!36 CVE-2021-38291

From: @pang-qing Reviewed-by: @ut-layne-yang Signed-off-by: @ut-layne-yang
CVE-2021-38291
2024-09-09 09:20:34 +00:00 · 2024-09-06 18:02:43 +08:00 · 2023-08-23 03:02:15 +00:00 · 2023-08-16 10:50:46 +08:00 · 2023-04-10 03:11:36 +00:00 · 2023-04-06 10:35:50 +08:00
4 changed files with 72 additions and 7 deletions
--- a/backport-CVE-2021-38291.patch
+++ b/backport-CVE-2021-38291.patch
@ -0,0 +1,28 @@
+From 39b180455ffcb100c4b3269bac9bf119063fd38c Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Fri, 6 Sep 2024 16:32:43 +0800
+Subject: [PATCH] CVE-2021-38291
+
+---
+ 3rdparty/libzipplugin/libzipplugin.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/3rdparty/libzipplugin/libzipplugin.cpp b/3rdparty/libzipplugin/libzipplugin.cpp
+index 280378f..b9cab7f 100644
+--- a/3rdparty/libzipplugin/libzipplugin.cpp
+++ b/3rdparty/libzipplugin/libzipplugin.cpp
+@@ -741,6 +741,11 @@ ErrorType LibzipPlugin::extractEntry(zip_t *archive, zip_int64_t index, const Ex
+     }
+ 
+     strFileName = m_common->trans2uft8(statBuffer.name, m_mapFileCode[index]);    // 解压文件名（压缩包中）
+    //fix 232873
+    if(strFileName.indexOf("../") != -1) {
+        qInfo() << "skipped ../ path component(s) in " << strFileName;
+        strFileName = strFileName.replace("../", "");
+    }
+     QString strOriginName = strFileName;
+ 
+     // 针对文件夹名称过长的情况，直接提示解压失败，文件夹名称过长
+-- 
+2.39.3
+
--- a/deepin-compressor-5.10.5.tar.gz
+++ b/deepin-compressor-5.10.5.tar.gz
--- a/deepin-compressor-5.12.13.tar.gz
+++ b/deepin-compressor-5.12.13.tar.gz
--- a/deepin-compressor.spec
+++ b/deepin-compressor.spec
@ -1,15 +1,13 @@
-%define specrelease 1%{?dist}
-%if 0%{?openeuler}
-%define specrelease 1
-%endif
+%define specrelease 2

 Name:           deepin-compressor
-Version:        5.10.5
+Version:        5.12.13
 Release:        %{specrelease}
 Summary:        A fast and lightweight application for creating and extracting archives
 License:        GPLv3+
 URL:            https://github.com/linuxdeepin/deepin-devicemanager
 Source0:        %{name}-%{version}.tar.gz
+Patch0001:      backport-CVE-2021-38291.patch

 BuildRequires: gcc-c++
 BuildRequires: cmake
@ -30,18 +28,19 @@ BuildRequires: libarchive-devel
 BuildRequires: minizip-devel
 BuildRequires: poppler-cpp-devel
 BuildRequires: gtest-devel gmock
+BuildRequires: chrpath

 Requires: p7zip
 Requires: lz4-libs
-Requires: unrar
 Requires: deepin-shortcut-viewer
 Requires: lzop
+Recommends: unrar p7zip-plugins

 %description
 %{summary}.

 %prep
-%autosetup
+%autosetup -p1

 %build
 export PATH=%{_qt5_bindir}:$PATH
@ -56,6 +55,21 @@ popd
 %install
 %make_install -C build INSTALL_ROOT="%buildroot"

+# remove rpath info
+for file in $(find %{buildroot}/ -executable -type f -exec file {} ';' | grep "\<ELF\>" | awk -F ':' '{print $1}')
+do
+    if [ ! -u "$file" ]; then
+        if [ -w $file ]; then
+            chrpath -d $file
+        fi
+    fi
+done
+
+# add rpath path in ld.so.conf.d
+mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
+echo "%{_bindir}/%{name}" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+echo "%{_libdir}/%{name}/plugins/" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+
 %files
 %doc README.md
 %license LICENSE
@ -68,8 +82,30 @@ popd
 %{_datadir}/mime/packages/%{name}.xml
 %{_datadir}/deepin-manual/manual-assets/application/deepin-compressor/archive-manager/*
 %{_datadir}/applications/context-menus/*.conf
+%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+
+%post
+/sbin/ldconfig
+
+%postun
+/sbin/ldconfig

 %changelog
+* Fri Sep 06 2024 pangqing <pangqing@uniontech.com> - 5.12.13-2
+- CVE-2021-38291 
+
+* Fri Jul 28 2023 leeffo <liweiganga@uniontech.com> - 5.12.13-1
+- upgrade to version 5.12.13
+
+* Thu Mar 30 2023 liweiganga <liweiganga@uniontech.com> - 5.10.11-1
+- update: update to 5.10.11
+
+* Tue Mar 14 2023 liweigang <liweiganga@uniontech.com> - 5.10.5-3
+- feat: remove rpath
+
+* Fri Aug 05 2022 liweigang <liweiganga@uniontech.com> - 5.10.5-2
+- fix nothing install requires
+
 * Mon Jul 18 2022 konglidong <konglidong@uniontech.com> - 5.10.5-1
 - update to 5.10.5

@ -87,3 +123,4 @@ popd

 * Thu Jul 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 5.6.9-1
 - Package init
+
Author	SHA1	Message	Date
openeuler-ci-bot	41b046f739	!36 CVE-2021-38291 From: @pang-qing Reviewed-by: @ut-layne-yang Signed-off-by: @ut-layne-yang	2024-09-09 09:20:34 +00:00
pangqing	f106c746e9	CVE-2021-38291 Signed-off-by: pangqing <pangqing@uniontech.com>	2024-09-06 18:02:43 +08:00
openeuler-ci-bot	0aefb46b31	!25 [sync] PR-24: upgrade to version 5.12.13 From: @openeuler-sync-bot Reviewed-by: @leeffo Signed-off-by: @leeffo	2023-08-23 03:02:15 +00:00
leeffo	6cbddb86f5	upgrade to version 5.12.13 (cherry picked from commit e6564e404a2362052adc0303fcc006242ecefc57)	2023-08-16 10:50:46 +08:00
openeuler-ci-bot	ac07c25d2f	!22 update to 5.10.11 From: @leeffo Reviewed-by: @HelloWorld_lvcongqing Signed-off-by: @HelloWorld_lvcongqing	2023-04-10 03:11:36 +00:00
liweiganga	338839c646	update: update to 5.10.11	2023-04-06 10:35:50 +08:00
openeuler-ci-bot	f64911302c	!18 enable debuginfo for fix strip From: @leeffo Reviewed-by: @HelloWorld_lvcongqing Signed-off-by: @HelloWorld_lvcongqing	2023-03-14 06:11:18 +00:00
liweiganga	53b0040877	feat: remove rapth	2023-03-14 13:59:39 +08:00
openeuler-ci-bot	525c3be0c8	!16 [sync] PR-15: fix nothing install requires From: @openeuler-sync-bot Reviewed-by: @panchenbo Signed-off-by: @panchenbo	2022-08-05 05:30:58 +00:00
loong_C	db8835b867	fix nothing install requires (cherry picked from commit 90aeb40bed8cf871dd189b9e87fff34cb853a89e)	2022-08-05 13:17:14 +08:00