Add patch to fix validation issues in cpl_zipOpenNewFileInZip3() (CVE…

…-2023-45853) (#833)

automerged PR by conda-forge/automerge-action

recipe/0001-cpl_zipOpenNewFileInZip3-validate-length-of-filename.patch

@@ -0,0 +1,36 @@
+From 725070cc38cd47d870bc1ed394b9275013aab79e Mon Sep 17 00:00:00 2001
+From: Even Rouault <[email protected]>
+Date: Fri, 3 Nov 2023 16:41:11 +0100
+Subject: [PATCH] cpl_zipOpenNewFileInZip3(): validate length of filename,
+ comment and extrafields (CVE-2023-45853)
+
+Backport of https://github.com/madler/zlib/pull/843
+---
+ port/cpl_minizip_zip.cpp | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/port/cpl_minizip_zip.cpp b/port/cpl_minizip_zip.cpp
+index 52ba371a2a..6fa4e324f0 100644
+--- a/port/cpl_minizip_zip.cpp
++++ b/port/cpl_minizip_zip.cpp
+@@ -1134,6 +1134,17 @@ extern int ZEXPORT cpl_zipOpenNewFileInZip3(
+     if (filename == nullptr)
+         filename = "-";
+
++    // The filename and comment length must fit in 16 bits.
++    if ((filename != nullptr) && (strlen(filename) > 0xffff))
++        return ZIP_PARAMERROR;
++    if ((comment != nullptr) && (strlen(comment) > 0xffff))
++        return ZIP_PARAMERROR;
++    // The extra field length must fit in 16 bits. If the member also requires
++    // a Zip64 extra block, that will also need to fit within that 16-bit
++    // length, but that will be checked for later.
++    if ((size_extrafield_local > 0xffff) || (size_extrafield_global > 0xffff))
++        return ZIP_PARAMERROR;
++
+     if (comment == nullptr)
+         size_comment = 0;
+     else
+-- 
+2.25.1
+

recipe/meta.yaml

@@ -7,9 +7,11 @@ package:
 source:
   url: http://download.osgeo.org/gdal/{{ version }}/gdal-{{ version }}.tar.xz
   sha256: e0a6f0c453ea7eb7c09967f50ac49426808fcd8f259dbc9888140eb69d7ffee6
+  patches:
+    - 0001-cpl_zipOpenNewFileInZip3-validate-length-of-filename.patch
 
 build:
-  number: 1
+  number: 2
   skip_compile_pyc:
     - share/bash-completion/completions/*.py