diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-06-23 13:32:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-20 20:54:34 +0100 |
commit | fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c (patch) | |
tree | cecec1b5d5a90dbdcc13a8cef891603ccbe4bca0 /meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | |
parent | 9f363a9c8a12f01c38ffb968fc727f6942aabb57 (diff) | |
download | poky-fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c.tar.gz |
unzip: fix four CVE defects
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
(From OE-Core rev: 429ab46f975c05f65120beddf50099c7cb0b2f86)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 0000000000..edc7d515b0 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From: sms | ||
2 | Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() | ||
3 | Bug-Debian: http://bugs.debian.org/773722 | ||
4 | |||
5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
10 | |||
11 | --- a/extract.c | ||
12 | +++ b/extract.c | ||
13 | @@ -2232,10 +2232,17 @@ | ||
14 | if (compr_offset < 4) /* field is not compressed: */ | ||
15 | return PK_OK; /* do nothing and signal OK */ | ||
16 | |||
17 | + /* Return no/bad-data error status if any problem is found: | ||
18 | + * 1. eb_size is too small to hold the uncompressed size | ||
19 | + * (eb_ucsize). (Else extract eb_ucsize.) | ||
20 | + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. | ||
21 | + * 3. eb_ucsize is positive, but eb_size is too small to hold | ||
22 | + * the compressed data header. | ||
23 | + */ | ||
24 | if ((eb_size < (EB_UCSIZE_P + 4)) || | ||
25 | - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && | ||
26 | - eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
27 | - return IZ_EF_TRUNC; /* no compressed data! */ | ||
28 | + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || | ||
29 | + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
30 | + return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
31 | |||
32 | if ( | ||
33 | #ifdef INT_16BIT | ||