From 91c29ce66d493b1b2f28073f8a714a81eab3094c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 26 2018 17:06:06 +0000
Subject: import gcab-0.7-4.el7_4
---
diff --git a/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch b/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch
new file mode 100644
index 0000000..a98a34d
--- /dev/null
+++ b/SOURCES/0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch
@@ -0,0 +1,47 @@
+diff --git a/libgcab/cabinet.c b/libgcab/cabinet.c
+index a675d1b..9847f1c 100644
+--- a/libgcab/cabinet.c
++++ b/libgcab/cabinet.c
+@@ -460,18 +460,38 @@ cdata_read (cdata_t *cd, u1 res_data, gint comptype,
+ gboolean success = FALSE;
+ int ret, zret = Z_OK;
+ gint compression = comptype & GCAB_COMPRESSION_MASK;
+- guint8 *buf = compression == GCAB_COMPRESSION_NONE ? cd->out : cd->in;
++ gsize buf_sz;
++ guint8 *buf = NULL;
+ CHECKSUM datacsum;
+
+- if (compression > GCAB_COMPRESSION_MSZIP &&
+- compression != GCAB_COMPRESSION_LZX) {
++ /* decompress directly into ->out for no decompression */
++ switch (compression) {
++ case GCAB_COMPRESSION_NONE:
++ buf = cd->out;
++ buf_sz = sizeof(cd->out);
++ break;
++ case GCAB_COMPRESSION_MSZIP:
++ case GCAB_COMPRESSION_LZX:
++ buf = cd->in;
++ buf_sz = sizeof(cd->in);
++ break;
++ default:
+ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
+ _("unsupported compression method %d"), compression);
+- return FALSE;
++ break;
+ }
++ if (buf == NULL)
++ return FALSE;
+
+ R4 (cd->checksum);
+ R2 (cd->ncbytes);
++ if (cd->ncbytes > buf_sz) {
++ g_set_error (error, GCAB_ERROR, GCAB_ERROR_FAILED,
++ "tried to decompress %" G_GUINT16_FORMAT " bytes "
++ "into buffer of size %" G_GSIZE_FORMAT,
++ cd->ncbytes, buf_sz);
++ return FALSE;
++ }
+ R2 (cd->nubytes);
+ cd->reserved = g_malloc (res_data);
+ RN (cd->reserved, res_data);
diff --git a/SPECS/gcab.spec b/SPECS/gcab.spec
index 2d2fd6a..1386690 100644
--- a/SPECS/gcab.spec
+++ b/SPECS/gcab.spec
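Review bot: The new bound in the embedded cabinet.c hunk covers only `cd->ncbytes`; `cd->nubytes` is read on the very next context line (`R2 (cd->nubytes);`) and nothing in the visible lines compares it with the output buffer. cdata_read continues past the end of the hunk, so the decompression path may already limit its output, but if it does not, a block header declaring an uncompressed size larger than `cd->out` would still be accepted here. A matching guard right after that read, `if (cd->nubytes > sizeof(cd->out))` followed by the same `g_set_error` / `return FALSE` pattern, would reject such input at the same point as the input-side check. As a smaller point, the new message is not wrapped in `_()` like the "unsupported compression method" string above it, and it says "decompress" even when the GCAB_COMPRESSION_NONE branch was taken.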
@@ -1,6 +1,6 @@ Name: gcab Version: 0.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Cabinet file library and tool License: LGPLv2+ @@ -13,6 +13,7 @@ Patch1: 0001-Fix-a-few-Dereference-of-null-pointer-warnings.patch Patch2: 0002-Always-check-the-return-value-when-writing-to-the-st.patch Patch3: 0003-Fix-a-theoretical-crash-when-building-the-table-entr.patch Patch4: 0004-Fix-buffer-overrun-when-generating-Huffman-codes.patch +Patch5: 0001-Do-not-crash-when-ncbytes-is-larger-than-the-buffer-.patch BuildRequires: intltool BuildRequires: vala-tools @@ -48,6 +49,7 @@ Libraries, includes, etc. to compile with the gcab library. %patch2 -p1 -b .coverity2 %patch3 -p1 -b .coverity3 %patch4 -p1 -b .coverity4 +%patch5 -p1 -b .cve20185345 %build %configure --disable-silent-rules --disable-static @@ -84,6 +86,10 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/pkgconfig/libgcab-1.0.pc %changelog +* Wed Feb 14 2018 Richard Hughes - 0.7-4 +- Fixes the security issue known as CVE-2018-5345 +- Resolves: #1533174 + * Mon Mar 06 2017 Richard Hughes - 0.7-3 - Fix some more bugs spotted by coverity and RPMDiff. - Resolves: #1388476