diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-04-29 08:53:35 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-14 11:43:57 +0100 |
commit | c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1 (patch) | |
tree | 1149720206916b2ac494c113d064e91d57bc2906 /meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff | |
parent | 654f3e57f9efe6917b41ceebb019debede989d02 (diff) | |
download | poky-c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1.tar.gz |
unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636
unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a
zip archive that advertises STORED method compression.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315
Buffer overflow in the charset_to_intern function in unix/unix.c in
Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code
via a crafted string, as demonstrated by converting a string from CP866
to UTF-8.
(From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff new file mode 100644 index 0000000000..0a0bfbbb17 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff | |||
@@ -0,0 +1,45 @@ | |||
1 | From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 | ||
2 | From: mancha <mancha1 AT zoho DOT com> | ||
3 | Date: Wed, 11 Feb 2015 | ||
4 | Subject: Info-ZIP UnZip buffer overflow | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | By carefully crafting a corrupt ZIP archive with "extra fields" that | ||
9 | purport to have compressed blocks larger than the corresponding | ||
10 | uncompressed blocks in STORED no-compression mode, an attacker can | ||
11 | trigger a heap overflow that can result in application crash or | ||
12 | possibly have other unspecified impact. | ||
13 | |||
14 | This patch ensures that when extra fields use STORED mode, the | ||
15 | "compressed" and uncompressed block sizes match. | ||
16 | |||
17 | Signed-off-by: mancha <mancha1 AT zoho DOT com> | ||
18 | --- | ||
19 | extract.c | 8 ++++++++ | ||
20 | 1 file changed, 8 insertions(+) | ||
21 | |||
22 | --- a/extract.c | ||
23 | +++ b/extract.c | ||
24 | @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si | ||
25 | ulg eb_ucsize; | ||
26 | uch *eb_ucptr; | ||
27 | int r; | ||
28 | + ush method; | ||
29 | |||
30 | if (compr_offset < 4) /* field is not compressed: */ | ||
31 | return PK_OK; /* do nothing and signal OK */ | ||
32 | @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si | ||
33 | eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
34 | return IZ_EF_TRUNC; /* no compressed data! */ | ||
35 | |||
36 | + method = makeword(eb + (EB_HEADSIZE + compr_offset)); | ||
37 | + if ((method == STORED) && | ||
38 | + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) | ||
39 | + return PK_ERR; /* compressed & uncompressed | ||
40 | + * should match in STORED | ||
41 | + * method */ | ||
42 | + | ||
43 | if ( | ||
44 | #ifdef INT_16BIT | ||
45 | (((ulg)(extent)eb_ucsize) != eb_ucsize) || | ||