unzip: fix four CVE defects

Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix: cve-2014-8139 cve-2014-8140 cve-2014-8141 cve-2014-9636 (From OE-Core rev: 429ab46f975c05f65120beddf50099c7cb0b2f86) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Roy Li <rongqing.li@windriver.com> 2015-06-23 13:32:06 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:34 +0100
commit: fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c (patch)
tree: cecec1b5d5a90dbdcc13a8cef891603ccbe4bca0 /meta
parent: 9f363a9c8a12f01c38ffb968fc727f6942aabb57 (diff)
download: poky-fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c.tar.gz
5 files changed, 278 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
new file mode 100644
index 0000000000..e137f0dc76
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+Upstream-Status: Backport
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+--- a/extract.c
+++ b/extract.c
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+     EF block length (%u bytes) invalid (< %d)\n";
+    static ZCONST char Far InvalidComprDataEAs[] =
+      " invalid compressed data for EAs\n";
+ #  if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+         ebID = makeword(ef);
+         ebLen = (unsigned)makeword(ef+EB_LEN);
+ 
+-        if (ebLen > (ef_len - EB_HEADSIZE)) {
+        if (ebLen > (ef_len - EB_HEADSIZE))
+        {
+            /* Discovered some extra field inconsistency! */
+             if (uO.qflag)
+                 Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+                 }
+                 break;
+             case EF_PKVMS:
+-                if (makelong(ef+EB_HEADSIZE) !=
+                if (ebLen < 4)
+                {
+                    Info(slide, 1,
+                     ((char *)slide, LoadFarString(TooSmallEBlength),
+                     ebLen, 4));
+                }
+                else if (makelong(ef+EB_HEADSIZE) !=
+                     crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+                           (extent)(ebLen-4)))
+                {
+                     Info(slide, 1, ((char *)slide,
+                       LoadFarString(BadCRC_EAs)));
+                }
+                 break;
+             case EF_PKW32:
+             case EF_PKUNIX:
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
new file mode 100644
index 0000000000..edc7d515b0
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,33 @@
+From: sms
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: http://bugs.debian.org/773722
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+Upstream-Status: Backport
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+--- a/extract.c
+++ b/extract.c
+@@ -2232,10 +2232,17 @@
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+ 
+    /* Return no/bad-data error status if any problem is found:
+     *    1. eb_size is too small to hold the uncompressed size
+     *       (eb_ucsize).  (Else extract eb_ucsize.)
+     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
+     *    3. eb_ucsize is positive, but eb_size is too small to hold
+     *       the compressed data header.
+     */
+     if ((eb_size < (EB_UCSIZE_P + 4)) ||
+-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+-        return IZ_EF_TRUNC;               /* no compressed data! */
+     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
+     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+        return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+     if (
+ #ifdef INT_16BIT
diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
new file mode 100644
index 0000000000..d0c1db3925
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+Upstream-Status: Backport
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+--- a/fileio.c
+++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+static ZCONST char Far ExtraFieldCorrupt[] =
+  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
+ 
+ #ifdef WINDLL
+    static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+                 return PK_EOF;
+             /* Looks like here is where extra fields are read */
+-            getZip64Data(__G__ G.extra_field, length);
+            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+            {
+                Info(slide, 0x401, ((char *)slide,
+                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                error = PK_WARN;
+            }
+ #ifdef UNICODE_SUPPORT
+             G.unipath_filename = NULL;
+             if (G.UzO.U_flag < 2) {
+--- a/process.c
+++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+     and a 4-byte version of disk start number.
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+
+    2014-12-05 SMS.
+    Added checks to ensure that enough data are available before calling
+    makeint64() or makelong().  Replaced various sizeof() values with
+    simple ("4" or "8") constants.  (The Zip64 structures do not depend
+    on our variable sizes.)  Error handling is crude, but we should now
+    stay within the buffer.
+   ---------------------------------------------------------------------------*/
+ 
+#define Z64FLGS 0xffff
+#define Z64FLGL 0xffffffff
+
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+ 
+     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+       ef_len));
+ 
+-    while (ef_len >= EB_HEADSIZE) {
+    while (ef_len >= EB_HEADSIZE)
+    {
+         eb_id = makeword(EB_ID + ef_buf);
+         eb_len = makeword(EB_LEN + ef_buf);
+ 
+-        if (eb_len > (ef_len - EB_HEADSIZE)) {
+-            /* discovered some extra field inconsistency! */
+        if (eb_len > (ef_len - EB_HEADSIZE))
+        {
+            /* Extra block length exceeds remaining extra field length. */
+             Trace((stderr,
+               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+-        if (eb_id == EF_PKSZ64) {
+-
+        if (eb_id == EF_PKSZ64)
+        {
+           int offset = EB_HEADSIZE;
+ 
+-          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+-            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.ucsize);
+          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+-            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.csize);
+
+          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.relative_offset_local_header == 0xffffffff){
+
+          if (G.crec.relative_offset_local_header == Z64FLGL)
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.relative_offset_local_header);
+            offset += 8;
+           }
+-          if (G.crec.disk_number_start == 0xffff){
+
+          if (G.crec.disk_number_start == Z64FLGS)
+          {
+            if (offset+ 4 > ef_len)
+              return PK_ERR;
+
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+-            offset += sizeof(G.crec.disk_number_start);
+            offset += 4;
+           }
+#if 0
+          break;                /* Expect only one EF_PKSZ64 block. */
+#endif /* 0 */
+         }
+ 
+-        /* Skip this extra field block */
+        /* Skip this extra field block. */
+         ef_buf += (eb_len + EB_HEADSIZE);
+         ef_len -= (eb_len + EB_HEADSIZE);
+     }
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
new file mode 100644
index 0000000000..b64dd99244
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,45 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+Upstream-Status: Backport
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+--- a/extract.c
+++ b/extract.c
+@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+     uch *eb_ucptr;
+     int r;
+     ush method;
+    ush eb_compr_method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+         return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+    /* 2014-11-03 Michal Zalewski, SMS.
+     * For STORE method, compressed and uncompressed sizes must agree.
+     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+     */
+    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+    if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
+        return PK_ERR;
+
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 9653bee1be..00b68ad785 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
        file://define-ldflags.patch \
        file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
        file://unzip-6.0_overflow3.diff \
+        file://09-cve-2014-8139-crc-overflow.patch \
+        file://10-cve-2014-8140-test-compr-eb.patch \
+        file://11-cve-2014-8141-getzip64data.patch \
+        file://12-cve-2014-9636-test-compr-eb.patch \
 "
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
author	Roy Li <rongqing.li@windriver.com>	2015-06-23 13:32:06 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:34 +0100
commit	fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c (patch)
tree	cecec1b5d5a90dbdcc13a8cef891603ccbe4bca0 /meta
parent	9f363a9c8a12f01c38ffb968fc727f6942aabb57 (diff)
download	poky-fcd25c6d2e4f398dd641888fcb6dbcdf54ce6a4c.tar.gz

diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch new file mode 100644 index 0000000000..e137f0dc76 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
		1	From: sms
		2	Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
		3	Bug-Debian: http://bugs.debian.org/773722
		4
		5	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Roy Li <rongqing.li@windriver.com>
		10
		11	--- a/extract.c
		12	+++ b/extract.c
		13	@@ -298,6 +298,8 @@
		14	#ifndef SFX
		15	static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
		16	EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
		17	+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
		18	+ EF block length (%u bytes) invalid (< %d)\n";
		19	static ZCONST char Far InvalidComprDataEAs[] =
		20	" invalid compressed data for EAs\n";
		21	# if (defined(WIN32) && defined(NTSD_EAS))
		22	@@ -2023,7 +2025,8 @@
		23	ebID = makeword(ef);
		24	ebLen = (unsigned)makeword(ef+EB_LEN);
		25
		26	- if (ebLen > (ef_len - EB_HEADSIZE)) {
		27	+ if (ebLen > (ef_len - EB_HEADSIZE))
		28	+ {
		29	/* Discovered some extra field inconsistency! */
		30	if (uO.qflag)
		31	Info(slide, 1, ((char *)slide, "%-22s ",
		32	@@ -2158,11 +2161,19 @@
		33	}
		34	break;
		35	case EF_PKVMS:
		36	- if (makelong(ef+EB_HEADSIZE) !=
		37	+ if (ebLen < 4)
		38	+ {
		39	+ Info(slide, 1,
		40	+ ((char *)slide, LoadFarString(TooSmallEBlength),
		41	+ ebLen, 4));
		42	+ }
		43	+ else if (makelong(ef+EB_HEADSIZE) !=
		44	crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
		45	(extent)(ebLen-4)))
		46	+ {
		47	Info(slide, 1, ((char *)slide,
		48	LoadFarString(BadCRC_EAs)));
		49	+ }
		50	break;
		51	case EF_PKW32:
		52	case EF_PKUNIX:


diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 0000000000..edc7d515b0 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,33 @@
		1	From: sms
		2	Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
		3	Bug-Debian: http://bugs.debian.org/773722
		4
		5	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Roy Li <rongqing.li@windriver.com>
		10
		11	--- a/extract.c
		12	+++ b/extract.c
		13	@@ -2232,10 +2232,17 @@
		14	if (compr_offset < 4) /* field is not compressed: */
		15	return PK_OK; /* do nothing and signal OK */
		16
		17	+ /* Return no/bad-data error status if any problem is found:
		18	+ * 1. eb_size is too small to hold the uncompressed size
		19	+ * (eb_ucsize). (Else extract eb_ucsize.)
		20	+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
		21	+ * 3. eb_ucsize is positive, but eb_size is too small to hold
		22	+ * the compressed data header.
		23	+ */
		24	if ((eb_size < (EB_UCSIZE_P + 4)) \|\|
		25	- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
		26	- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
		27	- return IZ_EF_TRUNC; /* no compressed data! */
		28	+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) \|\|
		29	+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
		30	+ return IZ_EF_TRUNC; /* no/bad compressed data! */
		31
		32	if (
		33	#ifdef INT_16BIT


diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch new file mode 100644 index 0000000000..d0c1db3925 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
		1	From: sms
		2	Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
		3	Bug-Debian: http://bugs.debian.org/773722
		4
		5	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Roy Li <rongqing.li@windriver.com>
		10
		11
		12	--- a/fileio.c
		13	+++ b/fileio.c
		14	@@ -176,6 +176,8 @@
		15	#endif
		16	static ZCONST char Far ExtraFieldTooLong[] =
		17	"warning: extra field too long (%d). Ignoring...\n";
		18	+static ZCONST char Far ExtraFieldCorrupt[] =
		19	+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
		20
		21	#ifdef WINDLL
		22	static ZCONST char Far DiskFullQuery[] =
		23	@@ -2295,7 +2297,12 @@
		24	if (readbuf(__G__ (char *)G.extra_field, length) == 0)
		25	return PK_EOF;
		26	/* Looks like here is where extra fields are read */
		27	- getZip64Data(__G__ G.extra_field, length);
		28	+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
		29	+ {
		30	+ Info(slide, 0x401, ((char *)slide,
		31	+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
		32	+ error = PK_WARN;
		33	+ }
		34	#ifdef UNICODE_SUPPORT
		35	G.unipath_filename = NULL;
		36	if (G.UzO.U_flag < 2) {
		37	--- a/process.c
		38	+++ b/process.c
		39	@@ -1,5 +1,5 @@
		40	/*
		41	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
		42	+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
		43
		44	See the accompanying file LICENSE, version 2009-Jan-02 or later
		45	(the contents of which are also included in unzip.h) for terms of use.
		46	@@ -1901,48 +1901,82 @@
		47	and a 4-byte version of disk start number.
		48	Sets both local header and central header fields. Not terribly clever,
		49	but it means that this procedure is only called in one place.
		50	+
		51	+ 2014-12-05 SMS.
		52	+ Added checks to ensure that enough data are available before calling
		53	+ makeint64() or makelong(). Replaced various sizeof() values with
		54	+ simple ("4" or "8") constants. (The Zip64 structures do not depend
		55	+ on our variable sizes.) Error handling is crude, but we should now
		56	+ stay within the buffer.
		57	---------------------------------------------------------------------------*/
		58
		59	+#define Z64FLGS 0xffff
		60	+#define Z64FLGL 0xffffffff
		61	+
		62	if (ef_len == 0 \|\| ef_buf == NULL)
		63	return PK_COOL;
		64
		65	Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
		66	ef_len));
		67
		68	- while (ef_len >= EB_HEADSIZE) {
		69	+ while (ef_len >= EB_HEADSIZE)
		70	+ {
		71	eb_id = makeword(EB_ID + ef_buf);
		72	eb_len = makeword(EB_LEN + ef_buf);
		73
		74	- if (eb_len > (ef_len - EB_HEADSIZE)) {
		75	- /* discovered some extra field inconsistency! */
		76	+ if (eb_len > (ef_len - EB_HEADSIZE))
		77	+ {
		78	+ /* Extra block length exceeds remaining extra field length. */
		79	Trace((stderr,
		80	"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
		81	ef_len - EB_HEADSIZE));
		82	break;
		83	}
		84	- if (eb_id == EF_PKSZ64) {
		85	-
		86	+ if (eb_id == EF_PKSZ64)
		87	+ {
		88	int offset = EB_HEADSIZE;
		89
		90	- if (G.crec.ucsize == 0xffffffff \|\| G.lrec.ucsize == 0xffffffff){
		91	- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
		92	- offset += sizeof(G.crec.ucsize);
		93	+ if ((G.crec.ucsize == Z64FLGL) \|\| (G.lrec.ucsize == Z64FLGL))
		94	+ {
		95	+ if (offset+ 8 > ef_len)
		96	+ return PK_ERR;
		97	+
		98	+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
		99	+ offset += 8;
		100	}
		101	- if (G.crec.csize == 0xffffffff \|\| G.lrec.csize == 0xffffffff){
		102	- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
		103	- offset += sizeof(G.crec.csize);
		104	+
		105	+ if ((G.crec.csize == Z64FLGL) \|\| (G.lrec.csize == Z64FLGL))
		106	+ {
		107	+ if (offset+ 8 > ef_len)
		108	+ return PK_ERR;
		109	+
		110	+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
		111	+ offset += 8;
		112	}
		113	- if (G.crec.relative_offset_local_header == 0xffffffff){
		114	+
		115	+ if (G.crec.relative_offset_local_header == Z64FLGL)
		116	+ {
		117	+ if (offset+ 8 > ef_len)
		118	+ return PK_ERR;
		119	+
		120	G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
		121	- offset += sizeof(G.crec.relative_offset_local_header);
		122	+ offset += 8;
		123	}
		124	- if (G.crec.disk_number_start == 0xffff){
		125	+
		126	+ if (G.crec.disk_number_start == Z64FLGS)
		127	+ {
		128	+ if (offset+ 4 > ef_len)
		129	+ return PK_ERR;
		130	+
		131	G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
		132	- offset += sizeof(G.crec.disk_number_start);
		133	+ offset += 4;
		134	}
		135	+#if 0
		136	+ break; /* Expect only one EF_PKSZ64 block. */
		137	+#endif /* 0 */
		138	}
		139
		140	- /* Skip this extra field block */
		141	+ /* Skip this extra field block. */
		142	ef_buf += (eb_len + EB_HEADSIZE);
		143	ef_len -= (eb_len + EB_HEADSIZE);
		144	}


diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch new file mode 100644 index 0000000000..b64dd99244 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,45 @@
		1	From: mancha <mancha1 AT zoho DOT com>
		2	Date: Mon, 3 Nov 2014
		3	Subject: Info-ZIP UnZip buffer overflow
		4	Bug-Debian: http://bugs.debian.org/776589
		5
		6	By carefully crafting a corrupt ZIP archive with "extra fields" that
		7	purport to have compressed blocks larger than the corresponding
		8	uncompressed blocks in STORED no-compression mode, an attacker can
		9	trigger a heap overflow that can result in application crash or
		10	possibly have other unspecified impact.
		11
		12	This patch ensures that when extra fields use STORED mode, the
		13	"compressed" and uncompressed block sizes match.
		14
		15	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
		16
		17	Upstream-Status: Backport
		18
		19	Signed-off-by: Roy Li <rongqing.li@windriver.com>
		20
		21	--- a/extract.c
		22	+++ b/extract.c
		23	@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
		24	uch *eb_ucptr;
		25	int r;
		26	ush method;
		27	+ ush eb_compr_method;
		28
		29	if (compr_offset < 4) /* field is not compressed: */
		30	return PK_OK; /* do nothing and signal OK */
		31	@@ -2244,6 +2245,14 @@
		32	((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
		33	return IZ_EF_TRUNC; /* no/bad compressed data! */
		34
		35	+ /* 2014-11-03 Michal Zalewski, SMS.
		36	+ * For STORE method, compressed and uncompressed sizes must agree.
		37	+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
		38	+ */
		39	+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
		40	+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
		41	+ return PK_ERR;
		42	+
		43	if (
		44	#ifdef INT_16BIT
		45	(((ulg)(extent)eb_ucsize) != eb_ucsize) \|\|


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 9653bee1be..00b68ad785 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
11	file://define-ldflags.patch \	11	file://define-ldflags.patch \
12	file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \	12	file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
13	file://unzip-6.0_overflow3.diff \	13	file://unzip-6.0_overflow3.diff \
		14	file://09-cve-2014-8139-crc-overflow.patch \
		15	file://10-cve-2014-8140-test-compr-eb.patch \
		16	file://11-cve-2014-8141-getzip64data.patch \
		17	file://12-cve-2014-9636-test-compr-eb.patch \
14	"	18	"
15		19
16	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"	20	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"