unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315 Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. (From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802) (From OE-Core rev: 7c667c6aa0302649c125b0325a2e6f641810cb09) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Roy Li <rongqing.li@windriver.com> 2015-04-29 08:53:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:33 +0100
commit: 9f363a9c8a12f01c38ffb968fc727f6942aabb57 (patch)
tree: 1434f23760f308516b3b177d0a328bfe3f87db23 /meta
parent: 19bce8f5c6dc7148535ecfac42fa048415fe1e82 (diff)
download: poky-9f363a9c8a12f01c38ffb968fc727f6942aabb57.tar.gz
3 files changed, 451 insertions, 1 deletions
diff --git a/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
new file mode 100644
index 0000000000..9ba3c1dc62
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
@@ -0,0 +1,402 @@
+From: Giovanni Scafora <giovanni.archlinux.org>
+Subject: unzip files encoded with non-latin, non-unicode file names
+Last-Update: 2015-02-11
+Upstream-Status: Backport
+Updated 2015-02-11 by Marc Deslauriers <marc.deslauriers@canonical.com>
+to fix buffer overflow in charset_to_intern()
+Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
+Index: unzip-6.0/unix/unix.c
+===================================================================
+--- unzip-6.0.orig/unix/unix.c  2015-02-11 08:46:43.675324290 -0500
+++ unzip-6.0/unix/unix.c       2015-02-11 09:18:04.902081319 -0500
+@@ -30,6 +30,9 @@
+ #define UNZIP_INTERNAL
+ #include "unzip.h"
+ 
+#include <iconv.h>
+#include <langinfo.h>
+
+ #ifdef SCO_XENIX
+ #  define SYSNDIR
+ #else  /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
+@@ -1874,3 +1877,102 @@
+     }
+ }
+ #endif /* QLZIP */
+
+
+typedef struct {
+    char *local_charset;
+    char *archive_charset;
+} CHARSET_MAP;
+
+/* A mapping of local <-> archive charsets used by default to convert filenames
+ * of DOS/Windows Zip archives. Currently very basic. */
+static CHARSET_MAP dos_charset_map[] = {
+    { "ANSI_X3.4-1968", "CP850" },
+    { "ISO-8859-1", "CP850" },
+    { "CP1252", "CP850" },
+    { "UTF-8", "CP866" },
+    { "KOI8-R", "CP866" },
+    { "KOI8-U", "CP866" },
+    { "ISO-8859-5", "CP866" }
+};
+
+char OEM_CP[MAX_CP_NAME] = "";
+char ISO_CP[MAX_CP_NAME] = "";
+
+/* Try to guess the default value of OEM_CP based on the current locale.
+ * ISO_CP is left alone for now. */
+void init_conversion_charsets()
+{
+    const char *local_charset;
+    int i;
+
+    /* Make a guess only if OEM_CP not already set. */ 
+    if(*OEM_CP == '\0') {
+       local_charset = nl_langinfo(CODESET);
+       for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
+               if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
+                       strncpy(OEM_CP, dos_charset_map[i].archive_charset,
+                                       sizeof(OEM_CP));
+                       break;
+               }
+    }
+}
+
+/* Convert a string from one encoding to the current locale using iconv().
+ * Be as non-intrusive as possible. If error is encountered during covertion
+ * just leave the string intact. */
+static void charset_to_intern(char *string, char *from_charset)
+{
+    iconv_t cd;
+    char *s,*d, *buf;
+    size_t slen, dlen, buflen;
+    const char *local_charset;
+
+    if(*from_charset == '\0')
+       return;
+
+    buf = NULL;
+    local_charset = nl_langinfo(CODESET);
+
+    if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
+        return;
+
+    slen = strlen(string);
+    s = string;
+
+    /*  Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ
+     *  as this function also gets called with G.outbuf in fileio.c
+     */
+    buflen = FILNAMSIZ;
+    if (OUTBUFSIZ + 1 < FILNAMSIZ)
+    {
+        buflen = OUTBUFSIZ + 1;
+    }
+
+    d = buf = malloc(buflen);
+    if(!d)
+       goto cleanup;
+
+    bzero(buf,buflen);
+    dlen = buflen - 1;
+
+    if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1)
+       goto cleanup;
+    strncpy(string, buf, buflen);
+
+    cleanup:
+    free(buf);
+    iconv_close(cd);
+}
+
+/* Convert a string from OEM_CP to the current locale charset. */
+inline void oem_intern(char *string)
+{
+    charset_to_intern(string, OEM_CP);
+}
+
+/* Convert a string from ISO_CP to the current locale charset. */
+inline void iso_intern(char *string)
+{
+    charset_to_intern(string, ISO_CP);
+}
+Index: unzip-6.0/unix/unxcfg.h
+===================================================================
+--- unzip-6.0.orig/unix/unxcfg.h        2015-02-11 08:46:43.675324290 -0500
+++ unzip-6.0/unix/unxcfg.h     2015-02-11 08:46:43.671324260 -0500
+@@ -228,4 +228,30 @@
+ /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
+ /*    and notfirstcall are used by do_wild().                          */
+ 
+
+#define MAX_CP_NAME 25 
+   
+#ifdef SETLOCALE
+#  undef SETLOCALE
+#endif
+#define SETLOCALE(category, locale) setlocale(category, locale)
+#include <locale.h>
+   
+#ifdef _ISO_INTERN
+#  undef _ISO_INTERN
+#endif
+#define _ISO_INTERN(str1) iso_intern(str1)
+
+#ifdef _OEM_INTERN
+#  undef _OEM_INTERN
+#endif
+#ifndef IZ_OEM2ISO_ARRAY
+#  define IZ_OEM2ISO_ARRAY
+#endif
+#define _OEM_INTERN(str1) oem_intern(str1)
+
+void iso_intern(char *);
+void oem_intern(char *);
+void init_conversion_charsets(void);
+   
+ #endif /* !__unxcfg_h */
+Index: unzip-6.0/unzip.c
+===================================================================
+--- unzip-6.0.orig/unzip.c      2015-02-11 08:46:43.675324290 -0500
+++ unzip-6.0/unzip.c   2015-02-11 08:46:43.675324290 -0500
+@@ -327,11 +327,21 @@
+   -2  just filenames but allow -h/-t/-z  -l  long Unix \"ls -l\" format\n\
+                                          -v  verbose, multi-page format\n";
+ 
+#ifndef UNIX
+ static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+   -h  print header line       -t  print totals for listed files or for all\n\
+   -z  print zipfile comment   -T  print file times in sortable decimal format\
+ \n  -C  be case-insensitive   %s\
+   -x  exclude filenames that follow from listing\n";
+#else /* UNIX */
+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+  -h  print header line       -t  print totals for listed files or for all\n\
+  -z  print zipfile comment  %c-T%c print file times in sortable decimal format\
+\n %c-C%c be case-insensitive   %s\
+  -x  exclude filenames that follow from listing\n\
+  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
+  -I CHARSET  specify a character encoding for UNIX and other archives\n";
+#endif /* !UNIX */
+ #ifdef MORE
+    static ZCONST char Far ZipInfoUsageLine4[] =
+      "  -M  page output through built-in \"more\"\n";
+@@ -664,6 +674,17 @@
+   -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
+   -C  match filenames case-insensitively     -L  make (some) names \
+ lowercase\n %-42s  -V  retain VMS version numbers\n%s";
+#elif (defined UNIX)
+static ZCONST char Far UnzipUsageLine4[] = "\
+modifiers:\n\
+  -n  never overwrite existing files         -q  quiet mode (-qq => quieter)\n\
+  -o  overwrite files WITHOUT prompting      -a  auto-convert any text files\n\
+  -j  junk paths (do not make directories)   -aa treat ALL files as text\n\
+  -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
+  -C  match filenames case-insensitively     -L  make (some) names \
+lowercase\n %-42s  -V  retain VMS version numbers\n%s\
+  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
+  -I CHARSET  specify a character encoding for UNIX and other archives\n\n";
+ #else /* !VMS */
+ static ZCONST char Far UnzipUsageLine4[] = "\
+ modifiers:\n\
+@@ -802,6 +823,10 @@
+ #endif /* UNICODE_SUPPORT */
+ 
+ 
+#ifdef UNIX
+    init_conversion_charsets();
+#endif
+
+ #if (defined(__IBMC__) && defined(__DEBUG_ALLOC__))
+     extern void DebugMalloc(void);
+ 
+@@ -1335,6 +1360,11 @@
+     argc = *pargc;
+     argv = *pargv;
+ 
+#ifdef UNIX
+    extern char OEM_CP[MAX_CP_NAME];
+    extern char ISO_CP[MAX_CP_NAME];
+#endif
+    
+     while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
+         s = *argv + 1;
+         while ((c = *s++) != 0) {    /* "!= 0":  prevent Turbo C warning */
+@@ -1516,6 +1546,35 @@
+                     }
+                     break;
+ #endif  /* MACOS */
+#ifdef UNIX
+                       case ('I'):
+                    if (negative) {
+                        Info(slide, 0x401, ((char *)slide,
+                          "error:  encodings can't be negated"));
+                        return(PK_PARAM);
+                               } else {
+                                       if(*s) { /* Handle the -Icharset case */
+                                               /* Assume that charsets can't start with a dash to spot arguments misuse */
+                                               if(*s == '-') { 
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               strncpy(ISO_CP, s, sizeof(ISO_CP));
+                                       } else { /* -I charset */
+                                               ++argv;
+                                               if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               s = *argv;
+                                               strncpy(ISO_CP, s, sizeof(ISO_CP));
+                                       }
+                                       while(*(++s)); /* No params straight after charset name */
+                               }
+                               break;
+#endif /* ?UNIX */
+                 case ('j'):    /* junk pathnames/directory structure */
+                     if (negative)
+                         uO.jflag = FALSE, negative = 0;
+@@ -1591,6 +1650,35 @@
+                     } else
+                         ++uO.overwrite_all;
+                     break;
+#ifdef UNIX
+                       case ('O'):
+                    if (negative) {
+                        Info(slide, 0x401, ((char *)slide,
+                          "error:  encodings can't be negated"));
+                        return(PK_PARAM);
+                               } else {
+                                       if(*s) { /* Handle the -Ocharset case */
+                                               /* Assume that charsets can't start with a dash to spot arguments misuse */
+                                               if(*s == '-') { 
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               strncpy(OEM_CP, s, sizeof(OEM_CP));
+                                       } else { /* -O charset */
+                                               ++argv;
+                                               if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -O argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               s = *argv;
+                                               strncpy(OEM_CP, s, sizeof(OEM_CP));
+                                       }
+                                       while(*(++s)); /* No params straight after charset name */
+                               }
+                               break;
+#endif /* ?UNIX */
+                 case ('p'):    /* pipes:  extract to stdout, no messages */
+                     if (negative) {
+                         uO.cflag = FALSE;
+Index: unzip-6.0/unzpriv.h
+===================================================================
+--- unzip-6.0.orig/unzpriv.h    2015-02-11 08:46:43.675324290 -0500
+++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
+@@ -3008,7 +3008,7 @@
+          !(((islochdr) || (isuxatt)) && \
+            ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
+         (hostnum) == FS_HPFS_ || \
+-        ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \
+        ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \
+         _OEM_INTERN((string)); \
+     } else { \
+         _ISO_INTERN((string)); \
+Index: unzip-6.0/zipinfo.c
+===================================================================
+--- unzip-6.0.orig/zipinfo.c    2015-02-11 08:46:43.675324290 -0500
+++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
+@@ -457,6 +457,10 @@
+     int    tflag_slm=TRUE, tflag_2v=FALSE;
+     int    explicit_h=FALSE, explicit_t=FALSE;
+ 
+#ifdef UNIX
+    extern char OEM_CP[MAX_CP_NAME];
+    extern char ISO_CP[MAX_CP_NAME];
+#endif
+ 
+ #ifdef MACOS
+     uO.lflag = LFLAG;         /* reset default on each call */
+@@ -501,6 +505,35 @@
+                             uO.lflag = 0;
+                     }
+                     break;
+#ifdef UNIX
+                       case ('I'):
+                    if (negative) {
+                        Info(slide, 0x401, ((char *)slide,
+                          "error:  encodings can't be negated"));
+                        return(PK_PARAM);
+                               } else {
+                                       if(*s) { /* Handle the -Icharset case */
+                                               /* Assume that charsets can't start with a dash to spot arguments misuse */
+                                               if(*s == '-') { 
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               strncpy(ISO_CP, s, sizeof(ISO_CP));
+                                       } else { /* -I charset */
+                                               ++argv;
+                                               if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               s = *argv;
+                                               strncpy(ISO_CP, s, sizeof(ISO_CP));
+                                       }
+                                       while(*(++s)); /* No params straight after charset name */
+                               }
+                               break;
+#endif /* ?UNIX */
+                 case 'l':      /* longer form of "ls -l" type listing */
+                     if (negative)
+                         uO.lflag = -2, negative = 0;
+@@ -521,6 +554,35 @@
+                         G.M_flag = TRUE;
+                     break;
+ #endif
+#ifdef UNIX
+                       case ('O'):
+                    if (negative) {
+                        Info(slide, 0x401, ((char *)slide,
+                          "error:  encodings can't be negated"));
+                        return(PK_PARAM);
+                               } else {
+                                       if(*s) { /* Handle the -Ocharset case */
+                                               /* Assume that charsets can't start with a dash to spot arguments misuse */
+                                               if(*s == '-') { 
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -I argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               strncpy(OEM_CP, s, sizeof(OEM_CP));
+                                       } else { /* -O charset */
+                                               ++argv;
+                                               if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+                               Info(slide, 0x401, ((char *)slide,
+                                         "error:  a valid character encoding should follow the -O argument"));
+                               return(PK_PARAM); 
+                                               }
+                                               s = *argv;
+                                               strncpy(OEM_CP, s, sizeof(OEM_CP));
+                                       }
+                                       while(*(++s)); /* No params straight after charset name */
+                               }
+                               break;
+#endif /* ?UNIX */
+                 case 's':      /* default:  shorter "ls -l" type listing */
+                     if (negative)
+                         uO.lflag = -2, negative = 0;
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
new file mode 100644
index 0000000000..0a0bfbbb17
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+Upstream-Status: Backport
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+Signed-off-by: mancha <mancha1 AT zoho DOT com>
+---
+ extract.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- a/extract.c
+++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
+    ush method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
+          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+         return IZ_EF_TRUNC;               /* no compressed data! */
+ 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) &&
+        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
+       return PK_ERR;                    /* compressed & uncompressed
+                                          * should match in STORED
+                                          * method */
+
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 33c20f8b4c..9653bee1be 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -8,7 +8,10 @@ PR = "r5"
 SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
        file://avoid-strip.patch \
-        file://define-ldflags.patch"
+        file://define-ldflags.patch \
+        file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
+        file://unzip-6.0_overflow3.diff \
+"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
author	Roy Li <rongqing.li@windriver.com>	2015-04-29 08:53:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:33 +0100
commit	9f363a9c8a12f01c38ffb968fc727f6942aabb57 (patch)
tree	1434f23760f308516b3b177d0a328bfe3f87db23 /meta
parent	19bce8f5c6dc7148535ecfac42fa048415fe1e82 (diff)
download	poky-9f363a9c8a12f01c38ffb968fc727f6942aabb57.tar.gz

diff --git a/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch new file mode 100644 index 0000000000..9ba3c1dc62 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
@@ -0,0 +1,402 @@
		1	From: Giovanni Scafora <giovanni.archlinux.org>
		2	Subject: unzip files encoded with non-latin, non-unicode file names
		3	Last-Update: 2015-02-11
		4
		5	Upstream-Status: Backport
		6
		7	Updated 2015-02-11 by Marc Deslauriers <marc.deslauriers@canonical.com>
		8	to fix buffer overflow in charset_to_intern()
		9
		10	Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
		11
		12	Index: unzip-6.0/unix/unix.c
		13	===================================================================
		14	--- unzip-6.0.orig/unix/unix.c 2015-02-11 08:46:43.675324290 -0500
		15	+++ unzip-6.0/unix/unix.c 2015-02-11 09:18:04.902081319 -0500
		16	@@ -30,6 +30,9 @@
		17	#define UNZIP_INTERNAL
		18	#include "unzip.h"
		19
		20	+#include <iconv.h>
		21	+#include <langinfo.h>
		22	+
		23	#ifdef SCO_XENIX
		24	# define SYSNDIR
		25	#else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
		26	@@ -1874,3 +1877,102 @@
		27	}
		28	}
		29	#endif /* QLZIP */
		30	+
		31	+
		32	+typedef struct {
		33	+ char *local_charset;
		34	+ char *archive_charset;
		35	+} CHARSET_MAP;
		36	+
		37	+/* A mapping of local <-> archive charsets used by default to convert filenames
		38	+ * of DOS/Windows Zip archives. Currently very basic. */
		39	+static CHARSET_MAP dos_charset_map[] = {
		40	+ { "ANSI_X3.4-1968", "CP850" },
		41	+ { "ISO-8859-1", "CP850" },
		42	+ { "CP1252", "CP850" },
		43	+ { "UTF-8", "CP866" },
		44	+ { "KOI8-R", "CP866" },
		45	+ { "KOI8-U", "CP866" },
		46	+ { "ISO-8859-5", "CP866" }
		47	+};
		48	+
		49	+char OEM_CP[MAX_CP_NAME] = "";
		50	+char ISO_CP[MAX_CP_NAME] = "";
		51	+
		52	+/* Try to guess the default value of OEM_CP based on the current locale.
		53	+ * ISO_CP is left alone for now. */
		54	+void init_conversion_charsets()
		55	+{
		56	+ const char *local_charset;
		57	+ int i;
		58	+
		59	+ /* Make a guess only if OEM_CP not already set. */
		60	+ if(*OEM_CP == '\0') {
		61	+ local_charset = nl_langinfo(CODESET);
		62	+ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
		63	+ if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
		64	+ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
		65	+ sizeof(OEM_CP));
		66	+ break;
		67	+ }
		68	+ }
		69	+}
		70	+
		71	+/* Convert a string from one encoding to the current locale using iconv().
		72	+ * Be as non-intrusive as possible. If error is encountered during covertion
		73	+ * just leave the string intact. */
		74	+static void charset_to_intern(char string, char from_charset)
		75	+{
		76	+ iconv_t cd;
		77	+ char s,d, *buf;
		78	+ size_t slen, dlen, buflen;
		79	+ const char *local_charset;
		80	+
		81	+ if(*from_charset == '\0')
		82	+ return;
		83	+
		84	+ buf = NULL;
		85	+ local_charset = nl_langinfo(CODESET);
		86	+
		87	+ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
		88	+ return;
		89	+
		90	+ slen = strlen(string);
		91	+ s = string;
		92	+
		93	+ /* Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ
		94	+ * as this function also gets called with G.outbuf in fileio.c
		95	+ */
		96	+ buflen = FILNAMSIZ;
		97	+ if (OUTBUFSIZ + 1 < FILNAMSIZ)
		98	+ {
		99	+ buflen = OUTBUFSIZ + 1;
		100	+ }
		101	+
		102	+ d = buf = malloc(buflen);
		103	+ if(!d)
		104	+ goto cleanup;
		105	+
		106	+ bzero(buf,buflen);
		107	+ dlen = buflen - 1;
		108	+
		109	+ if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1)
		110	+ goto cleanup;
		111	+ strncpy(string, buf, buflen);
		112	+
		113	+ cleanup:
		114	+ free(buf);
		115	+ iconv_close(cd);
		116	+}
		117	+
		118	+/* Convert a string from OEM_CP to the current locale charset. */
		119	+inline void oem_intern(char *string)
		120	+{
		121	+ charset_to_intern(string, OEM_CP);
		122	+}
		123	+
		124	+/* Convert a string from ISO_CP to the current locale charset. */
		125	+inline void iso_intern(char *string)
		126	+{
		127	+ charset_to_intern(string, ISO_CP);
		128	+}
		129	Index: unzip-6.0/unix/unxcfg.h
		130	===================================================================
		131	--- unzip-6.0.orig/unix/unxcfg.h 2015-02-11 08:46:43.675324290 -0500
		132	+++ unzip-6.0/unix/unxcfg.h 2015-02-11 08:46:43.671324260 -0500
		133	@@ -228,4 +228,30 @@
		134	/* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
		135	/* and notfirstcall are used by do_wild(). */
		136
		137	+
		138	+#define MAX_CP_NAME 25
		139	+
		140	+#ifdef SETLOCALE
		141	+# undef SETLOCALE
		142	+#endif
		143	+#define SETLOCALE(category, locale) setlocale(category, locale)
		144	+#include <locale.h>
		145	+
		146	+#ifdef _ISO_INTERN
		147	+# undef _ISO_INTERN
		148	+#endif
		149	+#define _ISO_INTERN(str1) iso_intern(str1)
		150	+
		151	+#ifdef _OEM_INTERN
		152	+# undef _OEM_INTERN
		153	+#endif
		154	+#ifndef IZ_OEM2ISO_ARRAY
		155	+# define IZ_OEM2ISO_ARRAY
		156	+#endif
		157	+#define _OEM_INTERN(str1) oem_intern(str1)
		158	+
		159	+void iso_intern(char *);
		160	+void oem_intern(char *);
		161	+void init_conversion_charsets(void);
		162	+
		163	#endif /* !__unxcfg_h */
		164	Index: unzip-6.0/unzip.c
		165	===================================================================
		166	--- unzip-6.0.orig/unzip.c 2015-02-11 08:46:43.675324290 -0500
		167	+++ unzip-6.0/unzip.c 2015-02-11 08:46:43.675324290 -0500
		168	@@ -327,11 +327,21 @@
		169	-2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\
		170	-v verbose, multi-page format\n";
		171
		172	+#ifndef UNIX
		173	static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
		174	-h print header line -t print totals for listed files or for all\n\
		175	-z print zipfile comment -T print file times in sortable decimal format\
		176	\n -C be case-insensitive %s\
		177	-x exclude filenames that follow from listing\n";
		178	+#else /* UNIX */
		179	+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
		180	+ -h print header line -t print totals for listed files or for all\n\
		181	+ -z print zipfile comment %c-T%c print file times in sortable decimal format\
		182	+\n %c-C%c be case-insensitive %s\
		183	+ -x exclude filenames that follow from listing\n\
		184	+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
		185	+ -I CHARSET specify a character encoding for UNIX and other archives\n";
		186	+#endif /* !UNIX */
		187	#ifdef MORE
		188	static ZCONST char Far ZipInfoUsageLine4[] =
		189	" -M page output through built-in \"more\"\n";
		190	@@ -664,6 +674,17 @@
		191	-U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
		192	-C match filenames case-insensitively -L make (some) names \
		193	lowercase\n %-42s -V retain VMS version numbers\n%s";
		194	+#elif (defined UNIX)
		195	+static ZCONST char Far UnzipUsageLine4[] = "\
		196	+modifiers:\n\
		197	+ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
		198	+ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\
		199	+ -j junk paths (do not make directories) -aa treat ALL files as text\n\
		200	+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
		201	+ -C match filenames case-insensitively -L make (some) names \
		202	+lowercase\n %-42s -V retain VMS version numbers\n%s\
		203	+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
		204	+ -I CHARSET specify a character encoding for UNIX and other archives\n\n";
		205	#else /* !VMS */
		206	static ZCONST char Far UnzipUsageLine4[] = "\
		207	modifiers:\n\
		208	@@ -802,6 +823,10 @@
		209	#endif /* UNICODE_SUPPORT */
		210
		211
		212	+#ifdef UNIX
		213	+ init_conversion_charsets();
		214	+#endif
		215	+
		216	#if (defined(__IBMC__) && defined(__DEBUG_ALLOC__))
		217	extern void DebugMalloc(void);
		218
		219	@@ -1335,6 +1360,11 @@
		220	argc = *pargc;
		221	argv = *pargv;
		222
		223	+#ifdef UNIX
		224	+ extern char OEM_CP[MAX_CP_NAME];
		225	+ extern char ISO_CP[MAX_CP_NAME];
		226	+#endif
		227	+
		228	while (++argv, (--argc > 0 && argv != NULL && *argv == '-')) {
		229	s = *argv + 1;
		230	while ((c = s++) != 0) { / "!= 0": prevent Turbo C warning */
		231	@@ -1516,6 +1546,35 @@
		232	}
		233	break;
		234	#endif /* MACOS */
		235	+#ifdef UNIX
		236	+ case ('I'):
		237	+ if (negative) {
		238	+ Info(slide, 0x401, ((char *)slide,
		239	+ "error: encodings can't be negated"));
		240	+ return(PK_PARAM);
		241	+ } else {
		242	+ if(s) { / Handle the -Icharset case */
		243	+ /* Assume that charsets can't start with a dash to spot arguments misuse */
		244	+ if(*s == '-') {
		245	+ Info(slide, 0x401, ((char *)slide,
		246	+ "error: a valid character encoding should follow the -I argument"));
		247	+ return(PK_PARAM);
		248	+ }
		249	+ strncpy(ISO_CP, s, sizeof(ISO_CP));
		250	+ } else { /* -I charset */
		251	+ ++argv;
		252	+ if(!(--argc > 0 && argv != NULL && *argv != '-')) {
		253	+ Info(slide, 0x401, ((char *)slide,
		254	+ "error: a valid character encoding should follow the -I argument"));
		255	+ return(PK_PARAM);
		256	+ }
		257	+ s = *argv;
		258	+ strncpy(ISO_CP, s, sizeof(ISO_CP));
		259	+ }
		260	+ while((++s)); / No params straight after charset name */
		261	+ }
		262	+ break;
		263	+#endif /* ?UNIX */
		264	case ('j'): /* junk pathnames/directory structure */
		265	if (negative)
		266	uO.jflag = FALSE, negative = 0;
		267	@@ -1591,6 +1650,35 @@
		268	} else
		269	++uO.overwrite_all;
		270	break;
		271	+#ifdef UNIX
		272	+ case ('O'):
		273	+ if (negative) {
		274	+ Info(slide, 0x401, ((char *)slide,
		275	+ "error: encodings can't be negated"));
		276	+ return(PK_PARAM);
		277	+ } else {
		278	+ if(s) { / Handle the -Ocharset case */
		279	+ /* Assume that charsets can't start with a dash to spot arguments misuse */
		280	+ if(*s == '-') {
		281	+ Info(slide, 0x401, ((char *)slide,
		282	+ "error: a valid character encoding should follow the -I argument"));
		283	+ return(PK_PARAM);
		284	+ }
		285	+ strncpy(OEM_CP, s, sizeof(OEM_CP));
		286	+ } else { /* -O charset */
		287	+ ++argv;
		288	+ if(!(--argc > 0 && argv != NULL && *argv != '-')) {
		289	+ Info(slide, 0x401, ((char *)slide,
		290	+ "error: a valid character encoding should follow the -O argument"));
		291	+ return(PK_PARAM);
		292	+ }
		293	+ s = *argv;
		294	+ strncpy(OEM_CP, s, sizeof(OEM_CP));
		295	+ }
		296	+ while((++s)); / No params straight after charset name */
		297	+ }
		298	+ break;
		299	+#endif /* ?UNIX */
		300	case ('p'): /* pipes: extract to stdout, no messages */
		301	if (negative) {
		302	uO.cflag = FALSE;
		303	Index: unzip-6.0/unzpriv.h
		304	===================================================================
		305	--- unzip-6.0.orig/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
		306	+++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
		307	@@ -3008,7 +3008,7 @@
		308	!(((islochdr) \|\| (isuxatt)) && \
		309	((hostver) == 25 \|\| (hostver) == 26 \|\| (hostver) == 40))) \|\| \
		310	(hostnum) == FS_HPFS_ \|\| \
		311	- ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \
		312	+ ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \
		313	_OEM_INTERN((string)); \
		314	} else { \
		315	_ISO_INTERN((string)); \
		316	Index: unzip-6.0/zipinfo.c
		317	===================================================================
		318	--- unzip-6.0.orig/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
		319	+++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
		320	@@ -457,6 +457,10 @@
		321	int tflag_slm=TRUE, tflag_2v=FALSE;
		322	int explicit_h=FALSE, explicit_t=FALSE;
		323
		324	+#ifdef UNIX
		325	+ extern char OEM_CP[MAX_CP_NAME];
		326	+ extern char ISO_CP[MAX_CP_NAME];
		327	+#endif
		328
		329	#ifdef MACOS
		330	uO.lflag = LFLAG; /* reset default on each call */
		331	@@ -501,6 +505,35 @@
		332	uO.lflag = 0;
		333	}
		334	break;
		335	+#ifdef UNIX
		336	+ case ('I'):
		337	+ if (negative) {
		338	+ Info(slide, 0x401, ((char *)slide,
		339	+ "error: encodings can't be negated"));
		340	+ return(PK_PARAM);
		341	+ } else {
		342	+ if(s) { / Handle the -Icharset case */
		343	+ /* Assume that charsets can't start with a dash to spot arguments misuse */
		344	+ if(*s == '-') {
		345	+ Info(slide, 0x401, ((char *)slide,
		346	+ "error: a valid character encoding should follow the -I argument"));
		347	+ return(PK_PARAM);
		348	+ }
		349	+ strncpy(ISO_CP, s, sizeof(ISO_CP));
		350	+ } else { /* -I charset */
		351	+ ++argv;
		352	+ if(!(--argc > 0 && argv != NULL && *argv != '-')) {
		353	+ Info(slide, 0x401, ((char *)slide,
		354	+ "error: a valid character encoding should follow the -I argument"));
		355	+ return(PK_PARAM);
		356	+ }
		357	+ s = *argv;
		358	+ strncpy(ISO_CP, s, sizeof(ISO_CP));
		359	+ }
		360	+ while((++s)); / No params straight after charset name */
		361	+ }
		362	+ break;
		363	+#endif /* ?UNIX */
		364	case 'l': /* longer form of "ls -l" type listing */
		365	if (negative)
		366	uO.lflag = -2, negative = 0;
		367	@@ -521,6 +554,35 @@
		368	G.M_flag = TRUE;
		369	break;
		370	#endif
		371	+#ifdef UNIX
		372	+ case ('O'):
		373	+ if (negative) {
		374	+ Info(slide, 0x401, ((char *)slide,
		375	+ "error: encodings can't be negated"));
		376	+ return(PK_PARAM);
		377	+ } else {
		378	+ if(s) { / Handle the -Ocharset case */
		379	+ /* Assume that charsets can't start with a dash to spot arguments misuse */
		380	+ if(*s == '-') {
		381	+ Info(slide, 0x401, ((char *)slide,
		382	+ "error: a valid character encoding should follow the -I argument"));
		383	+ return(PK_PARAM);
		384	+ }
		385	+ strncpy(OEM_CP, s, sizeof(OEM_CP));
		386	+ } else { /* -O charset */
		387	+ ++argv;
		388	+ if(!(--argc > 0 && argv != NULL && *argv != '-')) {
		389	+ Info(slide, 0x401, ((char *)slide,
		390	+ "error: a valid character encoding should follow the -O argument"));
		391	+ return(PK_PARAM);
		392	+ }
		393	+ s = *argv;
		394	+ strncpy(OEM_CP, s, sizeof(OEM_CP));
		395	+ }
		396	+ while((++s)); / No params straight after charset name */
		397	+ }
		398	+ break;
		399	+#endif /* ?UNIX */
		400	case 's': /* default: shorter "ls -l" type listing */
		401	if (negative)
		402	uO.lflag = -2, negative = 0;


diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff new file mode 100644 index 0000000000..0a0bfbbb17 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
		1	From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
		2	From: mancha <mancha1 AT zoho DOT com>
		3	Date: Wed, 11 Feb 2015
		4	Subject: Info-ZIP UnZip buffer overflow
		5
		6	Upstream-Status: Backport
		7
		8	By carefully crafting a corrupt ZIP archive with "extra fields" that
		9	purport to have compressed blocks larger than the corresponding
		10	uncompressed blocks in STORED no-compression mode, an attacker can
		11	trigger a heap overflow that can result in application crash or
		12	possibly have other unspecified impact.
		13
		14	This patch ensures that when extra fields use STORED mode, the
		15	"compressed" and uncompressed block sizes match.
		16
		17	Signed-off-by: mancha <mancha1 AT zoho DOT com>
		18	---
		19	extract.c \| 8 ++++++++
		20	1 file changed, 8 insertions(+)
		21
		22	--- a/extract.c
		23	+++ b/extract.c
		24	@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
		25	ulg eb_ucsize;
		26	uch *eb_ucptr;
		27	int r;
		28	+ ush method;
		29
		30	if (compr_offset < 4) /* field is not compressed: */
		31	return PK_OK; /* do nothing and signal OK */
		32	@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
		33	eb_size <= (compr_offset + EB_CMPRHEADLEN)))
		34	return IZ_EF_TRUNC; /* no compressed data! */
		35
		36	+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
		37	+ if ((method == STORED) &&
		38	+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
		39	+ return PK_ERR; /* compressed & uncompressed
		40	+ * should match in STORED
		41	+ * method */
		42	+
		43	if (
		44	#ifdef INT_16BIT
		45	(((ulg)(extent)eb_ucsize) != eb_ucsize) \|\|


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 33c20f8b4c..9653bee1be 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -8,7 +8,10 @@ PR = "r5"
8		8
9	SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \	9	SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
10	file://avoid-strip.patch \	10	file://avoid-strip.patch \
11	file://define-ldflags.patch"	11	file://define-ldflags.patch \
		12	file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
		13	file://unzip-6.0_overflow3.diff \
		14	"
12		15
13	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"	16	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
14	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"	17	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"