diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-06-23 13:32:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-06-27 22:42:51 +0100 |
commit | d2a87aa86a3eaafb696a4223c761d47cf536231d (patch) | |
tree | 7de7bc96ea53245e34116137c8a97aa9e5848cec | |
parent | a1bac0f7dfe3e1a29c03f7e307ea6da355859409 (diff) | |
download | poky-d2a87aa86a3eaafb696a4223c761d47cf536231d.tar.gz |
unzip: fix four CVE defects
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
(From OE-Core rev: 5e9f29b1c212f7a067772699e7fc9b6e233baa34)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
5 files changed, 278 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch new file mode 100644 index 0000000000..e137f0dc76 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From: sms | ||
2 | Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow | ||
3 | Bug-Debian: http://bugs.debian.org/773722 | ||
4 | |||
5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
10 | |||
11 | --- a/extract.c | ||
12 | +++ b/extract.c | ||
13 | @@ -298,6 +298,8 @@ | ||
14 | #ifndef SFX | ||
15 | static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ | ||
16 | EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; | ||
17 | + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ | ||
18 | + EF block length (%u bytes) invalid (< %d)\n"; | ||
19 | static ZCONST char Far InvalidComprDataEAs[] = | ||
20 | " invalid compressed data for EAs\n"; | ||
21 | # if (defined(WIN32) && defined(NTSD_EAS)) | ||
22 | @@ -2023,7 +2025,8 @@ | ||
23 | ebID = makeword(ef); | ||
24 | ebLen = (unsigned)makeword(ef+EB_LEN); | ||
25 | |||
26 | - if (ebLen > (ef_len - EB_HEADSIZE)) { | ||
27 | + if (ebLen > (ef_len - EB_HEADSIZE)) | ||
28 | + { | ||
29 | /* Discovered some extra field inconsistency! */ | ||
30 | if (uO.qflag) | ||
31 | Info(slide, 1, ((char *)slide, "%-22s ", | ||
32 | @@ -2158,11 +2161,19 @@ | ||
33 | } | ||
34 | break; | ||
35 | case EF_PKVMS: | ||
36 | - if (makelong(ef+EB_HEADSIZE) != | ||
37 | + if (ebLen < 4) | ||
38 | + { | ||
39 | + Info(slide, 1, | ||
40 | + ((char *)slide, LoadFarString(TooSmallEBlength), | ||
41 | + ebLen, 4)); | ||
42 | + } | ||
43 | + else if (makelong(ef+EB_HEADSIZE) != | ||
44 | crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), | ||
45 | (extent)(ebLen-4))) | ||
46 | + { | ||
47 | Info(slide, 1, ((char *)slide, | ||
48 | LoadFarString(BadCRC_EAs))); | ||
49 | + } | ||
50 | break; | ||
51 | case EF_PKW32: | ||
52 | case EF_PKUNIX: | ||
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 0000000000..edc7d515b0 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From: sms | ||
2 | Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() | ||
3 | Bug-Debian: http://bugs.debian.org/773722 | ||
4 | |||
5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
10 | |||
11 | --- a/extract.c | ||
12 | +++ b/extract.c | ||
13 | @@ -2232,10 +2232,17 @@ | ||
14 | if (compr_offset < 4) /* field is not compressed: */ | ||
15 | return PK_OK; /* do nothing and signal OK */ | ||
16 | |||
17 | + /* Return no/bad-data error status if any problem is found: | ||
18 | + * 1. eb_size is too small to hold the uncompressed size | ||
19 | + * (eb_ucsize). (Else extract eb_ucsize.) | ||
20 | + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. | ||
21 | + * 3. eb_ucsize is positive, but eb_size is too small to hold | ||
22 | + * the compressed data header. | ||
23 | + */ | ||
24 | if ((eb_size < (EB_UCSIZE_P + 4)) || | ||
25 | - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && | ||
26 | - eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
27 | - return IZ_EF_TRUNC; /* no compressed data! */ | ||
28 | + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || | ||
29 | + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
30 | + return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
31 | |||
32 | if ( | ||
33 | #ifdef INT_16BIT | ||
diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch new file mode 100644 index 0000000000..d0c1db3925 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch | |||
@@ -0,0 +1,144 @@ | |||
1 | From: sms | ||
2 | Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() | ||
3 | Bug-Debian: http://bugs.debian.org/773722 | ||
4 | |||
5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
10 | |||
11 | |||
12 | --- a/fileio.c | ||
13 | +++ b/fileio.c | ||
14 | @@ -176,6 +176,8 @@ | ||
15 | #endif | ||
16 | static ZCONST char Far ExtraFieldTooLong[] = | ||
17 | "warning: extra field too long (%d). Ignoring...\n"; | ||
18 | +static ZCONST char Far ExtraFieldCorrupt[] = | ||
19 | + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; | ||
20 | |||
21 | #ifdef WINDLL | ||
22 | static ZCONST char Far DiskFullQuery[] = | ||
23 | @@ -2295,7 +2297,12 @@ | ||
24 | if (readbuf(__G__ (char *)G.extra_field, length) == 0) | ||
25 | return PK_EOF; | ||
26 | /* Looks like here is where extra fields are read */ | ||
27 | - getZip64Data(__G__ G.extra_field, length); | ||
28 | + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | ||
29 | + { | ||
30 | + Info(slide, 0x401, ((char *)slide, | ||
31 | + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); | ||
32 | + error = PK_WARN; | ||
33 | + } | ||
34 | #ifdef UNICODE_SUPPORT | ||
35 | G.unipath_filename = NULL; | ||
36 | if (G.UzO.U_flag < 2) { | ||
37 | --- a/process.c | ||
38 | +++ b/process.c | ||
39 | @@ -1,5 +1,5 @@ | ||
40 | /* | ||
41 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. | ||
42 | + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. | ||
43 | |||
44 | See the accompanying file LICENSE, version 2009-Jan-02 or later | ||
45 | (the contents of which are also included in unzip.h) for terms of use. | ||
46 | @@ -1901,48 +1901,82 @@ | ||
47 | and a 4-byte version of disk start number. | ||
48 | Sets both local header and central header fields. Not terribly clever, | ||
49 | but it means that this procedure is only called in one place. | ||
50 | + | ||
51 | + 2014-12-05 SMS. | ||
52 | + Added checks to ensure that enough data are available before calling | ||
53 | + makeint64() or makelong(). Replaced various sizeof() values with | ||
54 | + simple ("4" or "8") constants. (The Zip64 structures do not depend | ||
55 | + on our variable sizes.) Error handling is crude, but we should now | ||
56 | + stay within the buffer. | ||
57 | ---------------------------------------------------------------------------*/ | ||
58 | |||
59 | +#define Z64FLGS 0xffff | ||
60 | +#define Z64FLGL 0xffffffff | ||
61 | + | ||
62 | if (ef_len == 0 || ef_buf == NULL) | ||
63 | return PK_COOL; | ||
64 | |||
65 | Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", | ||
66 | ef_len)); | ||
67 | |||
68 | - while (ef_len >= EB_HEADSIZE) { | ||
69 | + while (ef_len >= EB_HEADSIZE) | ||
70 | + { | ||
71 | eb_id = makeword(EB_ID + ef_buf); | ||
72 | eb_len = makeword(EB_LEN + ef_buf); | ||
73 | |||
74 | - if (eb_len > (ef_len - EB_HEADSIZE)) { | ||
75 | - /* discovered some extra field inconsistency! */ | ||
76 | + if (eb_len > (ef_len - EB_HEADSIZE)) | ||
77 | + { | ||
78 | + /* Extra block length exceeds remaining extra field length. */ | ||
79 | Trace((stderr, | ||
80 | "getZip64Data: block length %u > rest ef_size %u\n", eb_len, | ||
81 | ef_len - EB_HEADSIZE)); | ||
82 | break; | ||
83 | } | ||
84 | - if (eb_id == EF_PKSZ64) { | ||
85 | - | ||
86 | + if (eb_id == EF_PKSZ64) | ||
87 | + { | ||
88 | int offset = EB_HEADSIZE; | ||
89 | |||
90 | - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ | ||
91 | - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); | ||
92 | - offset += sizeof(G.crec.ucsize); | ||
93 | + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) | ||
94 | + { | ||
95 | + if (offset+ 8 > ef_len) | ||
96 | + return PK_ERR; | ||
97 | + | ||
98 | + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); | ||
99 | + offset += 8; | ||
100 | } | ||
101 | - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ | ||
102 | - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); | ||
103 | - offset += sizeof(G.crec.csize); | ||
104 | + | ||
105 | + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) | ||
106 | + { | ||
107 | + if (offset+ 8 > ef_len) | ||
108 | + return PK_ERR; | ||
109 | + | ||
110 | + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); | ||
111 | + offset += 8; | ||
112 | } | ||
113 | - if (G.crec.relative_offset_local_header == 0xffffffff){ | ||
114 | + | ||
115 | + if (G.crec.relative_offset_local_header == Z64FLGL) | ||
116 | + { | ||
117 | + if (offset+ 8 > ef_len) | ||
118 | + return PK_ERR; | ||
119 | + | ||
120 | G.crec.relative_offset_local_header = makeint64(offset + ef_buf); | ||
121 | - offset += sizeof(G.crec.relative_offset_local_header); | ||
122 | + offset += 8; | ||
123 | } | ||
124 | - if (G.crec.disk_number_start == 0xffff){ | ||
125 | + | ||
126 | + if (G.crec.disk_number_start == Z64FLGS) | ||
127 | + { | ||
128 | + if (offset+ 4 > ef_len) | ||
129 | + return PK_ERR; | ||
130 | + | ||
131 | G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); | ||
132 | - offset += sizeof(G.crec.disk_number_start); | ||
133 | + offset += 4; | ||
134 | } | ||
135 | +#if 0 | ||
136 | + break; /* Expect only one EF_PKSZ64 block. */ | ||
137 | +#endif /* 0 */ | ||
138 | } | ||
139 | |||
140 | - /* Skip this extra field block */ | ||
141 | + /* Skip this extra field block. */ | ||
142 | ef_buf += (eb_len + EB_HEADSIZE); | ||
143 | ef_len -= (eb_len + EB_HEADSIZE); | ||
144 | } | ||
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch new file mode 100644 index 0000000000..b64dd99244 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From: mancha <mancha1 AT zoho DOT com> | ||
2 | Date: Mon, 3 Nov 2014 | ||
3 | Subject: Info-ZIP UnZip buffer overflow | ||
4 | Bug-Debian: http://bugs.debian.org/776589 | ||
5 | |||
6 | By carefully crafting a corrupt ZIP archive with "extra fields" that | ||
7 | purport to have compressed blocks larger than the corresponding | ||
8 | uncompressed blocks in STORED no-compression mode, an attacker can | ||
9 | trigger a heap overflow that can result in application crash or | ||
10 | possibly have other unspecified impact. | ||
11 | |||
12 | This patch ensures that when extra fields use STORED mode, the | ||
13 | "compressed" and uncompressed block sizes match. | ||
14 | |||
15 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
20 | |||
21 | --- a/extract.c | ||
22 | +++ b/extract.c | ||
23 | @@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) | ||
24 | uch *eb_ucptr; | ||
25 | int r; | ||
26 | ush method; | ||
27 | + ush eb_compr_method; | ||
28 | |||
29 | if (compr_offset < 4) /* field is not compressed: */ | ||
30 | return PK_OK; /* do nothing and signal OK */ | ||
31 | @@ -2244,6 +2245,14 @@ | ||
32 | ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
33 | return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
34 | |||
35 | + /* 2014-11-03 Michal Zalewski, SMS. | ||
36 | + * For STORE method, compressed and uncompressed sizes must agree. | ||
37 | + * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 | ||
38 | + */ | ||
39 | + eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); | ||
40 | + if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize)) | ||
41 | + return PK_ERR; | ||
42 | + | ||
43 | if ( | ||
44 | #ifdef INT_16BIT | ||
45 | (((ulg)(extent)eb_ucsize) != eb_ucsize) || | ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 5060d35546..b022f21844 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \ | |||
11 | file://define-ldflags.patch \ | 11 | file://define-ldflags.patch \ |
12 | file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ | 12 | file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ |
13 | file://unzip-6.0_overflow3.diff \ | 13 | file://unzip-6.0_overflow3.diff \ |
14 | file://09-cve-2014-8139-crc-overflow.patch \ | ||
15 | file://10-cve-2014-8140-test-compr-eb.patch \ | ||
16 | file://11-cve-2014-8141-getzip64data.patch \ | ||
17 | file://12-cve-2014-9636-test-compr-eb.patch \ | ||
14 | " | 18 | " |
15 | 19 | ||
16 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" | 20 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" |