Support of MacPorts zip and unzip #123

Closed
catap opened this issue Sep 20, 2021 · 4 comments · Fixed by #124

Comments

@catap
Contributor

catap commented Sep 20, 2021

If a system has zip and unzip installed from MacPorts, the tests fail.

The log:

s.xxxx..........x...s
======================================================================
FAIL: test_59750_infozipdir_CVE_2017_5975 (__main__.ZZipTest)
run info-zip dir test0.zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 1854, in test_59750_infozipdir_CVE_2017_5975
    self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
AssertionError: 'file #1:  bad zipfile offset (local header sig):  127' not found in 'error [00151-zziplib-heapoverflow-__zzip_get64]:  missing 10 bytes in zipfile\n  (attempting to process anyway)\nerror [00151-zziplib-heapoverflow-__zzip_get64]:  reported length of central directory is\n  10 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_59800_infozipdir_CVE_2017_5980 (__main__.ZZipTest)
run info-zip dir test0.zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 2098, in test_59800_infozipdir_CVE_2017_5980
    self.assertIn('file #1:  bad zipfile offset (lseek)', run.errors)
AssertionError: 'file #1:  bad zipfile offset (lseek)' not found in 'error [00154-zziplib-nullptr-zzip_mem_entry_new]:  missing 6 bytes in zipfile\n  (attempting to process anyway)\nerror [00154-zziplib-nullptr-zzip_mem_entry_new]:  reported length of central directory is\n  6 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65430 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3196, in test_65430
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [c006-unknown-add-main]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [c006-unknown-add-main]:  missing 18 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65440 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3241, in test_65440
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [c008-main-unknown-de]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [c008-main-unknown-de]:  missing 18 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65470 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3463, in test_65470
    self.assertIn("expected central file header signature not found", run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [003-unknow-def-zip]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [003-unknow-def-zip]:  missing 5123 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65480 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3592, in test_65480
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [002-mem-leaks-zip]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [002-mem-leaks-zip]:  missing 21 bytes in zipfile\n  (attempting to process anyway)\nerror [002-mem-leaks-zip]:  reported length of central directory is\n  21 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

----------------------------------------------------------------------
Ran 227 tests in 12.719s

The patch that adds the first wrong exit codes:

diff --git a/test/zziptests.py b/test/zziptests.py
index f315dc7..1c5fc39 100644
--- a/test/zziptests.py
+++ b/test/zziptests.py
@@ -1848,7 +1848,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 430)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [2])
+        returncodes = [2,12])
     self.assertLess(len(run.output), 90)
     self.assertLess(len(errors(run.errors)), 900)
     self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
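Review bot: The unchanged assertion on 'file #1:  bad zipfile offset (local header sig):  127' right after the widened `returncodes = [2,12]` still fails with the MacPorts unzip. The log for test_59750 shows stderr ending in "invalid zip file with overlapped components (possible zip bomb)" and never containing the offset message. Widening the exit status is only half the change; the expected stderr text should be chosen per exit status, or the test should accept either message.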
@@ -2092,7 +2092,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 500)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 90)
     self.assertLess(len(errors(run.errors)), 900)
     self.assertIn('file #1:  bad zipfile offset (lseek)', run.errors)
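Review bot: Accepting `[3,12]` unconditionally at the `-o` run loosens the test on every platform, not only on MacPorts: a stock unzip that starts returning 12 here would now pass the status check. Consider tying each accepted status to the message that should accompany it, so that 3 still requires 'file #1:  bad zipfile offset (lseek)' and 12 requires the message the MacPorts build prints.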
@@ -3189,7 +3189,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 200)
     self.assertLess(len(errors(run.errors)), 800)
     self.assertIn("missing 18 bytes in zipfile", run.errors)
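Review bot: The assertions visible in this hunk are fine for both unzip builds ("missing 18 bytes in zipfile" appears in the MacPorts output too), but the failure the log reports for test_65430 is at line 3196, immediately past this hunk, where 'expected central file header signature not found' is required. That line needs the same treatment as the return code, otherwise this test keeps failing after the patch.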
@@ -3232,7 +3232,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertGreater(len(run.output), 30)
     self.assertGreater(len(errors(run.errors)), 1)
     self.assertLess(len(run.output), 400)
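Review bot: The bare 12 in `returncodes = [3,12]` carries no explanation. The log shows these runs ending with "invalid zip file with overlapped components (possible zip bomb)"; a short comment saying that 12 is the status this unzip build returns for that rejection would tell the next reader why a second status is tolerated.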
@@ -3456,7 +3456,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 400)
     self.assertLess(len(errors(run.errors)), 800)
     self.assertIn("missing 5123 bytes in zipfile", run.errors)
@@ -3583,7 +3583,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertGreater(len(run.output), 20)
     self.assertGreater(len(errors(run.errors)), 1)
     self.assertLess(len(run.output), 2500)
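Review bot: This is the sixth copy of the same `[3,12]` edit. A module-level constant for the accepted statuses (or a small helper around `shell(...)` for the `{exe} -o {filename}` runs) would keep the list in one place and make it harder for one test to drift from the others if another unzip variant turns up.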
@@ -3792,7 +3792,7 @@ class ZZipTest(unittest.TestCase):
     self.assertTrue(greps(run.errors, "missing 6 bytes in zipfile"))
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.rm_testdir()
   def test_65671(self):
     """ unzzip-big -l $(CVE).zip  """
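Review bot: After the `-o` run in this hunk there is no assertion on `run.errors` at all, only `self.rm_testdir()`. With two accepted statuses the test no longer records which failure mode occurred; adding a check on the stderr text for each status would keep it meaningful.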
@gdraheim
Owner

ready for a pull request?

@catap
Contributor Author

catap commented Sep 20, 2021

@gdraheim I can convert the patch to a pull request, but it doesn't solve the issue. For example, as soon as my patch is applied, the lines:

    self.assertLess(len(run.output), 90)
    self.assertLess(len(errors(run.errors)), 900)
    self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
    #self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
    self.assertFalse(os.path.exists(tmpdir+"/test"))

should also be adjusted.

I'm not sure how to write self.assertIn(A or B, someString)
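
Added example, not part of the thread or of zziplib's test suite: one way to express "A or B is in the string" in unittest, and to tie each accepted exit status to the message that should come with it. The helper names, the pairing of status 12 with the "possible zip bomb" message, and the sample stderr strings (abridged from the log above or constructed) are assumptions of this example.

```python
import unittest

# Exit status -> stderr fragment expected with it. The status-12 pairing is an
# assumption based on the MacPorts output quoted in this issue.
CVE_2017_5975_OUTCOMES = {
    2: "file #1:  bad zipfile offset (local header sig):  127",
    12: "invalid zip file with overlapped components (possible zip bomb)",
}

# Abridged from the test_59750 log in this issue.
MACPORTS_STDERR = (
    "error [00151-zziplib-heapoverflow-__zzip_get64]:  missing 10 bytes in zipfile\n"
    "  (attempting to process anyway)\n"
    "error: invalid zip file with overlapped components (possible zip bomb)\n"
)
# Constructed sample of what the original assertion expects.
STOCK_STDERR = "file #1:  bad zipfile offset (local header sig):  127\n"


def check_outcome(returncode, stderr, outcomes):
    """Return None for an accepted (status, message) pair, else a reason string."""
    if returncode not in outcomes:
        return "unexpected exit status %d, accepted: %s" % (
            returncode, sorted(outcomes))
    if outcomes[returncode] not in stderr:
        return "exit status %d without %r in stderr" % (
            returncode, outcomes[returncode])
    return None


class OutcomeAssertions(unittest.TestCase):
    """Mix-in style assertions; a real test class would inherit from this."""

    def assertInAny(self, candidates, text):
        # Equivalent of assertIn(A or B, text): one matching candidate is enough.
        if not any(c in text for c in candidates):
            self.fail("none of %r found in %r" % (list(candidates), text))

    def assertOutcome(self, returncode, stderr, outcomes):
        # Stricter than assertInAny: the message must match the exit status.
        reason = check_outcome(returncode, stderr, outcomes)
        if reason is not None:
            self.fail(reason)
```

`assertInAny` answers the question as asked; `assertOutcome` additionally rejects a run that returns one build's status with the other build's message.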

@catap
Contributor Author

catap commented Sep 20, 2021

but... let me try something, maybe it won't be so ugly

catap added a commit to catap/zziplib that referenced this issue Sep 20, 2021
MacPorts ships a different version of `unzip` and `zip`. This small
pull request adjusts the tests to support them.

Closes gdraheim#123
@catap
Contributor Author

catap commented Sep 20, 2021

@gdraheim here it is. A bit ugly, but I haven't got any idea how to make it better.

gdraheim pushed a commit that referenced this issue Sep 21, 2021
MacPorts ships a different version of `unzip` and `zip`. This small
pull request adjusts the tests to support them.

Closes #123