authorRoy Li <rongqing.li@windriver.com>2015-04-29 08:53:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-14 11:43:57 +0100
commitc9ec5427609f084d9cbfb7336777fe1e3d0f3ef1 (patch)
tree1149720206916b2ac494c113d064e91d57bc2906 /meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
parent654f3e57f9efe6917b41ceebb019debede989d02 (diff)
unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315 Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. (From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff')
-rw-r--r--meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff45
1 files changed, 45 insertions, 0 deletions
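diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
new file mode 100644
index 0000000000..0a0bfbbb17
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+
+Upstream-Status: Backport
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+Signed-off-by: mancha <mancha1 AT zoho DOT com>
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
+ eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+ return IZ_EF_TRUNC; /* no compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) &&
++ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||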
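Review bot: The added STORED check in test_compr_eb (patch lines 36-38) reads the method word and computes `eb_size - compr_offset - EB_CMPRHEADLEN` on the strength of the truncation guard just above it, but only the tail of that guard's condition is visible in the hunk. If the guard is conditional on another term (for instance, applied only when the uncompressed size is non-zero), a short extra field would still reach `makeword(eb + (EB_HEADSIZE + compr_offset))`, and the subtraction would wrap if these sizes are unsigned, which the truncated signature does not show. An unconditional `if (eb_size < compr_offset + EB_CMPRHEADLEN) return IZ_EF_TRUNC;` placed before the method read would make the new check self-contained. The body of test_compr_eb starts and ends outside the hunk, so this should be confirmed against the full function.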