diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-20 12:24:29 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-22 10:37:44 +0200 |
commit | 1a9d4e34862869cd3a82d1ce5c75be04b144229a (patch) | |
tree | e7d4181a1a0ba8cc679b40d059d0f9fd9850c606 | |
parent | d510fa929a7f6ede654295930273de33fd0e9b15 (diff) | |
download | alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.bz2 alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.xz alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.zip |
main/unzip: fix various CVEs
- CVE-2014-8139
- CVE-2014-8140
- CVE-2014-8141
- CVE-2014-9636
- CVE-2014-9913
- CVE-2016-9844
- CVE-2018-1000035
fixes #9289
-rw-r--r-- | main/unzip/APKBUILD | 43 | ||||
-rw-r--r-- | main/unzip/CVE-2014-8140.patch | 26 | ||||
-rw-r--r-- | main/unzip/CVE-2014-8141.patch | 136 | ||||
-rw-r--r-- | main/unzip/CVE-2014-9636.patch | 42 | ||||
-rw-r--r-- | main/unzip/CVE-2014-9913.patch | 29 | ||||
-rw-r--r-- | main/unzip/CVE-2016-9844.patch | 28 | ||||
-rw-r--r-- | main/unzip/CVE-2018-1000035.patch | 34 | ||||
-rw-r--r-- | main/unzip/fix-CVE-2014-8139.patch | 75 |
8 files changed, 401 insertions, 12 deletions
diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD index 909e337f38..88e1929de6 100644 --- a/main/unzip/APKBUILD +++ b/main/unzip/APKBUILD | |||
@@ -2,7 +2,7 @@ | |||
2 | # Maintainer: Timo Teräs <timo.teras@iki.fi> | 2 | # Maintainer: Timo Teräs <timo.teras@iki.fi> |
3 | pkgname=unzip | 3 | pkgname=unzip |
4 | pkgver=6.0 | 4 | pkgver=6.0 |
5 | pkgrel=2 | 5 | pkgrel=3 |
6 | pkgdesc="Extract PKZIP-compatible .zip files" | 6 | pkgdesc="Extract PKZIP-compatible .zip files" |
7 | url="http://www.info-zip.org/UnZip.html" | 7 | url="http://www.info-zip.org/UnZip.html" |
8 | arch="all" | 8 | arch="all" |
@@ -11,13 +11,33 @@ depends="" | |||
11 | makedepends="" | 11 | makedepends="" |
12 | subpackages="$pkgname-doc" | 12 | subpackages="$pkgname-doc" |
13 | # normally ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip | 13 | # normally ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip |
14 | source="http://distfiles.alpinelinux.org/distfiles/${pkgname}60.zip | 14 | source="https://dev.alpinelinux.org/archive/unzip/$pkgname${pkgver/./}.tgz |
15 | 10-unzip-handle-pkware-verify.patch | 15 | 10-unzip-handle-pkware-verify.patch |
16 | 20-unzip-uidgid-fix.patch | 16 | 20-unzip-uidgid-fix.patch |
17 | unzip-6.0-heap-overflow-infloop.patch | 17 | unzip-6.0-heap-overflow-infloop.patch |
18 | CVE-2014-8140.patch | ||
19 | CVE-2014-8141.patch | ||
20 | CVE-2014-9636.patch | ||
21 | CVE-2014-9913.patch | ||
22 | CVE-2016-9844.patch | ||
23 | CVE-2018-1000035.patch | ||
24 | fix-CVE-2014-8139.patch | ||
18 | " | 25 | " |
19 | 26 | ||
20 | builddir="$srcdir"/${pkgname}60 | 27 | builddir="$srcdir"/${pkgname}60 |
28 | # secfixes: | ||
29 | # 6.0-r3: | ||
30 | # - CVE-2014-8139 | ||
31 | # - CVE-2014-8140 | ||
32 | # - CVE-2014-8141 | ||
33 | # - CVE-2014-9636 | ||
34 | # - CVE-2014-9913 | ||
35 | # - CVE-2016-9844 | ||
36 | # - CVE-2018-1000035 | ||
37 | # 6.0-r1: | ||
38 | # - CVE-2015-7696 | ||
39 | # - CVE-2015-7697 | ||
40 | |||
21 | build() { | 41 | build() { |
22 | cd "$builddir" | 42 | cd "$builddir" |
23 | make -f unix/Makefile \ | 43 | make -f unix/Makefile \ |
@@ -34,15 +54,14 @@ package() { | |||
34 | "$pkgdir"/usr/share/licenses/$pkgname/LICENSE | 54 | "$pkgdir"/usr/share/licenses/$pkgname/LICENSE |
35 | } | 55 | } |
36 | 56 | ||
37 | md5sums="85da5203f01ab0b9403efef3b9bb4010 unzip60.zip | 57 | sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip60.tgz |
38 | b860a1557b48b2c3fa52541f9260ed72 10-unzip-handle-pkware-verify.patch | ||
39 | 3de9dee957cb83615cdcb165375d00bd 20-unzip-uidgid-fix.patch | ||
40 | 4ff9673cf8337e80220e46c7eb95ac61 unzip-6.0-heap-overflow-infloop.patch" | ||
41 | sha256sums="2bc3e70d412447595ac3bed58c1c1fdae289d9a652e55fd0eaadddfe111aa9e4 unzip60.zip | ||
42 | 6829ce345b66d081cb1b8b5be37f092836fbcb71819594e45218fc03d8e80754 10-unzip-handle-pkware-verify.patch | ||
43 | 3650b53a49742d7ffb2c7d5db2ef1cdeaf3d34d21daa976dc7024ceb605a9dee 20-unzip-uidgid-fix.patch | ||
44 | 1a12fe030bb1127f54362c7023995d4b01528ef4f2d068497d390877d15aafea unzip-6.0-heap-overflow-infloop.patch" | ||
45 | sha512sums="4a455d45b2c33bc28cab74b82d13f2f1bc5f4a2c45de125345181d2e712079727e825d25e5b7765f9f9c16b7746cd5342897dc8502cb55b8a9f2329b138a1614 unzip60.zip | ||
46 | 9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch | 58 | 9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch |
47 | 57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch | 59 | 57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch |
48 | b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch" | 60 | b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch |
61 | 028a97e781fb4e277df331fd40b848bbc002f1a5ceeb40e74477cf68d2f063ac2623e24afbeddfa0456940ecc7694fdb66ecd031cbcecad63079e8427fb731c9 CVE-2014-8140.patch | ||
62 | 3dd21343d6e5ae7d19f2b2f9cf7310eac38dd7f598e1265e247559a48143c9dbffabd9fc0d7aff6d859ec9e646e85c2b7ee00a1b1a2e23bdf96192c22c58b058 CVE-2014-8141.patch | ||
63 | 281c524a9adb1c0f1cb861548d96115f55152c1d76adca34bbaabcca410c5aaf5dd53d99360d7ea8ee9d0ab9eb62031cb40c5de4b5ecfd91535ac178cd3e7098 CVE-2014-9636.patch | ||
64 | 9a62286acdbd5bf5f679d813017b93c25bdb06edaf48b2b53d3281ce3c30587158a777b07457c574d72350499f786dac6b4493092d7e08c17c07cb65ecc513b6 CVE-2014-9913.patch | ||
65 | 8c4a4313072ff0d87eadb0f5472eb48f2802b835dd282305811a96de87a41fed48be60fbdd434e6b6359418f0559f7793deaa1d68161a0c0ead9f8574bb9f14c CVE-2016-9844.patch | ||
66 | 6f757385a23fe6a034f676df6bf233243afa8743761e3d715e532d066fcd7dc8f8dcd6192be693258f3855837e5534490784378768abe7ce710fb869258d49b7 CVE-2018-1000035.patch | ||
67 | 13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550 fix-CVE-2014-8139.patch" | ||
diff --git a/main/unzip/CVE-2014-8140.patch b/main/unzip/CVE-2014-8140.patch new file mode 100644 index 0000000000..81b96b8df7 --- /dev/null +++ b/main/unzip/CVE-2014-8140.patch | |||
@@ -0,0 +1,26 @@ | |||
1 | From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969621&action=diff | ||
2 | (unzip60/ path prefix added) | ||
3 | |||
4 | --- unzip60/extract.c 2009-03-14 02:32:52.000000000 +0100 | ||
5 | +++ unzip60/extract.c 2014-12-05 22:43:13.000000000 +0100 | ||
6 | @@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si | ||
7 | if (compr_offset < 4) /* field is not compressed: */ | ||
8 | return PK_OK; /* do nothing and signal OK */ | ||
9 | |||
10 | + /* Return no/bad-data error status if any problem is found: | ||
11 | + * 1. eb_size is too small to hold the uncompressed size | ||
12 | + * (eb_ucsize). (Else extract eb_ucsize.) | ||
13 | + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. | ||
14 | + * 3. eb_ucsize is positive, but eb_size is too small to hold | ||
15 | + * the compressed data header. | ||
16 | + */ | ||
17 | if ((eb_size < (EB_UCSIZE_P + 4)) || | ||
18 | - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && | ||
19 | - eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
20 | - return IZ_EF_TRUNC; /* no compressed data! */ | ||
21 | + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || | ||
22 | + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
23 | + return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
24 | |||
25 | if ( | ||
26 | #ifdef INT_16BIT | ||
diff --git a/main/unzip/CVE-2014-8141.patch b/main/unzip/CVE-2014-8141.patch new file mode 100644 index 0000000000..11007195b1 --- /dev/null +++ b/main/unzip/CVE-2014-8141.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969625&action=diff | ||
2 | (unzip60/ path prefix added) | ||
3 | |||
4 | --- unzip60/process.c 2009-03-06 02:25:10.000000000 +0100 | ||
5 | +++ unzip60/process.c 2014-12-05 22:42:39.000000000 +0100 | ||
6 | @@ -1,5 +1,5 @@ | ||
7 | /* | ||
8 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. | ||
9 | + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. | ||
10 | |||
11 | See the accompanying file LICENSE, version 2009-Jan-02 or later | ||
12 | (the contents of which are also included in unzip.h) for terms of use. | ||
13 | @@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len) | ||
14 | and a 4-byte version of disk start number. | ||
15 | Sets both local header and central header fields. Not terribly clever, | ||
16 | but it means that this procedure is only called in one place. | ||
17 | + | ||
18 | + 2014-12-05 SMS. | ||
19 | + Added checks to ensure that enough data are available before calling | ||
20 | + makeint64() or makelong(). Replaced various sizeof() values with | ||
21 | + simple ("4" or "8") constants. (The Zip64 structures do not depend | ||
22 | + on our variable sizes.) Error handling is crude, but we should now | ||
23 | + stay within the buffer. | ||
24 | ---------------------------------------------------------------------------*/ | ||
25 | |||
26 | +#define Z64FLGS 0xffff | ||
27 | +#define Z64FLGL 0xffffffff | ||
28 | + | ||
29 | if (ef_len == 0 || ef_buf == NULL) | ||
30 | return PK_COOL; | ||
31 | |||
32 | Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", | ||
33 | ef_len)); | ||
34 | |||
35 | - while (ef_len >= EB_HEADSIZE) { | ||
36 | + while (ef_len >= EB_HEADSIZE) | ||
37 | + { | ||
38 | eb_id = makeword(EB_ID + ef_buf); | ||
39 | eb_len = makeword(EB_LEN + ef_buf); | ||
40 | |||
41 | - if (eb_len > (ef_len - EB_HEADSIZE)) { | ||
42 | - /* discovered some extra field inconsistency! */ | ||
43 | + if (eb_len > (ef_len - EB_HEADSIZE)) | ||
44 | + { | ||
45 | + /* Extra block length exceeds remaining extra field length. */ | ||
46 | Trace((stderr, | ||
47 | "getZip64Data: block length %u > rest ef_size %u\n", eb_len, | ||
48 | ef_len - EB_HEADSIZE)); | ||
49 | break; | ||
50 | } | ||
51 | - if (eb_id == EF_PKSZ64) { | ||
52 | - | ||
53 | + if (eb_id == EF_PKSZ64) | ||
54 | + { | ||
55 | int offset = EB_HEADSIZE; | ||
56 | |||
57 | - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ | ||
58 | - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); | ||
59 | - offset += sizeof(G.crec.ucsize); | ||
60 | + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) | ||
61 | + { | ||
62 | + if (offset+ 8 > ef_len) | ||
63 | + return PK_ERR; | ||
64 | + | ||
65 | + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); | ||
66 | + offset += 8; | ||
67 | } | ||
68 | - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ | ||
69 | - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); | ||
70 | - offset += sizeof(G.crec.csize); | ||
71 | + | ||
72 | + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) | ||
73 | + { | ||
74 | + if (offset+ 8 > ef_len) | ||
75 | + return PK_ERR; | ||
76 | + | ||
77 | + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); | ||
78 | + offset += 8; | ||
79 | } | ||
80 | - if (G.crec.relative_offset_local_header == 0xffffffff){ | ||
81 | + | ||
82 | + if (G.crec.relative_offset_local_header == Z64FLGL) | ||
83 | + { | ||
84 | + if (offset+ 8 > ef_len) | ||
85 | + return PK_ERR; | ||
86 | + | ||
87 | G.crec.relative_offset_local_header = makeint64(offset + ef_buf); | ||
88 | - offset += sizeof(G.crec.relative_offset_local_header); | ||
89 | + offset += 8; | ||
90 | } | ||
91 | - if (G.crec.disk_number_start == 0xffff){ | ||
92 | + | ||
93 | + if (G.crec.disk_number_start == Z64FLGS) | ||
94 | + { | ||
95 | + if (offset+ 4 > ef_len) | ||
96 | + return PK_ERR; | ||
97 | + | ||
98 | G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); | ||
99 | - offset += sizeof(G.crec.disk_number_start); | ||
100 | + offset += 4; | ||
101 | } | ||
102 | +#if 0 | ||
103 | + break; /* Expect only one EF_PKSZ64 block. */ | ||
104 | +#endif /* 0 */ | ||
105 | } | ||
106 | |||
107 | - /* Skip this extra field block */ | ||
108 | + /* Skip this extra field block. */ | ||
109 | ef_buf += (eb_len + EB_HEADSIZE); | ||
110 | ef_len -= (eb_len + EB_HEADSIZE); | ||
111 | } | ||
112 | --- unzip60/fileio.c 2009-04-20 02:03:44.000000000 +0200 | ||
113 | +++ unzip60/fileio.c 2014-12-05 22:44:16.000000000 +0100 | ||
114 | @@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr | ||
115 | #endif | ||
116 | static ZCONST char Far ExtraFieldTooLong[] = | ||
117 | "warning: extra field too long (%d). Ignoring...\n"; | ||
118 | +static ZCONST char Far ExtraFieldCorrupt[] = | ||
119 | + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; | ||
120 | |||
121 | #ifdef WINDLL | ||
122 | static ZCONST char Far DiskFullQuery[] = | ||
123 | @@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* | ||
124 | if (readbuf(__G__ (char *)G.extra_field, length) == 0) | ||
125 | return PK_EOF; | ||
126 | /* Looks like here is where extra fields are read */ | ||
127 | - getZip64Data(__G__ G.extra_field, length); | ||
128 | + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | ||
129 | + { | ||
130 | + Info(slide, 0x401, ((char *)slide, | ||
131 | + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); | ||
132 | + error = PK_WARN; | ||
133 | + } | ||
134 | #ifdef UNICODE_SUPPORT | ||
135 | G.unipath_filename = NULL; | ||
136 | if (G.UzO.U_flag < 2) { | ||
diff --git a/main/unzip/CVE-2014-9636.patch b/main/unzip/CVE-2014-9636.patch new file mode 100644 index 0000000000..d4c7f75297 --- /dev/null +++ b/main/unzip/CVE-2014-9636.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 | ||
2 | From: mancha <mancha1 AT zoho DOT com> | ||
3 | Date: Wed, 11 Feb 2015 | ||
4 | Subject: Info-ZIP UnZip buffer overflow | ||
5 | |||
6 | By carefully crafting a corrupt ZIP archive with "extra fields" that | ||
7 | purport to have compressed blocks larger than the corresponding | ||
8 | uncompressed blocks in STORED no-compression mode, an attacker can | ||
9 | trigger a heap overflow that can result in application crash or | ||
10 | possibly have other unspecified impact. | ||
11 | |||
12 | This patch ensures that when extra fields use STORED mode, the | ||
13 | "compressed" and uncompressed block sizes match. | ||
14 | |||
15 | --- | ||
16 | extract.c | 8 ++++++++ | ||
17 | 1 file changed, 8 insertions(+) | ||
18 | |||
19 | --- a/extract.c | ||
20 | +++ b/extract.c | ||
21 | @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si | ||
22 | ulg eb_ucsize; | ||
23 | uch *eb_ucptr; | ||
24 | int r; | ||
25 | + ush method; | ||
26 | |||
27 | if (compr_offset < 4) /* field is not compressed: */ | ||
28 | return PK_OK; /* do nothing and signal OK */ | ||
29 | @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si | ||
30 | eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
31 | return IZ_EF_TRUNC; /* no compressed data! */ | ||
32 | |||
33 | + method = makeword(eb + (EB_HEADSIZE + compr_offset)); | ||
34 | + if ((method == STORED) && | ||
35 | + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) | ||
36 | + return PK_ERR; /* compressed & uncompressed | ||
37 | + * should match in STORED | ||
38 | + * method */ | ||
39 | + | ||
40 | if ( | ||
41 | #ifdef INT_16BIT | ||
42 | (((ulg)(extent)eb_ucsize) != eb_ucsize) || | ||
diff --git a/main/unzip/CVE-2014-9913.patch b/main/unzip/CVE-2014-9913.patch new file mode 100644 index 0000000000..a5675f4fb7 --- /dev/null +++ b/main/unzip/CVE-2014-9913.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From: "Steven M. Schweda" <sms@antinode.info> | ||
2 | Subject: Fix CVE-2014-9913, buffer overflow in unzip | ||
3 | Bug: https://sourceforge.net/p/infozip/bugs/27/ | ||
4 | Bug-Debian: https://bugs.debian.org/847485 | ||
5 | Bug-Ubuntu: https://launchpad.net/bugs/387350 | ||
6 | X-Debian-version: 6.0-21 | ||
7 | |||
8 | --- a/list.c | ||
9 | +++ b/list.c | ||
10 | @@ -339,7 +339,18 @@ | ||
11 | G.crec.compression_method == ENHDEFLATED) { | ||
12 | methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; | ||
13 | } else if (methnum >= NUM_METHODS) { | ||
14 | - sprintf(&methbuf[4], "%03u", G.crec.compression_method); | ||
15 | + /* 2013-02-26 SMS. | ||
16 | + * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913. | ||
17 | + * Unexpectedly large compression methods overflow | ||
18 | + * &methbuf[]. Use the old, three-digit decimal format | ||
19 | + * for values which fit. Otherwise, sacrifice the | ||
20 | + * colon, and use four-digit hexadecimal. | ||
21 | + */ | ||
22 | + if (G.crec.compression_method <= 999) { | ||
23 | + sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); | ||
24 | + } else { | ||
25 | + sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); | ||
26 | + } | ||
27 | } | ||
28 | |||
29 | #if 0 /* GRR/Euro: add this? */ | ||
diff --git a/main/unzip/CVE-2016-9844.patch b/main/unzip/CVE-2016-9844.patch new file mode 100644 index 0000000000..52d07987b3 --- /dev/null +++ b/main/unzip/CVE-2016-9844.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From: "Steven M. Schweda" <sms@antinode.info> | ||
2 | Subject: Fix CVE-2016-9844, buffer overflow in zipinfo | ||
3 | Bug-Debian: https://bugs.debian.org/847486 | ||
4 | Bug-Ubuntu: https://launchpad.net/bugs/1643750 | ||
5 | X-Debian-version: 6.0-21 | ||
6 | |||
7 | --- a/zipinfo.c | ||
8 | +++ b/zipinfo.c | ||
9 | @@ -1921,7 +1921,18 @@ | ||
10 | ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); | ||
11 | methbuf[3] = dtype[dnum]; | ||
12 | } else if (methnum >= NUM_METHODS) { /* unknown */ | ||
13 | - sprintf(&methbuf[1], "%03u", G.crec.compression_method); | ||
14 | + /* 2016-12-05 SMS. | ||
15 | + * https://launchpad.net/bugs/1643750 | ||
16 | + * Unexpectedly large compression methods overflow | ||
17 | + * &methbuf[]. Use the old, three-digit decimal format | ||
18 | + * for values which fit. Otherwise, sacrifice the "u", | ||
19 | + * and use four-digit hexadecimal. | ||
20 | + */ | ||
21 | + if (G.crec.compression_method <= 999) { | ||
22 | + sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); | ||
23 | + } else { | ||
24 | + sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); | ||
25 | + } | ||
26 | } | ||
27 | |||
28 | for (k = 0; k < 15; ++k) | ||
diff --git a/main/unzip/CVE-2018-1000035.patch b/main/unzip/CVE-2018-1000035.patch new file mode 100644 index 0000000000..8ca713865c --- /dev/null +++ b/main/unzip/CVE-2018-1000035.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | --- a/fileio.c 2014-12-05 05:06:05 -0600 | ||
2 | +++ b/fileio.c 2017-11-14 01:06:28 -0600 | ||
3 | @@ -1,5 +1,5 @@ | ||
4 | /* | ||
5 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. | ||
6 | + Copyright (c) 1990-2017 Info-ZIP. All rights reserved. | ||
7 | |||
8 | See the accompanying file LICENSE, version 2009-Jan-02 or later | ||
9 | (the contents of which are also included in unzip.h) for terms of use. | ||
10 | @@ -1582,6 +1582,8 @@ | ||
11 | int r = IZ_PW_ENTERED; | ||
12 | char *m; | ||
13 | char *prompt; | ||
14 | + char *ep; | ||
15 | + char *zp; | ||
16 | |||
17 | #ifndef REENTRANT | ||
18 | /* tell picky compilers to shut up about "unused variable" warnings */ | ||
19 | @@ -1590,9 +1592,12 @@ | ||
20 | |||
21 | if (*rcnt == 0) { /* First call for current entry */ | ||
22 | *rcnt = 2; | ||
23 | - if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) { | ||
24 | - sprintf(prompt, LoadFarString(PasswPrompt), | ||
25 | - FnFilter1(zfn), FnFilter2(efn)); | ||
26 | + zp = FnFilter1( zfn); | ||
27 | + ep = FnFilter2( efn); | ||
28 | + prompt = (char *)malloc( /* Slightly too long (2* "%s"). */ | ||
29 | + sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep)); | ||
30 | + if (prompt != (char *)NULL) { | ||
31 | + sprintf(prompt, LoadFarString(PasswPrompt), zp, ep); | ||
32 | m = prompt; | ||
33 | } else | ||
34 | m = (char *)LoadFarString(PasswPrompt2); | ||
diff --git a/main/unzip/fix-CVE-2014-8139.patch b/main/unzip/fix-CVE-2014-8139.patch new file mode 100644 index 0000000000..2465af0328 --- /dev/null +++ b/main/unzip/fix-CVE-2014-8139.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | --- a/extract.c | ||
2 | +++ b/extract.c | ||
3 | @@ -1,5 +1,5 @@ | ||
4 | /* | ||
5 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. | ||
6 | + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. | ||
7 | |||
8 | See the accompanying file LICENSE, version 2009-Jan-02 or later | ||
9 | (the contents of which are also included in unzip.h) for terms of use. | ||
10 | @@ -298,6 +298,8 @@ | ||
11 | #ifndef SFX | ||
12 | static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ | ||
13 | EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; | ||
14 | + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ | ||
15 | + EF block length (%u bytes) invalid (< %d)\n"; | ||
16 | static ZCONST char Far InvalidComprDataEAs[] = | ||
17 | " invalid compressed data for EAs\n"; | ||
18 | # if (defined(WIN32) && defined(NTSD_EAS)) | ||
19 | @@ -2032,7 +2034,8 @@ | ||
20 | ebID = makeword(ef); | ||
21 | ebLen = (unsigned)makeword(ef+EB_LEN); | ||
22 | |||
23 | - if (ebLen > (ef_len - EB_HEADSIZE)) { | ||
24 | + if (ebLen > (ef_len - EB_HEADSIZE)) | ||
25 | + { | ||
26 | /* Discovered some extra field inconsistency! */ | ||
27 | if (uO.qflag) | ||
28 | Info(slide, 1, ((char *)slide, "%-22s ", | ||
29 | @@ -2167,11 +2170,29 @@ | ||
30 | } | ||
31 | break; | ||
32 | case EF_PKVMS: | ||
33 | - if (makelong(ef+EB_HEADSIZE) != | ||
34 | - crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), | ||
35 | - (extent)(ebLen-4))) | ||
36 | - Info(slide, 1, ((char *)slide, | ||
37 | - LoadFarString(BadCRC_EAs))); | ||
38 | + /* 2015-01-30 SMS. Added sufficient-bytes test/message | ||
39 | + * here. (Removed defective ebLen test above.) | ||
40 | + * | ||
41 | + * If sufficient bytes (EB_PKVMS_MINLEN) are available, | ||
42 | + * then compare the stored CRC value with the calculated | ||
43 | + * CRC for the remainder of the data (and complain about | ||
44 | + * a mismatch). | ||
45 | + */ | ||
46 | + if (ebLen < EB_PKVMS_MINLEN) | ||
47 | + { | ||
48 | + /* Insufficient bytes available. */ | ||
49 | + Info( slide, 1, | ||
50 | + ((char *)slide, LoadFarString( TooSmallEBlength), | ||
51 | + ebLen, EB_PKVMS_MINLEN)); | ||
52 | + } | ||
53 | + else if (makelong(ef+ EB_HEADSIZE) != | ||
54 | + crc32(CRCVAL_INITIAL, | ||
55 | + (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN), | ||
56 | + (extent)(ebLen- EB_PKVMS_MINLEN))) | ||
57 | + { | ||
58 | + Info(slide, 1, ((char *)slide, | ||
59 | + LoadFarString(BadCRC_EAs))); | ||
60 | + } | ||
61 | break; | ||
62 | case EF_PKW32: | ||
63 | case EF_PKUNIX: | ||
64 | --- a/unzpriv.h | ||
65 | +++ b/unzpriv.h | ||
66 | @@ -1806,6 +1806,8 @@ | ||
67 | #define EB_NTSD_VERSION 4 /* offset of NTSD version byte */ | ||
68 | #define EB_NTSD_MAX_VER (0) /* maximum version # we know how to handle */ | ||
69 | |||
70 | +#define EB_PKVMS_MINLEN 4 /* minimum data length of PKVMS extra block */ | ||
71 | + | ||
72 | #define EB_ASI_CRC32 0 /* offset of ASI Unix field's crc32 checksum */ | ||
73 | #define EB_ASI_MODE 4 /* offset of ASI Unix permission mode field */ | ||
74 | |||
75 | |||