gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

Support of MacPorts zip and unzip #123

Closed catap closed 2 years ago

catap commented 2 years ago

If a system has zip and unzip installed from MacPorts, the tests fail.

The log:

s.xxxx..........x...s
======================================================================
FAIL: test_59750_infozipdir_CVE_2017_5975 (__main__.ZZipTest)
run info-zip dir test0.zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 1854, in test_59750_infozipdir_CVE_2017_5975
    self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
AssertionError: 'file #1:  bad zipfile offset (local header sig):  127' not found in 'error [00151-zziplib-heapoverflow-__zzip_get64]:  missing 10 bytes in zipfile\n  (attempting to process anyway)\nerror [00151-zziplib-heapoverflow-__zzip_get64]:  reported length of central directory is\n  10 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_59800_infozipdir_CVE_2017_5980 (__main__.ZZipTest)
run info-zip dir test0.zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 2098, in test_59800_infozipdir_CVE_2017_5980
    self.assertIn('file #1:  bad zipfile offset (lseek)', run.errors)
AssertionError: 'file #1:  bad zipfile offset (lseek)' not found in 'error [00154-zziplib-nullptr-zzip_mem_entry_new]:  missing 6 bytes in zipfile\n  (attempting to process anyway)\nerror [00154-zziplib-nullptr-zzip_mem_entry_new]:  reported length of central directory is\n  6 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65430 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3196, in test_65430
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [c006-unknown-add-main]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [c006-unknown-add-main]:  missing 18 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65440 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3241, in test_65440
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [c008-main-unknown-de]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [c008-main-unknown-de]:  missing 18 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65470 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3463, in test_65470
    self.assertIn("expected central file header signature not found", run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [003-unknow-def-zip]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [003-unknow-def-zip]:  missing 5123 bytes in zipfile\n  (attempting to process anyway)\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

======================================================================
FAIL: test_65480 (__main__.ZZipTest)
info unzip -l $(CVE).zip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/local/var/macports/build/_Users_catap_src_macports-ports_archivers_libzzip/libzzip/work/zziplib-0.13.72/test/zziptests.py", line 3592, in test_65480
    self.assertIn('expected central file header signature not found', run.errors)
AssertionError: 'expected central file header signature not found' not found in '\ncaution:  zipfile comment truncated\nwarning [002-mem-leaks-zip]:  zipfile claims to be last disk of a multi-part archive;\n  attempting to process anyway, assuming all parts have been concatenated\n  together in order.  Expect "errors" and warnings...true multi-part support\n  doesn\'t exist yet (coming soon).\nerror [002-mem-leaks-zip]:  missing 21 bytes in zipfile\n  (attempting to process anyway)\nerror [002-mem-leaks-zip]:  reported length of central directory is\n  21 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1\n  zipfile?).  Compensating...\nerror: invalid zip file with overlapped components (possible zip bomb)\n'

----------------------------------------------------------------------
Ran 227 tests in 12.719s

The patch that adds the first wrong exit codes:

diff --git a/test/zziptests.py b/test/zziptests.py
index f315dc7..1c5fc39 100644
--- a/test/zziptests.py
+++ b/test/zziptests.py
@@ -1848,7 +1848,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 430)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [2])
+        returncodes = [2,12])
     self.assertLess(len(run.output), 90)
     self.assertLess(len(errors(run.errors)), 900)
     self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
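Review bot: the `assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)` left in the trailing context still fails when unzip produces the output that goes with the newly accepted 12. The log above shows test_59750 failing on exactly this line, with stderr ending in "invalid zip file with overlapped components (possible zip bomb)" instead. Widening `returncodes` alone does not make the test pass; choose the expected message according to the exit status that shell() saw, so that each status is tied to its own message.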
@@ -2092,7 +2092,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 500)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 90)
     self.assertLess(len(errors(run.errors)), 900)
     self.assertIn('file #1:  bad zipfile offset (lseek)', run.errors)
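Review bot: `returncodes = [3,12]` accepts 12 on every system, including those where unzip previously had to return 3, so a change in the behaviour of the stock unzip would no longer be noticed by this test. Consider keeping the strict list by default and allowing 12 only when the installed unzip is known to report the "possible zip bomb" error. The `(lseek)` assertion at the end of the hunk needs the same distinction, as the test_59800 failure in the log shows.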
@@ -3189,7 +3189,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 200)
     self.assertLess(len(errors(run.errors)), 800)
     self.assertIn("missing 18 bytes in zipfile", run.errors)
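Review bot: the assertion that fails for this test lies just outside the hunk and is left untouched. The traceback for test_65430 points at line 3196, `self.assertIn('expected central file header signature not found', run.errors)`, which comes directly after the context shown here (3189 to 3195), while the visible "missing 18 bytes in zipfile" check does match the MacPorts output quoted in the log. The change has to extend to that following line for the test to pass.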
@@ -3232,7 +3232,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertGreater(len(run.output), 30)
     self.assertGreater(len(errors(run.errors)), 1)
     self.assertLess(len(run.output), 400)
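Review bot: nothing in the change documents what exit status 12 stands for; at `returncodes = [3,12]` here and in the other six hunks it is a bare literal. A short comment, or a named constant shared by all seven call sites, stating which unzip build returns 12 and for what condition would save the next reader from rediscovering it.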
@@ -3456,7 +3456,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertLess(len(run.output), 400)
     self.assertLess(len(errors(run.errors)), 800)
     self.assertIn("missing 5123 bytes in zipfile", run.errors)
@@ -3583,7 +3583,7 @@ class ZZipTest(unittest.TestCase):
     self.assertLess(len(errors(run.errors)), 800)
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.assertGreater(len(run.output), 20)
     self.assertGreater(len(errors(run.errors)), 1)
     self.assertLess(len(run.output), 2500)
@@ -3792,7 +3792,7 @@ class ZZipTest(unittest.TestCase):
     self.assertTrue(greps(run.errors, "missing 6 bytes in zipfile"))
     #
     run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
-        returncodes = [3])
+        returncodes = [3,12])
     self.rm_testdir()
   def test_65671(self):
     """ unzzip-big -l $(CVE).zip  """

gdraheim commented 2 years ago

ready for a pull request?

catap commented 2 years ago

@gdraheim I can convert the patch to a pull request, but it doesn't solve the issue. For example, as soon as my patch is applied, the lines:

    self.assertLess(len(run.output), 90)
    self.assertLess(len(errors(run.errors)), 900)
    self.assertIn('file #1:  bad zipfile offset (local header sig):  127', run.errors)
    #self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
    self.assertFalse(os.path.exists(tmpdir+"/test"))

should also be adjusted.

I'm not sure how to write self.assertIn(A or B, someString)
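
One way to express the "A or B" check asked about above, as an added example (not code from zziplib's test suite): `assertIn(A or B, text)` only ever searches for A, so the helpers below either accept any of several messages or, more strictly, require the message that belongs to the exit status. The helper names, the shortened stderr samples and the pairing of status 12 with the zip-bomb message are assumptions made for illustration.

```python
import unittest

# Constructed stderr samples, shortened from the log quoted in this issue.
STOCK_ERR = "file #1:  bad zipfile offset (local header sig):  127\n"
MACPORTS_ERR = ("error [00151-zziplib-heapoverflow-__zzip_get64]:  missing 10 bytes in zipfile\n"
                "error: invalid zip file with overlapped components (possible zip bomb)\n")

# Assumption: exit status 12 is the one that accompanies the "possible zip bomb"
# message; the page shows the patch adding 12 and the log showing that message.
EXPECTED_59750 = {
    2: "file #1:  bad zipfile offset (local header sig):  127",
    12: "invalid zip file with overlapped components (possible zip bomb)",
}

def naive_needle(a, b):
    """What assertIn(a or b, text) searches for: `a or b` is just `a` when a is non-empty."""
    return a or b

def contains_any(needles, text):
    return any(n in text for n in needles)

class ExitAwareAsserts(unittest.TestCase):
    def assertInAny(self, needles, text):
        if not contains_any(needles, text):
            self.fail("none of %r found in %r" % (list(needles), text))

    def assertErrorsForExit(self, returncode, errors, expected):
        # Stricter than "A or B": the message must be the one for this status.
        self.assertIn(returncode, expected, "unexpected exit status")
        self.assertIn(expected[returncode], errors)

class Demo(ExitAwareAsserts):
    def test_stock(self):
        self.assertErrorsForExit(2, STOCK_ERR, EXPECTED_59750)
    def test_macports(self):
        self.assertErrorsForExit(12, MACPORTS_ERR, EXPECTED_59750)
    def test_any_of(self):
        self.assertInAny(EXPECTED_59750.values(), MACPORTS_ERR)
    def test_mismatch_is_caught(self):
        with self.assertRaises(AssertionError):
            self.assertErrorsForExit(2, MACPORTS_ERR, EXPECTED_59750)

def run_demo():
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(Demo)
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)

if __name__ == "__main__":
    print(run_demo())
```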

catap commented 2 years ago

but... let me try something, maybe it won't be so ugly

catap commented 2 years ago

@gdraheim here it is. A bit ugly, but I haven't got any idea how to make it better.