins/unzzip*.c use internal headers which external programs can't - Release to v0.13.76 * add DEVGUIDE.md and prep release process * add -DCOVERAGE=ON cmake option * allow for 'make coverage' summary * change zzipdoc to python3 typehints * allow for make types check on python * remove unused make-doc.py make-doc.pl * add bins/*.c and test/*.c to make format * for bins/ --version shorten the automatic binary name #156 * simplify bins/ ssize_t construction * tested 'make nextversion' to ensure version number is increased * note: last 0.13.74 was internally still named 0.13.72 * integrate opensuse patch for -Wwrite-strings for GCC4.1+ * switch to mypy minimum of python3.8 * fix dbk2man regression (from typehints changes) * fixed again cmake bug - parallel builds can lead to race condition * removed ubuntu1604 testbuilds - python3.5 is too old * ubuntu2404 is ready - was waiting for sdl-dev in universe * move definitions form zzip/stdint.h to zzip/cstdint.h * note: some includepaths made zzip/stdint.h be found as stdint.h * move some definitions from zzip/__hints.h to zzip/cdecl.h * make zzip/cdecl.h use gcc's ansidecl.h definitions if found * remove zzip/__hints.h in public headers - use zzip/cdecl.h instead * the __*.h files were not meant to be installed * some distros have installed them anyway - that should be dropped * the "make format" will check for __*.h in public headers as well * note: this should help to avoide it creep in again * add "make bins" to ensure testing compilation of those binaries * add PACKAGE_NAME and PACKAGE_VERSION to _msvc.h - Release to v0.13.75 * add DEVGUIDE.md and prep release process * add -DCOVERAGE=ON cmake option * allow for 'make coverage' summary * change zzipdoc to python3 typehints * allow for make types check on python * remove unused make-doc.py make-doc.pl * add bins/*.c and test/*.c to make format * for bins/ --version shorten the automatic binary name #156 * simplify bins/ ssize_t construction * tested 'make nextversion' to ensure version number is increased * note: last 0.13.74 was internally still named 0.13.72 * integrate opensuse patch for -Wwrite-strings for GCC4.1+ * switch to mypy minimum of python3.8 * fix dbk2man regression (from typehints changes) * fixed again cmake bug - parallel builds can lead to race condition * removed ubuntu1604 testbuilds - python3.5 is too old * ubuntu2404 is ready - was waiting for sdl-dev in universe * disabled local file header offset64 * allowed to 'make fortify' for extended debugging * fixed all memleak bugs from address sanitizer * fixed ZIP64 bugs - but the support is still incomplete * fixed remaining failures as they were recorded in testsuite - Release to v0.13.74 * fixed last cmake bug - parallel builds can lead to race condition * abolished centos8 testbuilds and prepared ubuntu24 * integrated some github patches * prepare autoformat with clang-format (not yet enforced) - Release to v0.13.73 * Switched docs from .htm to .md format. The mksite to .html is retained. * Some cmake patches were included. Specifically MacOS seems to be special. * Automated builds changed from azure-pipelines to github/workflows * Added typehints and pep8 check for the python parts of the tools and tests * Can still update automake for now. Continues the testbuilds.py comparison. * Mon Jul 15 2024 Martin Jambor - Add -fpermissive to %%{optflags} to workaround C99 violations which cause GCC14 to throw an error by default. [boo#1225959] * Tue Feb 27 2024 Valentin Lefebvre - assert full zzip_file_header. [bsc#1214577, CVE-2020-18770, CVE-2020-18770.patch] - Use autosetup * Tue Feb 20 2024 Dominique Leuenberger - Use %%patch -P N instead of deprecated %%patchN. * Sun Feb 7 2021 Dirk Müller - update to 0.13.72: * The testbuilds were fixed to make cmake install and automake install the same * The cmake install did need patches for man3 installation on Unix * The cmake install did need patches for dll installation on Windows * The cmake install did need patches for dylib installation on MacOS * The cmake install did need patches for pkgconfig generation * Bump testbuilds to modern distro versions (ubuntu 20.04 centos 7.9 / 8.3) * Takeover docker_mirror.py for air-gap testings (for testbuilds.py) * handle UNZZIP-NOTFOUND in cmake and mark Ubuntu 'unzip' to be broken * merge patches for zzip_pread feature from Max Kellermann * merge patches for some bugs being found and reported via GitHub issues * run azure-pipelines with -DZZIP_TESTCVE=OFF to skip CVE *.zip downloads * use zziptests.py --downloadonly to get the CVE zip files for local storage * switch to cmake build system - remove zziplib-0.13.62-wronglinking.patch zziplib-largefile.patch: obsolete with switch to cmake * Tue Apr 28 2020 Paolo Stivanin - Update to 0.13.71: * testbuilds fixes * fixes to bring base, sdl, manpages and site docs to same level * Tue Apr 14 2020 Josef Möllers - Update to 1.13.70: * there have been tons of bugfixes over the last two years ... * Thanks go to Patrick Steinhardt (then at Aservo) for python3 updates * Thanks go to Josef Moellers (working at SUSE Labs) for many CVE fixes * and of course all the other patches that came in via github issues. * I have cleaned up sources to only uses Python3 (as needed by 2020). * !!! The old automake/autconf/libtool system will be dumped soon!!! * The build system was ported to 'cmake' .. (last tested cmake 3.10.2) Obsoletes patches - CVE-2018-7726.patch - CVE-2018-7725.patch - CVE-2018-16548.patch - CVE-2018-17828.patch - bsc1129403-prevent-division-by-zero.patch [zziplib-0.13.70.tar.gz, CVE-2018-7726.patch, CVE-2018-7725.patch, CVE-2018-16548.patch, CVE-2018-17828.patch, bsc1129403-prevent-division-by-zero.patch] * Mon Feb 24 2020 Josef Möllers - Corrected control flow in zzip_mem_entry_make() to gain correct exit status. [bsc#1154002, bsc1154002-prevent-unnecessary-perror.patch] * Fri Dec 13 2019 Josef Möllers - Make an unconditional error message conditional by checking the return value of a function call. Also removed an unwanted debug output. [bsc#154002, bsc1154002-prevent-unnecessary-perror.patch, CVE-2018-7725.patch] * Thu Oct 17 2019 Josef Möllers - Fixed another instance where division by 0 may occur. [bsc#1129403, bsc1129403-prevent-division-by-zero.patch] * Thu Jun 13 2019 josef.moellers@suse.com - Prevent division by zero by first checking if uncompressed size is 0. This may happen with directories which have a compressed and uncompressed size of 0. [bsc#1129403, bsc1129403-prevent-division-by-zero.patch] * Thu Oct 4 2018 josef.moellers@suse.com - Remove any "../" components from pathnames of extracted files. [bsc#1110687, CVE-2018-17828, CVE-2018-17828.patch] * Fri Sep 7 2018 josef.moellers@suse.com - Avoid memory leak from __zzip_parse_root_directory(). Free allocated structure if its address is not passed back. [bsc#1107424, CVE-2018-16548, CVE-2018-16548.patch] * Mon Mar 19 2018 josef.moellers@suse.com - Check if data from End of central directory record makes sense. Especially the Offset of start of central directory must not a) be negative or b) point behind the end-of-file. - Check if compressed size in Central directory file header makes sense, i.e. the file's data does not extend beyond the end of the file. [bsc#1084517, CVE-2018-7726, CVE-2018-7726.patch, bsc#1084519, CVE-2018-7725, CVE-2018-7725.patch] * Sat Mar 17 2018 avindra@opensuse.org - Update to 0.13.69: * fix a number of CVEs reported with special *.zip PoC files * completing some doc strings while checking the new man-pages to look good * update refs to point to github instead of sf.net * man-pages are generated with new dbk2man.py - docbook xmlto is optional now * a zip-program is still required for testing, but some errors are gone when not present - run spec-cleaner - don't ship Windows only file, README.MSVC6 * Mon Feb 19 2018 adam.majer@suse.de - Drop BR: fdupes since it does nothing. * Mon Feb 19 2018 jengelh@inai.de - Fix RPM groups. Remove ineffective --with-pic. Trim redundancies from description. Do not let fdupes run across partitions. * Sun Feb 18 2018 avindra@opensuse.org - Update to 0.13.68: * fix a number of CVEs reported with special *.zip files * minor doc updates referencing GitHub instead of sf.net - drop CVE-2018-6381.patch * merged in a803559fa9194be895422ba3684cf6309b6bb598 - drop CVE-2018-6484.patch * merged in 0c0c9256b0903f664bca25dd8d924211f81e01d3 - drop CVE-2018-6540.patch * merged in 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7 - drop CVE-2018-6542.patch * merged in 938011cd60f5a8a2a16a49e5f317aca640cf4110 * Wed Feb 14 2018 josef.moellers@suse.com - Changed %%license to %%doc in SPEC file. * Mon Feb 12 2018 josef.moellers@suse.com - If the size of the central directory is too big, reject the file. Then, if loading the ZIP file fails, display an error message. [CVE-2018-6542.patch, CVE-2018-6542, bsc#1079094] * Tue Feb 6 2018 josef.moellers@suse.com - If an extension block is too small to hold an extension, do not use the information therein. - If the End of central directory record (EOCD) contains an Offset of start of central directory which is beyond the end of the file, reject the file. [CVE-2018-6540, bsc#1079096, CVE-2018-6540.patch] * Fri Feb 2 2018 josef.moellers@suse.com - Reject the ZIP file and report it as corrupt if the size of the central directory and/or the offset of start of central directory point beyond the end of the ZIP file. [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch] * Thu Feb 1 2018 josef.moellers@suse.com - If a file is uncompressed, compressed and uncompressed sizes should be identical. [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch] * Tue Jan 23 2018 tchvatal@suse.com - Drop tests as they fail completely anyway, not finding lib needing zip command, this should allow us to kill python dependency - Also drop docs subdir avoiding python dependency for it * The generated xmls were used for mans too but we shipped those only in devel pkg and as such we will live without them * Tue Jan 23 2018 tchvatal@suse.com - Version update to 0.13.67: * Various fixes found by fuzzing * Merged bellow patches - Remove merged patches: * zziplib-CVE-2017-5974.patch * zziplib-CVE-2017-5975.patch * zziplib-CVE-2017-5976.patch * zziplib-CVE-2017-5978.patch * zziplib-CVE-2017-5979.patch * zziplib-CVE-2017-5981.patch - Switch to github tarball as upstream seem no longer pull it to sourceforge - Remove no longer applying patch zziplib-unzipcat-NULL-name.patch * The sourcecode was quite changed for this to work this way anymore, lets hope this is fixed too * Wed Nov 1 2017 mpluskal@suse.com - Packaking changes: * Depend on python2 explicitly * Cleanup with spec-cleaner * Thu Mar 23 2017 josef.moellers@suse.com - Several bugs fixed: * heap-based buffer overflows (bsc#1024517, CVE-2017-5974, zziplib-CVE-2017-5974.patch) * check if "relative offset of local header" in "central directory header" really points to a local header (ZZIP_FILE_HEADER_MAGIC) (bsc#1024528, CVE-2017-5975, zziplib-CVE-2017-5975.patch) * protect against bad formatted data in extra blocks (bsc#1024531, CVE-2017-5976, zziplib-CVE-2017-5976.patch) * NULL pointer dereference in main (unzzipcat-mem.c) (bsc#1024532, bsc#1024536, CVE-2017-5975, zziplib-CVE-2017-5975.patch) * protect against huge values of "extra field length" in local file header and central file header (bsc#1024533, CVE-2017-5978, zziplib-CVE-2017-5978.patch) * clear ZZIP_ENTRY record before use. (bsc#1024534, bsc#1024535, CVE-2017-5979, CVE-2017-5977, zziplib-CVE-2017-5979.patch) * prevent unzzipcat.c from trying to print a NULL name (bsc#1024537, zziplib-unzipcat-NULL-name.patch) * Replace assert() by going to error exit. (bsc#1034539, CVE-2017-5981, zziplib-CVE-2017-5981.patch) * Sat Mar 16 2013 schwab@linux-m68k.org - zziplib-largefile.patch: Enable largefile support - Enable debug information * Sat Dec 15 2012 p.drouand@gmail.com - Update to 0.13.62 version: * configure.ac: fallback to libtool -export-dynamic unless being sure to use gnu-ld --export-dynamic. The darwin case is a bit special here as the c-compiler and linker might be from different worlds. * Makefile.am: allow nonstaic build * wrap fd.open like in the Fedora patch - Remove the package name on summary - Add dos2unix as build dependencie to fix a wrong file encoding * Sat Nov 19 2011 coolo@suse.com - add libtool as buildrequire to avoid implicit dependency * Fri Sep 16 2011 jengelh@medozas.de - Implement shlib policy/packaging for package, add baselibs.conf and resolve redundant constructs * Sat Apr 30 2011 crrodriguez@opensuse.org - Fix build with gcc 4.6 * Mon Feb 15 2010 dimstar@opensuse.org - Update to version 0.13.58: + Some bugs fixed, see ChangeLog * Mon Jul 27 2009 coolo@novell.com - update to version 0.13.56 - fixes many smaller issues (see Changelog) * Wed Jun 17 2009 coolo@novell.com - fix build with automake 1.11 * Mon Jan 26 2009 crrodriguez@suse.de - remove "la" files * Fri Oct 24 2008 wgottwalt@suse.de - removed ./msvc7/pkzip.exe and ./msvc8/zip.exe to avoid license problems * Wed Aug 15 2007 crrodriguez@suse.de - update to version 0.13.49 fixes #260734 buffer overflow due to wrong usage of strcpy() * Thu Mar 29 2007 dmueller@suse.de - adjust buildrequires * Mon Dec 4 2006 dmueller@suse.de - don't build as root * Tue Oct 3 2006 aj@suse.de - Fix build. * Fri Aug 18 2006 aj@suse.de - Fix build. * Mon May 22 2006 wgottwalt@suse.de - initial release - still problems with the "make check" build option