unzip: fix CVE-2018-1000035

(From OE-Core rev: f75289b9215580030540245cd0b5f945bfb05ffa)

(From OE-Core rev: 97a52df900519b0c7fbb9e92a3168a542d68aba6)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 49 insertions, 0 deletions

diff --git a/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch
new file mode 100644
index 0000000000..37289d1a53
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch
@@ -0,0 +1,48 @@
+From 349f566e6e757458843fa164a0f0584280e1501e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 15 Aug 2018 16:20:53 +0800
+Subject: [PATCH] unzip: fix CVE-2018-1000035
+
+Upstream-Status: Backport
+
+CVE: CVE-2018-1000035
+
+backport from unzip6.10c23
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ fileio.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index 36bfea3..7605a29 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+     int r = IZ_PW_ENTERED;
+     char *m;
+     char *prompt;
++    char *ep;
++    char *zp;
+ 
+ #ifndef REENTRANT
+     /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+ 
+     if (*rcnt == 0) {           /* First call for current entry */
+         *rcnt = 2;
+-        if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+-            sprintf(prompt, LoadFarString(PasswPrompt),
+-                    FnFilter1(zfn), FnFilter2(efn));
++        zp = FnFilter1( zfn);
++        ep = FnFilter2( efn);
++        prompt = (char *)malloc(    /* Slightly too long (2* "%s"). */
++         sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
++        if (prompt != (char *)NULL) {
++            sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+             m = prompt;
+         } else
+             m = (char *)LoadFarString(PasswPrompt2);
+-- 
+2.7.4
+
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index dbf4112a4c..a47491ea4a 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
         file://18-cve-2014-9913-unzip-buffer-overflow.patch \
         file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
         file://symlink.patch \
+        file://0001-unzip-fix-CVE-2018-1000035.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"