Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update libzip to v1.3.0 #863

Merged
merged 1 commit into from
Sep 16, 2017
Merged

Update libzip to v1.3.0 #863

merged 1 commit into from
Sep 16, 2017

Conversation

grendello
Copy link
Contributor

The new version fixes CVE-2017-12858 and CVE-2017-14107

@jonpryor
Copy link
Member

I wonder if this PR should -- can? -- update .gitmodules and change the branch for libzip from master to rel-1-3-0.

I can't easily tell if that will work as desired. I'm seeing conflicting answers in stackoverflow.

@jonpryor
Copy link
Member

The emulator hung in macOS+xbuild PR Build 1618.

I've restarted it.

@jonpryor jonpryor merged commit fa9f62a into dotnet:master Sep 16, 2017
grendello added a commit to grendello/xamarin-android that referenced this pull request Sep 18, 2017
@jonpryor jonpryor mentioned this pull request Sep 18, 2017
jonpryor added a commit that referenced this pull request Sep 18, 2017
jonpryor added a commit that referenced this pull request Sep 18, 2017
This reverts commit fa9f62a.

Commit fa9f62a [broke the master build][b630]:

[b630]: https://jenkins.mono-project.com/view/Xamarin.Android/job/xamarin-android/630/

	Linking C executable hole.exe
	CMakeFiles/hole.dir/objects.a(hole.c.obj):hole.c:(.text+0x77): undefined reference to `__imp_zip_error_init'
	...

Revert commit fa9f62a until we figure out how to properly fix it.
grendello added a commit to grendello/xamarin-android that referenced this pull request Sep 19, 2017
jonathanpeppers added a commit to jonathanpeppers/xamarin-android that referenced this pull request Sep 19, 2017
When bumping libzip in dotnet#874 or dotnet#863 libzip is no longer building under
mxe. We can switch to using the NuGet packages instead.

Also switched to using `<Content />` to link in the files, which works
better if `<ProjectReference />` is used with `libzip-windows.mdproj`.
jonathanpeppers added a commit to jonathanpeppers/xamarin-android that referenced this pull request Sep 19, 2017
When bumping libzip in dotnet#874 or dotnet#863 libzip is no longer building under
mxe. We can switch to using the NuGet packages instead.
grendello added a commit to grendello/xamarin-android that referenced this pull request May 23, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

    * 1.3.0
       * Support bzip2 compressed zip archives
       * Improve file progress callback code
       * Fix zip_fdopen()
       * CVE-2017-12858: Fix double free().
       * CVE-2017-14107: Improve EOCD64 parsing.
    * 1.3.1
       * Install zipconf.h into ${PREFIX}/include
       * Add zip_libzip_version()
       * Fix AES tests on Linux
    * 1.3.2
       * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
         failed.
    * 1.4.0
       * Improve build with cmake
       * Retire autoconf/automake build system
       * Add zip_source_buffer_fragment().
       * Add support to clone unchanged beginning of archive (instead of
         rewriting it). Supported for buffer sources and on Apple File System.
       * Add support for Microsoft Universal Windows Platform.
    * 1.5.0
       * Use standard cryptographic library instead of custom AES
         implementation. This also simplifies the license.
       * Use clang-format to format the source code.
       * More Windows improvements.
    * 1.5.1
       * Choose format of installed documentation based on available tools.
       * Fix visibility of symbols.
       * Fix zipcmp directory support.
       * Don’t set RPATH on Linux.
       * Use Libs.private for link dependencies in pkg-config file.
       * Fix build with LibreSSL.
       * Various bugfixes.
grendello added a commit to grendello/xamarin-android that referenced this pull request May 23, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

    * 1.3.0
       * Support bzip2 compressed zip archives
       * Improve file progress callback code
       * Fix zip_fdopen()
       * CVE-2017-12858: Fix double free().
       * CVE-2017-14107: Improve EOCD64 parsing.
    * 1.3.1
       * Install zipconf.h into ${PREFIX}/include
       * Add zip_libzip_version()
       * Fix AES tests on Linux
    * 1.3.2
       * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
         failed.
    * 1.4.0
       * Improve build with cmake
       * Retire autoconf/automake build system
       * Add zip_source_buffer_fragment().
       * Add support to clone unchanged beginning of archive (instead of
         rewriting it). Supported for buffer sources and on Apple File System.
       * Add support for Microsoft Universal Windows Platform.
    * 1.5.0
       * Use standard cryptographic library instead of custom AES
         implementation. This also simplifies the license.
       * Use clang-format to format the source code.
       * More Windows improvements.
    * 1.5.1
       * Choose format of installed documentation based on available tools.
       * Fix visibility of symbols.
       * Fix zipcmp directory support.
       * Don’t set RPATH on Linux.
       * Use Libs.private for link dependencies in pkg-config file.
       * Fix build with LibreSSL.
       * Various bugfixes.

Additionally, make it possible to build Windows version of libzip on Linux with
mingw (no mxe required)
grendello added a commit to grendello/xamarin-android that referenced this pull request May 23, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

    * 1.3.0
       * Support bzip2 compressed zip archives
       * Improve file progress callback code
       * Fix zip_fdopen()
       * CVE-2017-12858: Fix double free().
       * CVE-2017-14107: Improve EOCD64 parsing.
    * 1.3.1
       * Install zipconf.h into ${PREFIX}/include
       * Add zip_libzip_version()
       * Fix AES tests on Linux
    * 1.3.2
       * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
         failed.
    * 1.4.0
       * Improve build with cmake
       * Retire autoconf/automake build system
       * Add zip_source_buffer_fragment().
       * Add support to clone unchanged beginning of archive (instead of
         rewriting it). Supported for buffer sources and on Apple File System.
       * Add support for Microsoft Universal Windows Platform.
    * 1.5.0
       * Use standard cryptographic library instead of custom AES
         implementation. This also simplifies the license.
       * Use clang-format to format the source code.
       * More Windows improvements.
    * 1.5.1
       * Choose format of installed documentation based on available tools.
       * Fix visibility of symbols.
       * Fix zipcmp directory support.
       * Don’t set RPATH on Linux.
       * Use Libs.private for link dependencies in pkg-config file.
       * Fix build with LibreSSL.
       * Various bugfixes.

Additionally, make it possible to build Windows version of libzip on Linux with
mingw (no mxe required)
grendello added a commit to grendello/xamarin-android that referenced this pull request May 23, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

    * 1.3.0
       * Support bzip2 compressed zip archives
       * Improve file progress callback code
       * Fix zip_fdopen()
       * CVE-2017-12858: Fix double free().
       * CVE-2017-14107: Improve EOCD64 parsing.
    * 1.3.1
       * Install zipconf.h into ${PREFIX}/include
       * Add zip_libzip_version()
       * Fix AES tests on Linux
    * 1.3.2
       * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
         failed.
    * 1.4.0
       * Improve build with cmake
       * Retire autoconf/automake build system
       * Add zip_source_buffer_fragment().
       * Add support to clone unchanged beginning of archive (instead of
         rewriting it). Supported for buffer sources and on Apple File System.
       * Add support for Microsoft Universal Windows Platform.
    * 1.5.0
       * Use standard cryptographic library instead of custom AES
         implementation. This also simplifies the license.
       * Use clang-format to format the source code.
       * More Windows improvements.
    * 1.5.1
       * Choose format of installed documentation based on available tools.
       * Fix visibility of symbols.
       * Fix zipcmp directory support.
       * Don’t set RPATH on Linux.
       * Use Libs.private for link dependencies in pkg-config file.
       * Fix build with LibreSSL.
       * Various bugfixes.

Additionally, make it possible to build Windows version of libzip on Linux with
mingw (no mxe required)
grendello added a commit to grendello/xamarin-android that referenced this pull request May 24, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
grendello added a commit to grendello/xamarin-android that referenced this pull request May 24, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
grendello added a commit to grendello/xamarin-android that referenced this pull request May 24, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
grendello added a commit to grendello/xamarin-android that referenced this pull request May 25, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
 * export MACOSX_DEPLOYMENT_TARGET=10.11 in the top-level makefile to specify
   the minimum version of macOS we support. Without this it is possible that
   code built on 10.11 with Xcode targeting a newer version of the system will
   not work on macOS older than the version targetted by Xcode being used. For
   instance, if we build on macOS 10.11 with Xcode 8.2 (which targets macOS
   10.12) then the code which just built on 10.11 may not work on this very
   system - because it may use APIs available only starting from 10.12
grendello added a commit to grendello/xamarin-android that referenced this pull request May 26, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
 * export MACOSX_DEPLOYMENT_TARGET=10.11 in the top-level makefile to specify
   the minimum version of macOS we support. Without this it is possible that
   code built on 10.11 with Xcode targeting a newer version of the system will
   not work on macOS older than the version targetted by Xcode being used. For
   instance, if we build on macOS 10.11 with Xcode 8.2 (which targets macOS
   10.12) then the code which just built on 10.11 may not work on this very
   system - because it may use APIs available only starting from 10.12
grendello added a commit to grendello/xamarin-android that referenced this pull request May 28, 2018
…tnet#863)

Main reason is to include fixes for a couple CVEs. Changes:

 * 1.3.0
   * Support bzip2 compressed zip archives
   * Improve file progress callback code
   * Fix zip_fdopen()
   * CVE-2017-12858: Fix double free().
   * CVE-2017-14107: Improve EOCD64 parsing.
 * 1.3.1
   * Install zipconf.h into ${PREFIX}/include
   * Add zip_libzip_version()
   * Fix AES tests on Linux
 * 1.3.2
   * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
     failed.
 * 1.4.0
   * Improve build with cmake
   * Retire autoconf/automake build system
   * Add zip_source_buffer_fragment().
   * Add support to clone unchanged beginning of archive (instead of
     rewriting it). Supported for buffer sources and on Apple File System.
   * Add support for Microsoft Universal Windows Platform.
 * 1.5.0
   * Use standard cryptographic library instead of custom AES
     implementation. This also simplifies the license.
   * Use clang-format to format the source code.
   * More Windows improvements.
 * 1.5.1
   * Choose format of installed documentation based on available tools.
   * Fix visibility of symbols.
   * Fix zipcmp directory support.
   * Don’t set RPATH on Linux.
   * Use Libs.private for link dependencies in pkg-config file.
   * Fix build with LibreSSL.
   * Various bugfixes.

Additionally:

 * make it possible to build Windows version of libzip on Linux with mingw (no
   mxe required)
 * build on macOS for Windows with system/brew cmake
 * export MACOSX_DEPLOYMENT_TARGET=10.11 in the top-level makefile to specify
   the minimum version of macOS we support. Without this it is possible that
   code built on 10.11 with Xcode targeting a newer version of the system will
   not work on macOS older than the version targetted by Xcode being used. For
   instance, if we build on macOS 10.11 with Xcode 8.2 (which targets macOS
   10.12) then the code which just built on 10.11 may not work on this very
   system - because it may use APIs available only starting from 10.12
@github-actions github-actions bot locked and limited conversation to collaborators Feb 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants