Add patches to unzip to fix CVEs
parent
dc0f454eec
commit
cefd5b1b69
|
@ -0,0 +1,18 @@
|
|||
diff --git a/unzip.c b/unzip.c
|
||||
index 8dbfc95..954b204 100644
|
||||
--- a/unzip.c
|
||||
+++ b/unzip.c
|
||||
@@ -570,8 +570,11 @@ Send bug reports using //www.info-zip.org/zip-bug.html; see README for details.\
|
||||
#else /* !VMS */
|
||||
# ifdef COPYRIGHT_CLEAN
|
||||
static ZCONST char Far UnzipUsageLine1[] = "\
|
||||
-UnZip %d.%d%d%s of %s, by Info-ZIP. Maintained by C. Spieler. Send\n\
|
||||
-bug reports using http://www.info-zip.org/zip-bug.html; see README for details.\
|
||||
+UnZip %d.%d%d%s of %s, by GitLab Inc. The original UnZip sources are available\n\
|
||||
+from Info-ZIP's home site at http://www.info-zip.org/pub/infozip/UnZip.html.\n\
|
||||
+Our patches are available from\n\
|
||||
+https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/config/patches/unzip.\n\
|
||||
+Send any bug reports on this port to support@gitlab.com.\
|
||||
\n\n";
|
||||
# else
|
||||
static ZCONST char Far UnzipUsageLine1[] = "\
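Review bot: Only the `COPYRIGHT_CLEAN` variant of `UnzipUsageLine1` receives the new attribution and bug-report address; the `# else` variant that begins on the last context line is unchanged. If a build can ever be compiled without `COPYRIGHT_CLEAN`, its banner would still present the binary as stock Info-ZIP and direct reports upstream even though it carries these patches. The second string lies outside this hunk, so confirm which variant the `generic` target compiles and, if in doubt, apply the same text there.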
|
|
@ -0,0 +1,40 @@
|
|||
From: mancha <mancha1 AT zoho DOT com>
|
||||
Date: Wed, 11 Feb 2015
|
||||
Subject: Info-ZIP UnZip buffer overflow
|
||||
Bug-Debian: https://bugs.debian.org/776589
|
||||
|
||||
By carefully crafting a corrupt ZIP archive with "extra fields" that
|
||||
purport to have compressed blocks larger than the corresponding
|
||||
uncompressed blocks in STORED no-compression mode, an attacker can
|
||||
trigger a heap overflow that can result in application crash or
|
||||
possibly have other unspecified impact.
|
||||
|
||||
This patch ensures that when extra fields use STORED mode, the
|
||||
"compressed" and uncompressed block sizes match.
|
||||
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -2228,6 +2228,7 @@
|
||||
ulg eb_ucsize;
|
||||
uch *eb_ucptr;
|
||||
int r;
|
||||
+ ush eb_compr_method;
|
||||
|
||||
if (compr_offset < 4) /* field is not compressed: */
|
||||
return PK_OK; /* do nothing and signal OK */
|
||||
@@ -2244,6 +2245,15 @@
|
||||
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
|
||||
return IZ_EF_TRUNC; /* no/bad compressed data! */
|
||||
|
||||
+ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
|
||||
+ * For STORE method, compressed and uncompressed sizes must agree.
|
||||
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
|
||||
+ */
|
||||
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
|
||||
+ if ((eb_compr_method == STORED) &&
|
||||
+ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
|
||||
+ return PK_ERR;
|
||||
+
|
||||
if (
|
||||
#ifdef INT_16BIT
|
||||
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
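Review bot: The new `makeword( eb + (EB_HEADSIZE + compr_offset))` read in the second hunk is not shown to stay inside the extra field. The visible part of the preceding condition rejects a short field only when `eb_ucsize > 0`, so with a zero uncompressed size `eb_size` could be smaller than `compr_offset + 2` when the method word is fetched. The first clause of that `if` is outside the hunk and may already cover this case. If it does not, a guard such as `if (eb_size < compr_offset + EB_CMPRHEADLEN) return IZ_EF_TRUNC;` placed before the read would close the gap.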
|
|
@ -0,0 +1,33 @@
|
|||
From: Petr Stodulka <pstodulk@redhat.com>
|
||||
Date: Mon, 14 Sep 2015 18:23:17 +0200
|
||||
Subject: Upstream fix for heap overflow
|
||||
Bug-Debian: https://bugs.debian.org/802162
|
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
|
||||
Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
|
||||
Forwarded: yes
|
||||
|
||||
---
|
||||
crypt.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/crypt.c
|
||||
+++ b/crypt.c
|
||||
@@ -465,7 +465,17 @@
|
||||
GLOBAL(pInfo->encrypted) = FALSE;
|
||||
defer_leftover_input(__G);
|
||||
for (n = 0; n < RAND_HEAD_LEN; n++) {
|
||||
- b = NEXTBYTE;
|
||||
+ /* 2012-11-23 SMS. (OUSPG report.)
|
||||
+ * Quit early if compressed size < HEAD_LEN. The resulting
|
||||
+ * error message ("unable to get password") could be improved,
|
||||
+ * but it's better than trying to read nonexistent data, and
|
||||
+ * then continuing with a negative G.csize. (See
|
||||
+ * fileio.c:readbyte()).
|
||||
+ */
|
||||
+ if ((b = NEXTBYTE) == (ush)EOF)
|
||||
+ {
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
h[n] = (uch)b;
|
||||
Trace((stdout, " (%02x)", h[n]));
|
||||
}
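Review bot: The end-of-input test `(b = NEXTBYTE) == (ush)EOF` is only correct if `b` is the 16-bit unsigned `ush`, and its declaration is outside the hunk. If `b` were an `int`, the stored -1 would never compare equal to 65535 and the loop would again read past the available data. I would record that dependency in the added comment, for example `* b must be ush: EOF is stored as 0xFFFF and compared against (ush)EOF.`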
|
|
@ -0,0 +1,26 @@
|
|||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Mon, 14 Sep 2015 18:24:56 +0200
|
||||
Subject: fix infinite loop when extracting empty bzip2 data
|
||||
Bug-Debian: https://bugs.debian.org/802160
|
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
|
||||
Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
|
||||
|
||||
---
|
||||
extract.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -2729,6 +2729,12 @@
|
||||
int repeated_buf_err;
|
||||
bz_stream bstrm;
|
||||
|
||||
+ if (G.incnt <= 0 && G.csize <= 0L) {
|
||||
+ /* avoid an infinite loop */
|
||||
+ Trace((stderr, "UZbunzip2() got empty input\n"));
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
|
||||
if (G.redirect_slide)
|
||||
wsize = G.redirect_size, redirSlide = G.redirect_buffer;
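Review bot: `return 2;` in the new empty-input guard is a bare number, and the only diagnostic is a `Trace` call, which presumably produces output only in debug builds. Whether the user sees an error for such an archive therefore depends on how the caller treats the value 2, which is outside the hunk. A comment naming the meaning would help, for example `return 2;   /* caller reports this as bad compressed data (confirm) */`. The function body continues beyond the hunk.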
|
|
@ -0,0 +1,29 @@
|
|||
From: "Steven M. Schweda" <sms@antinode.info>
|
||||
Subject: Fix CVE-2014-9913, buffer overflow in unzip
|
||||
Bug: https://sourceforge.net/p/infozip/bugs/27/
|
||||
Bug-Debian: https://bugs.debian.org/847485
|
||||
Bug-Ubuntu: https://launchpad.net/bugs/387350
|
||||
X-Debian-version: 6.0-21
|
||||
|
||||
--- a/list.c
|
||||
+++ b/list.c
|
||||
@@ -339,7 +339,18 @@
|
||||
G.crec.compression_method == ENHDEFLATED) {
|
||||
methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
|
||||
} else if (methnum >= NUM_METHODS) {
|
||||
- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
|
||||
+ /* 2013-02-26 SMS.
|
||||
+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
|
||||
+ * Unexpectedly large compression methods overflow
|
||||
+ * &methbuf[]. Use the old, three-digit decimal format
|
||||
+ * for values which fit. Otherwise, sacrifice the
|
||||
+ * colon, and use four-digit hexadecimal.
|
||||
+ */
|
||||
+ if (G.crec.compression_method <= 999) {
|
||||
+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
|
||||
+ } else {
|
||||
+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
|
||||
+ }
|
||||
}
|
||||
|
||||
#if 0 /* GRR/Euro: add this? */
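Review bot: Both branches still write with an unbounded `sprintf`, so the fix depends on two facts that are outside the hunk: the declared size of `methbuf`, and `G.crec.compression_method` being at most 16 bits wide so that `%04X` emits four digits plus the terminator. I would state that invariant in the comment, or make it explicit in the call with `sprintf(&methbuf[3], "%04X", (unsigned)(G.crec.compression_method & 0xFFFF));`. The zipinfo.c patch that follows uses the same pattern at `&methbuf[0]`, and the same remark applies there.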
|
|
@ -0,0 +1,28 @@
|
|||
From: "Steven M. Schweda" <sms@antinode.info>
|
||||
Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
|
||||
Bug-Debian: https://bugs.debian.org/847486
|
||||
Bug-Ubuntu: https://launchpad.net/bugs/1643750
|
||||
X-Debian-version: 6.0-21
|
||||
|
||||
--- a/zipinfo.c
|
||||
+++ b/zipinfo.c
|
||||
@@ -1921,7 +1921,18 @@
|
||||
ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
|
||||
methbuf[3] = dtype[dnum];
|
||||
} else if (methnum >= NUM_METHODS) { /* unknown */
|
||||
- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
|
||||
+ /* 2016-12-05 SMS.
|
||||
+ * https://launchpad.net/bugs/1643750
|
||||
+ * Unexpectedly large compression methods overflow
|
||||
+ * &methbuf[]. Use the old, three-digit decimal format
|
||||
+ * for values which fit. Otherwise, sacrifice the "u",
|
||||
+ * and use four-digit hexadecimal.
|
||||
+ */
|
||||
+ if (G.crec.compression_method <= 999) {
|
||||
+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
|
||||
+ } else {
|
||||
+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
|
||||
+ }
|
||||
}
|
||||
|
||||
for (k = 0; k < 15; ++k)
|
|
@ -30,6 +30,12 @@ relative_path 'unzip60'
|
|||
build do
|
||||
env = with_standard_compiler_flags(with_embedded_path)
|
||||
|
||||
patch source: '0-gitlab-source.patch'
|
||||
patch source: '1-cve-2014-9636-test-compr-eb.patch'
|
||||
patch source: '2-cve-2015-7696.patch'
|
||||
patch source: '3-cve-2015-7697.patch'
|
||||
patch source: '4-cve-2014-9913-unzip-buffer-overflow.patch'
|
||||
patch source: '5-cve-2016-9844-zipinfo-buffer-overflow.patch'
|
||||
make '-f unix/Makefile clean', env: env
|
||||
make "-j #{workers} -f unix/Makefile generic", env: env
|
||||
make "-f unix/Makefile prefix=#{install_dir}/embedded install", env: env
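Review bot: The six `patch source:` lines carry no comment on where each patch came from, and the headers of `2-cve-2015-7696.patch` and `3-cve-2015-7697.patch` cite only bug-tracker entries, not the CVE ids used in their file names. A short comment above the list would make later audits easier, for example `# Security patches for unzip60; origin and bug references are in each patch header`. Patches 1 and 3 both modify extract.c, so the listed order presumably matters for clean application and is worth stating in the same comment.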
|
||||
|
|