unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315 Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. (From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Roy Li <rongqing.li@windriver.com> 2015-04-29 08:53:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-05-14 11:43:57 +0100
commit: c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1 (patch)
tree: 1149720206916b2ac494c113d064e91d57bc2906 /meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
parent: 654f3e57f9efe6917b41ceebb019debede989d02 (diff)
download: poky-c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
new file mode 100644
index 0000000000..0a0bfbbb17
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+Upstream-Status: Backport
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+Signed-off-by: mancha <mancha1 AT zoho DOT com>
+---
+ extract.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- a/extract.c
+++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
+    ush method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
+          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+         return IZ_EF_TRUNC;               /* no compressed data! */
+ 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) &&
+        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
+       return PK_ERR;                    /* compressed & uncompressed
+                                          * should match in STORED
+                                          * method */
+
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
author	Roy Li <rongqing.li@windriver.com>	2015-04-29 08:53:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-05-14 11:43:57 +0100
commit	c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1 (patch)
tree	1149720206916b2ac494c113d064e91d57bc2906 /meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
parent	654f3e57f9efe6917b41ceebb019debede989d02 (diff)
download	poky-c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1.tar.gz

diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff new file mode 100644 index 0000000000..0a0bfbbb17 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
	1	From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
	2	From: mancha <mancha1 AT zoho DOT com>
	3	Date: Wed, 11 Feb 2015
	4	Subject: Info-ZIP UnZip buffer overflow
	5
	6	Upstream-Status: Backport
	7
	8	By carefully crafting a corrupt ZIP archive with "extra fields" that
	9	purport to have compressed blocks larger than the corresponding
	10	uncompressed blocks in STORED no-compression mode, an attacker can
	11	trigger a heap overflow that can result in application crash or
	12	possibly have other unspecified impact.
	13
	14	This patch ensures that when extra fields use STORED mode, the
	15	"compressed" and uncompressed block sizes match.
	16
	17	Signed-off-by: mancha <mancha1 AT zoho DOT com>
	18	---
	19	extract.c \| 8 ++++++++
	20	1 file changed, 8 insertions(+)
	21
	22	--- a/extract.c
	23	+++ b/extract.c
	24	@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
	25	ulg eb_ucsize;
	26	uch *eb_ucptr;
	27	int r;
	28	+ ush method;
	29
	30	if (compr_offset < 4) /* field is not compressed: */
	31	return PK_OK; /* do nothing and signal OK */
	32	@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
	33	eb_size <= (compr_offset + EB_CMPRHEADLEN)))
	34	return IZ_EF_TRUNC; /* no compressed data! */
	35
	36	+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
	37	+ if ((method == STORED) &&
	38	+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
	39	+ return PK_ERR; /* compressed & uncompressed
	40	+ * should match in STORED
	41	+ * method */
	42	+
	43	if (
	44	#ifdef INT_16BIT
	45	(((ulg)(extent)eb_ucsize) != eb_ucsize) \|\|