authorRoy Li <rongqing.li@windriver.com>2015-06-23 13:32:06 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-27 22:42:51 +0100
commitd2a87aa86a3eaafb696a4223c761d47cf536231d (patch)
tree7de7bc96ea53245e34116137c8a97aa9e5848cec
parenta1bac0f7dfe3e1a29c03f7e307ea6da355859409 (diff)
downloadpoky-d2a87aa86a3eaafb696a4223c761d47cf536231d.tar.gz
unzip: fix four CVE defects
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix: cve-2014-8139 cve-2014-8140 cve-2014-8141 cve-2014-9636 (From OE-Core rev: 5e9f29b1c212f7a067772699e7fc9b6e233baa34) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch52
-rw-r--r--meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch33
-rw-r--r--meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch144
-rw-r--r--meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch45
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb4
5 files changed, 278 insertions, 0 deletions
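--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX: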
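Review bot: The new `ebLen < 4` guard in the EF_PKVMS case only reports the malformed block through Info() and then falls through to `break`, so the caller's view of the extra field appears unchanged; the enclosing function begins and ends outside this hunk, so it is worth confirming that its return status reflects a rejected EF block rather than a quietly skipped one. The guard is the right floor: ebLen is cast to unsigned where it is read, so `(extent)(ebLen-4)` on the unchanged crc32 line would otherwise wrap to a huge length. A short comment on the guard, `/* ebLen is unsigned: the ebLen-4 below must not wrap */`, would record why 4 is the minimum. The other EF_* cases are not visible here; any of them that derive a length from ebLen in the same way need the same minimum-length check.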
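--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,33 @@
+From: sms
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2232,10 +2232,17 @@
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT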
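Review bot: In the rewritten condition the `(eb_ucsize > 0L)` guard in the third clause is redundant, since the clause before it already returns when eb_ucsize is zero, and if eb_ucsize has an unsigned type (its declaration is outside the hunk) the comparison is always true anyway; `(eb_size <= (compr_offset + EB_CMPRHEADLEN))` on its own says the same thing. A zero uncompressed size is now reported as IZ_EF_TRUNC, which names a truncation rather than an invalid value; if no closer status exists, a note on item 2 of the new block comment such as `* (reported as IZ_EF_TRUNC; no closer status exists)` would make the reuse deliberate. The reformatted makelong() call, `makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))`, uses spacing that matches neither the removed line nor the surrounding code. test_compr_eb starts before this hunk and continues after it.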
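--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }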
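Review bot: The four new bounds checks in getZip64Data compare `offset+ 8` (or `+ 4`) with ef_len, the remaining length of the whole extra field, rather than with the current block's own extent, `eb_len + EB_HEADSIZE`; because eb_len has already been verified not to exceed `ef_len - EB_HEADSIZE`, writing `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;` at each site still keeps every read inside the buffer and additionally rejects a Zip64 block whose declared eb_len is shorter than the values being decoded from it, instead of silently reading them from the following block. `Z64FLGS` and `Z64FLGL` are #defined in the middle of the function body, which leaves them visible for the rest of process.c; defining them with the file's other constants, or adding `#undef` after the loop, would be cleaner. The `#if 0` / `#endif` around `break;` is dead code that should either be enabled or removed, with the reason given in the comment. The fileio.c hunk's `error = PK_WARN;` relies on a local `error` declared outside that hunk, and getZip64Data itself begins before this hunk.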
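--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,45 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ uch *eb_ucptr;
+ int r;
+ ush method;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2014-11-03 Michal Zalewski, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||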
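Review bot: The new STORED check compares `eb_size - compr_offset` with eb_ucsize, but the condition retained just above it treats the data as starting after a compressed-data header at `compr_offset + EB_CMPRHEADLEN`; if that is the layout, the stored payload is `eb_size - compr_offset - EB_CMPRHEADLEN` bytes long and the equality is off by EB_CMPRHEADLEN, which would reject well-formed STORED fields. Confirm the layout against the code that consumes the payload (outside the hunk); if the header precedes the data, the check should read `if ((eb_compr_method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))`. The subtraction itself cannot underflow, because the preceding condition already returns when `eb_size <= compr_offset + EB_CMPRHEADLEN`. The declarations of eb_size, compr_offset and eb_ucsize are outside the hunk, so the comparison should also be checked for a signed/unsigned or width mismatch. test_compr_eb continues beyond this hunk.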
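--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
 file://define-ldflags.patch \
 file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
 file://unzip-6.0_overflow3.diff \
+file://09-cve-2014-8139-crc-overflow.patch \
+file://10-cve-2014-8140-test-compr-eb.patch \
+file://11-cve-2014-8141-getzip64data.patch \
+file://12-cve-2014-9636-test-compr-eb.patch \
 "
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"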