From 7b531e28454412a68b68f821b3dd394e5ec4f141 Mon Sep 17 00:00:00 2001
From: mancha
Date: Mon, 23 Feb 2015 23:13:00 +0000
Subject: [PATCH] unzip: fix CVE-2014-9636 patch

Close #6544, fixes #6543. vcunat: no security impact; just fixes false rejections of some rarer inputs - a problem introduced by the CVE patch.
---
 pkgs/tools/archivers/unzip/CVE-2014-9636.diff | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pkgs/tools/archivers/unzip/CVE-2014-9636.diff b/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
index aeaf3e70de6e..d4c7f752975e 100644
--- a/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
@@ -1,6 +1,6 @@
-From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
 From: mancha
-Date: Mon, 3 Nov 2014
+Date: Wed, 11 Feb 2015
 Subject: Info-ZIP UnZip buffer overflow
 
 By carefully crafting a corrupt ZIP archive with "extra fields" that
@@ -26,12 +26,13 @@ This patch ensures that when extra fields use STORED mode, the
  if (compr_offset < 4) /* field is not compressed: */
  return PK_OK; /* do nothing and signal OK */
-@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
  eb_size <= (compr_offset + EB_CMPRHEADLEN)))
  return IZ_EF_TRUNC; /* no compressed data! */
 + method = makeword(eb + (EB_HEADSIZE + compr_offset));
-+ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ if ((method == STORED) &&
++ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
 + return PK_ERR; /* compressed & uncompressed
 + * should match in STORED
 + * method */