unzip: Patch for CVE-2014-81{39,40,41}.
This commit is contained in:
parent
d05329620f
commit
173f41cf0b
4 changed files with 214 additions and 1 deletions
47
pkgs/tools/archivers/unzip/CVE-2014-8139.diff
Normal file
47
pkgs/tools/archivers/unzip/CVE-2014-8139.diff
Normal file
|
@ -0,0 +1,47 @@
|
|||
From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=971984&action=diff&context=patch&collapsed=&headers=1&format=raw
|
||||
|
||||
--- unzip60/extract.c 2010-04-03 14:41:55 -0500
|
||||
+++ unzip60/extract.c 2014-12-03 15:33:35 -0600
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
|
||||
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
|
||||
|
||||
See the accompanying file LICENSE, version 2009-Jan-02 or later
|
||||
(the contents of which are also included in unzip.h) for terms of use.
|
||||
@@ -298,6 +298,8 @@
|
||||
#ifndef SFX
|
||||
static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
|
||||
EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
|
||||
+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
|
||||
+ EF block length (%u bytes) invalid (< %d)\n";
|
||||
static ZCONST char Far InvalidComprDataEAs[] =
|
||||
" invalid compressed data for EAs\n";
|
||||
# if (defined(WIN32) && defined(NTSD_EAS))
|
||||
@@ -2023,7 +2025,8 @@
|
||||
ebID = makeword(ef);
|
||||
ebLen = (unsigned)makeword(ef+EB_LEN);
|
||||
|
||||
- if (ebLen > (ef_len - EB_HEADSIZE)) {
|
||||
+ if (ebLen > (ef_len - EB_HEADSIZE))
|
||||
+ {
|
||||
/* Discovered some extra field inconsistency! */
|
||||
if (uO.qflag)
|
||||
Info(slide, 1, ((char *)slide, "%-22s ",
|
||||
@@ -2032,6 +2035,16 @@
|
||||
ebLen, (ef_len - EB_HEADSIZE)));
|
||||
return PK_ERR;
|
||||
}
|
||||
+ else if (ebLen < EB_HEADSIZE)
|
||||
+ {
|
||||
+ /* Extra block length smaller than header length. */
|
||||
+ if (uO.qflag)
|
||||
+ Info(slide, 1, ((char *)slide, "%-22s ",
|
||||
+ FnFilter1(G.filename)));
|
||||
+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
|
||||
+ ebLen, EB_HEADSIZE));
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
|
||||
switch (ebID) {
|
||||
case EF_OS2:
|
26
pkgs/tools/archivers/unzip/CVE-2014-8140.diff
Normal file
26
pkgs/tools/archivers/unzip/CVE-2014-8140.diff
Normal file
|
@ -0,0 +1,26 @@
|
|||
From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969621&action=diff
|
||||
(unzip60/ path prefix added)
|
||||
|
||||
--- unzip60/extract.c 2009-03-14 02:32:52.000000000 +0100
|
||||
+++ unzip60/extract.c 2014-12-05 22:43:13.000000000 +0100
|
||||
@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
|
||||
if (compr_offset < 4) /* field is not compressed: */
|
||||
return PK_OK; /* do nothing and signal OK */
|
||||
|
||||
+ /* Return no/bad-data error status if any problem is found:
|
||||
+ * 1. eb_size is too small to hold the uncompressed size
|
||||
+ * (eb_ucsize). (Else extract eb_ucsize.)
|
||||
+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
|
||||
+ * 3. eb_ucsize is positive, but eb_size is too small to hold
|
||||
+ * the compressed data header.
|
||||
+ */
|
||||
if ((eb_size < (EB_UCSIZE_P + 4)) ||
|
||||
- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
|
||||
- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
|
||||
- return IZ_EF_TRUNC; /* no compressed data! */
|
||||
+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
|
||||
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
|
||||
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
|
||||
|
||||
if (
|
||||
#ifdef INT_16BIT
|
136
pkgs/tools/archivers/unzip/CVE-2014-8141.diff
Normal file
136
pkgs/tools/archivers/unzip/CVE-2014-8141.diff
Normal file
|
@ -0,0 +1,136 @@
|
|||
From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969625&action=diff
|
||||
(unzip60/ path prefix added)
|
||||
|
||||
--- unzip60/process.c 2009-03-06 02:25:10.000000000 +0100
|
||||
+++ unzip60/process.c 2014-12-05 22:42:39.000000000 +0100
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
|
||||
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
|
||||
|
||||
See the accompanying file LICENSE, version 2009-Jan-02 or later
|
||||
(the contents of which are also included in unzip.h) for terms of use.
|
||||
@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
|
||||
and a 4-byte version of disk start number.
|
||||
Sets both local header and central header fields. Not terribly clever,
|
||||
but it means that this procedure is only called in one place.
|
||||
+
|
||||
+ 2014-12-05 SMS.
|
||||
+ Added checks to ensure that enough data are available before calling
|
||||
+ makeint64() or makelong(). Replaced various sizeof() values with
|
||||
+ simple ("4" or "8") constants. (The Zip64 structures do not depend
|
||||
+ on our variable sizes.) Error handling is crude, but we should now
|
||||
+ stay within the buffer.
|
||||
---------------------------------------------------------------------------*/
|
||||
|
||||
+#define Z64FLGS 0xffff
|
||||
+#define Z64FLGL 0xffffffff
|
||||
+
|
||||
if (ef_len == 0 || ef_buf == NULL)
|
||||
return PK_COOL;
|
||||
|
||||
Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
|
||||
ef_len));
|
||||
|
||||
- while (ef_len >= EB_HEADSIZE) {
|
||||
+ while (ef_len >= EB_HEADSIZE)
|
||||
+ {
|
||||
eb_id = makeword(EB_ID + ef_buf);
|
||||
eb_len = makeword(EB_LEN + ef_buf);
|
||||
|
||||
- if (eb_len > (ef_len - EB_HEADSIZE)) {
|
||||
- /* discovered some extra field inconsistency! */
|
||||
+ if (eb_len > (ef_len - EB_HEADSIZE))
|
||||
+ {
|
||||
+ /* Extra block length exceeds remaining extra field length. */
|
||||
Trace((stderr,
|
||||
"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
|
||||
ef_len - EB_HEADSIZE));
|
||||
break;
|
||||
}
|
||||
- if (eb_id == EF_PKSZ64) {
|
||||
-
|
||||
+ if (eb_id == EF_PKSZ64)
|
||||
+ {
|
||||
int offset = EB_HEADSIZE;
|
||||
|
||||
- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
|
||||
- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
|
||||
- offset += sizeof(G.crec.ucsize);
|
||||
+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
|
||||
+ {
|
||||
+ if (offset+ 8 > ef_len)
|
||||
+ return PK_ERR;
|
||||
+
|
||||
+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
|
||||
+ offset += 8;
|
||||
}
|
||||
- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
|
||||
- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
|
||||
- offset += sizeof(G.crec.csize);
|
||||
+
|
||||
+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
|
||||
+ {
|
||||
+ if (offset+ 8 > ef_len)
|
||||
+ return PK_ERR;
|
||||
+
|
||||
+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
|
||||
+ offset += 8;
|
||||
}
|
||||
- if (G.crec.relative_offset_local_header == 0xffffffff){
|
||||
+
|
||||
+ if (G.crec.relative_offset_local_header == Z64FLGL)
|
||||
+ {
|
||||
+ if (offset+ 8 > ef_len)
|
||||
+ return PK_ERR;
|
||||
+
|
||||
G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
|
||||
- offset += sizeof(G.crec.relative_offset_local_header);
|
||||
+ offset += 8;
|
||||
}
|
||||
- if (G.crec.disk_number_start == 0xffff){
|
||||
+
|
||||
+ if (G.crec.disk_number_start == Z64FLGS)
|
||||
+ {
|
||||
+ if (offset+ 4 > ef_len)
|
||||
+ return PK_ERR;
|
||||
+
|
||||
G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
|
||||
- offset += sizeof(G.crec.disk_number_start);
|
||||
+ offset += 4;
|
||||
}
|
||||
+#if 0
|
||||
+ break; /* Expect only one EF_PKSZ64 block. */
|
||||
+#endif /* 0 */
|
||||
}
|
||||
|
||||
- /* Skip this extra field block */
|
||||
+ /* Skip this extra field block. */
|
||||
ef_buf += (eb_len + EB_HEADSIZE);
|
||||
ef_len -= (eb_len + EB_HEADSIZE);
|
||||
}
|
||||
--- unzip60/fileio.c 2009-04-20 02:03:44.000000000 +0200
|
||||
+++ unzip60/fileio.c 2014-12-05 22:44:16.000000000 +0100
|
||||
@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
|
||||
#endif
|
||||
static ZCONST char Far ExtraFieldTooLong[] =
|
||||
"warning: extra field too long (%d). Ignoring...\n";
|
||||
+static ZCONST char Far ExtraFieldCorrupt[] =
|
||||
+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
|
||||
|
||||
#ifdef WINDLL
|
||||
static ZCONST char Far DiskFullQuery[] =
|
||||
@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
|
||||
if (readbuf(__G__ (char *)G.extra_field, length) == 0)
|
||||
return PK_EOF;
|
||||
/* Looks like here is where extra fields are read */
|
||||
- getZip64Data(__G__ G.extra_field, length);
|
||||
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
|
||||
+ {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
|
||||
+ error = PK_WARN;
|
||||
+ }
|
||||
#ifdef UNICODE_SUPPORT
|
||||
G.unipath_filename = NULL;
|
||||
if (G.UzO.U_flag < 2) {
|
|
@ -9,7 +9,11 @@ stdenv.mkDerivation {
|
|||
sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
|
||||
};
|
||||
|
||||
patches = stdenv.lib.optional enableNLS
|
||||
patches = [
|
||||
./CVE-2014-8139.diff
|
||||
./CVE-2014-8140.diff
|
||||
./CVE-2014-8141.diff
|
||||
] ++ stdenv.lib.optional enableNLS
|
||||
(fetchurl {
|
||||
url = "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/unzip/files/unzip-6.0-natspec.patch?revision=1.1";
|
||||
name = "unzip-6.0-natspec.patch";
|
||||
|
|
Loading…
Reference in a new issue