unzip: CVE-2014-9913 CVE-2016-9844

Backport the patches for CVE-2014-9913 CVE-2016-9844

CVE-2016-9844:
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via a large compression method value in the central
directory file header.
CVE-2014-9913:
Buffer overflow in the list_files function in list.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via vectors related to the compression method.

Patches come from:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/  or
https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff

Bug-Debian: https://bugs.debian.org/847486
Bug-Ubuntu: https://launchpad.net/bugs/1643750

(LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222

(From OE-Core rev: fc386ed4afb76bd3e5a3afff54d7dc8dde14fe9c)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 3 insertions, 1 deletions

diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 547379c0dc..d4ee487417 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -16,7 +16,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
         file://11-cve-2014-8141-getzip64data.patch \
         file://CVE-2015-7696.patch \
         file://CVE-2015-7697.patch \
-        file://fix-security-format.patch \
+        file://fix-security-format.patch \
+        file://18-cve-2014-9913-unzip-buffer-overflow.patch \
+        file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
 "
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"