summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRoy Li <rongqing.li@windriver.com>2015-04-29 08:53:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-28 09:44:07 +0100
commit08a09c34104eaf54cb46e48227f022e895d4e39a (patch)
tree0eb1d954e8e0cfd7717fa5b39b499487e4ba9b0f /meta
parentd271a8e004fc29dba48c444157f7d1a9b59a105f (diff)
downloadpoky-08a09c34104eaf54cb46e48227f022e895d4e39a.tar.gz
unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315 Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. (From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802) (From OE-Core rev: d868f9e8a6a5d4dc9c38e2881a329f7e3210eab8) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch402
-rw-r--r--meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff45
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb5
3 files changed, 451 insertions, 1 deletions
diff --git a/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
new file mode 100644
index 0000000000..9ba3c1dc62
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
@@ -0,0 +1,402 @@
1From: Giovanni Scafora <giovanni.archlinux.org>
2Subject: unzip files encoded with non-latin, non-unicode file names
3Last-Update: 2015-02-11
4
5Upstream-Status: Backport
6
7Updated 2015-02-11 by Marc Deslauriers <marc.deslauriers@canonical.com>
8to fix buffer overflow in charset_to_intern()
9
10Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
11
12Index: unzip-6.0/unix/unix.c
13===================================================================
14--- unzip-6.0.orig/unix/unix.c 2015-02-11 08:46:43.675324290 -0500
15+++ unzip-6.0/unix/unix.c 2015-02-11 09:18:04.902081319 -0500
16@@ -30,6 +30,9 @@
17 #define UNZIP_INTERNAL
18 #include "unzip.h"
19
20+#include <iconv.h>
21+#include <langinfo.h>
22+
23 #ifdef SCO_XENIX
24 # define SYSNDIR
25 #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
26@@ -1874,3 +1877,102 @@
27 }
28 }
29 #endif /* QLZIP */
30+
31+
32+typedef struct {
33+ char *local_charset;
34+ char *archive_charset;
35+} CHARSET_MAP;
36+
37+/* A mapping of local <-> archive charsets used by default to convert filenames
38+ * of DOS/Windows Zip archives. Currently very basic. */
39+static CHARSET_MAP dos_charset_map[] = {
40+ { "ANSI_X3.4-1968", "CP850" },
41+ { "ISO-8859-1", "CP850" },
42+ { "CP1252", "CP850" },
43+ { "UTF-8", "CP866" },
44+ { "KOI8-R", "CP866" },
45+ { "KOI8-U", "CP866" },
46+ { "ISO-8859-5", "CP866" }
47+};
48+
49+char OEM_CP[MAX_CP_NAME] = "";
50+char ISO_CP[MAX_CP_NAME] = "";
51+
52+/* Try to guess the default value of OEM_CP based on the current locale.
53+ * ISO_CP is left alone for now. */
54+void init_conversion_charsets()
55+{
56+ const char *local_charset;
57+ int i;
58+
59+ /* Make a guess only if OEM_CP not already set. */
60+ if(*OEM_CP == '\0') {
61+ local_charset = nl_langinfo(CODESET);
62+ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
63+ if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
64+ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
65+ sizeof(OEM_CP));
66+ break;
67+ }
68+ }
69+}
70+
71+/* Convert a string from one encoding to the current locale using iconv().
72+ * Be as non-intrusive as possible. If error is encountered during covertion
73+ * just leave the string intact. */
74+static void charset_to_intern(char *string, char *from_charset)
75+{
76+ iconv_t cd;
77+ char *s,*d, *buf;
78+ size_t slen, dlen, buflen;
79+ const char *local_charset;
80+
81+ if(*from_charset == '\0')
82+ return;
83+
84+ buf = NULL;
85+ local_charset = nl_langinfo(CODESET);
86+
87+ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
88+ return;
89+
90+ slen = strlen(string);
91+ s = string;
92+
93+ /* Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ
94+ * as this function also gets called with G.outbuf in fileio.c
95+ */
96+ buflen = FILNAMSIZ;
97+ if (OUTBUFSIZ + 1 < FILNAMSIZ)
98+ {
99+ buflen = OUTBUFSIZ + 1;
100+ }
101+
102+ d = buf = malloc(buflen);
103+ if(!d)
104+ goto cleanup;
105+
106+ bzero(buf,buflen);
107+ dlen = buflen - 1;
108+
109+ if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1)
110+ goto cleanup;
111+ strncpy(string, buf, buflen);
112+
113+ cleanup:
114+ free(buf);
115+ iconv_close(cd);
116+}
117+
118+/* Convert a string from OEM_CP to the current locale charset. */
119+inline void oem_intern(char *string)
120+{
121+ charset_to_intern(string, OEM_CP);
122+}
123+
124+/* Convert a string from ISO_CP to the current locale charset. */
125+inline void iso_intern(char *string)
126+{
127+ charset_to_intern(string, ISO_CP);
128+}
129Index: unzip-6.0/unix/unxcfg.h
130===================================================================
131--- unzip-6.0.orig/unix/unxcfg.h 2015-02-11 08:46:43.675324290 -0500
132+++ unzip-6.0/unix/unxcfg.h 2015-02-11 08:46:43.671324260 -0500
133@@ -228,4 +228,30 @@
134 /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
135 /* and notfirstcall are used by do_wild(). */
136
137+
138+#define MAX_CP_NAME 25
139+
140+#ifdef SETLOCALE
141+# undef SETLOCALE
142+#endif
143+#define SETLOCALE(category, locale) setlocale(category, locale)
144+#include <locale.h>
145+
146+#ifdef _ISO_INTERN
147+# undef _ISO_INTERN
148+#endif
149+#define _ISO_INTERN(str1) iso_intern(str1)
150+
151+#ifdef _OEM_INTERN
152+# undef _OEM_INTERN
153+#endif
154+#ifndef IZ_OEM2ISO_ARRAY
155+# define IZ_OEM2ISO_ARRAY
156+#endif
157+#define _OEM_INTERN(str1) oem_intern(str1)
158+
159+void iso_intern(char *);
160+void oem_intern(char *);
161+void init_conversion_charsets(void);
162+
163 #endif /* !__unxcfg_h */
164Index: unzip-6.0/unzip.c
165===================================================================
166--- unzip-6.0.orig/unzip.c 2015-02-11 08:46:43.675324290 -0500
167+++ unzip-6.0/unzip.c 2015-02-11 08:46:43.675324290 -0500
168@@ -327,11 +327,21 @@
169 -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\
170 -v verbose, multi-page format\n";
171
172+#ifndef UNIX
173 static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
174 -h print header line -t print totals for listed files or for all\n\
175 -z print zipfile comment -T print file times in sortable decimal format\
176 \n -C be case-insensitive %s\
177 -x exclude filenames that follow from listing\n";
178+#else /* UNIX */
179+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
180+ -h print header line -t print totals for listed files or for all\n\
181+ -z print zipfile comment %c-T%c print file times in sortable decimal format\
182+\n %c-C%c be case-insensitive %s\
183+ -x exclude filenames that follow from listing\n\
184+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
185+ -I CHARSET specify a character encoding for UNIX and other archives\n";
186+#endif /* !UNIX */
187 #ifdef MORE
188 static ZCONST char Far ZipInfoUsageLine4[] =
189 " -M page output through built-in \"more\"\n";
190@@ -664,6 +674,17 @@
191 -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
192 -C match filenames case-insensitively -L make (some) names \
193 lowercase\n %-42s -V retain VMS version numbers\n%s";
194+#elif (defined UNIX)
195+static ZCONST char Far UnzipUsageLine4[] = "\
196+modifiers:\n\
197+ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
198+ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\
199+ -j junk paths (do not make directories) -aa treat ALL files as text\n\
200+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
201+ -C match filenames case-insensitively -L make (some) names \
202+lowercase\n %-42s -V retain VMS version numbers\n%s\
203+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
204+ -I CHARSET specify a character encoding for UNIX and other archives\n\n";
205 #else /* !VMS */
206 static ZCONST char Far UnzipUsageLine4[] = "\
207 modifiers:\n\
208@@ -802,6 +823,10 @@
209 #endif /* UNICODE_SUPPORT */
210
211
212+#ifdef UNIX
213+ init_conversion_charsets();
214+#endif
215+
216 #if (defined(__IBMC__) && defined(__DEBUG_ALLOC__))
217 extern void DebugMalloc(void);
218
219@@ -1335,6 +1360,11 @@
220 argc = *pargc;
221 argv = *pargv;
222
223+#ifdef UNIX
224+ extern char OEM_CP[MAX_CP_NAME];
225+ extern char ISO_CP[MAX_CP_NAME];
226+#endif
227+
228 while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
229 s = *argv + 1;
230 while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */
231@@ -1516,6 +1546,35 @@
232 }
233 break;
234 #endif /* MACOS */
235+#ifdef UNIX
236+ case ('I'):
237+ if (negative) {
238+ Info(slide, 0x401, ((char *)slide,
239+ "error: encodings can't be negated"));
240+ return(PK_PARAM);
241+ } else {
242+ if(*s) { /* Handle the -Icharset case */
243+ /* Assume that charsets can't start with a dash to spot arguments misuse */
244+ if(*s == '-') {
245+ Info(slide, 0x401, ((char *)slide,
246+ "error: a valid character encoding should follow the -I argument"));
247+ return(PK_PARAM);
248+ }
249+ strncpy(ISO_CP, s, sizeof(ISO_CP));
250+ } else { /* -I charset */
251+ ++argv;
252+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
253+ Info(slide, 0x401, ((char *)slide,
254+ "error: a valid character encoding should follow the -I argument"));
255+ return(PK_PARAM);
256+ }
257+ s = *argv;
258+ strncpy(ISO_CP, s, sizeof(ISO_CP));
259+ }
260+ while(*(++s)); /* No params straight after charset name */
261+ }
262+ break;
263+#endif /* ?UNIX */
264 case ('j'): /* junk pathnames/directory structure */
265 if (negative)
266 uO.jflag = FALSE, negative = 0;
267@@ -1591,6 +1650,35 @@
268 } else
269 ++uO.overwrite_all;
270 break;
271+#ifdef UNIX
272+ case ('O'):
273+ if (negative) {
274+ Info(slide, 0x401, ((char *)slide,
275+ "error: encodings can't be negated"));
276+ return(PK_PARAM);
277+ } else {
278+ if(*s) { /* Handle the -Ocharset case */
279+ /* Assume that charsets can't start with a dash to spot arguments misuse */
280+ if(*s == '-') {
281+ Info(slide, 0x401, ((char *)slide,
282+ "error: a valid character encoding should follow the -I argument"));
283+ return(PK_PARAM);
284+ }
285+ strncpy(OEM_CP, s, sizeof(OEM_CP));
286+ } else { /* -O charset */
287+ ++argv;
288+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
289+ Info(slide, 0x401, ((char *)slide,
290+ "error: a valid character encoding should follow the -O argument"));
291+ return(PK_PARAM);
292+ }
293+ s = *argv;
294+ strncpy(OEM_CP, s, sizeof(OEM_CP));
295+ }
296+ while(*(++s)); /* No params straight after charset name */
297+ }
298+ break;
299+#endif /* ?UNIX */
300 case ('p'): /* pipes: extract to stdout, no messages */
301 if (negative) {
302 uO.cflag = FALSE;
303Index: unzip-6.0/unzpriv.h
304===================================================================
305--- unzip-6.0.orig/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
306+++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
307@@ -3008,7 +3008,7 @@
308 !(((islochdr) || (isuxatt)) && \
309 ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
310 (hostnum) == FS_HPFS_ || \
311- ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \
312+ ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \
313 _OEM_INTERN((string)); \
314 } else { \
315 _ISO_INTERN((string)); \
316Index: unzip-6.0/zipinfo.c
317===================================================================
318--- unzip-6.0.orig/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
319+++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
320@@ -457,6 +457,10 @@
321 int tflag_slm=TRUE, tflag_2v=FALSE;
322 int explicit_h=FALSE, explicit_t=FALSE;
323
324+#ifdef UNIX
325+ extern char OEM_CP[MAX_CP_NAME];
326+ extern char ISO_CP[MAX_CP_NAME];
327+#endif
328
329 #ifdef MACOS
330 uO.lflag = LFLAG; /* reset default on each call */
331@@ -501,6 +505,35 @@
332 uO.lflag = 0;
333 }
334 break;
335+#ifdef UNIX
336+ case ('I'):
337+ if (negative) {
338+ Info(slide, 0x401, ((char *)slide,
339+ "error: encodings can't be negated"));
340+ return(PK_PARAM);
341+ } else {
342+ if(*s) { /* Handle the -Icharset case */
343+ /* Assume that charsets can't start with a dash to spot arguments misuse */
344+ if(*s == '-') {
345+ Info(slide, 0x401, ((char *)slide,
346+ "error: a valid character encoding should follow the -I argument"));
347+ return(PK_PARAM);
348+ }
349+ strncpy(ISO_CP, s, sizeof(ISO_CP));
350+ } else { /* -I charset */
351+ ++argv;
352+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
353+ Info(slide, 0x401, ((char *)slide,
354+ "error: a valid character encoding should follow the -I argument"));
355+ return(PK_PARAM);
356+ }
357+ s = *argv;
358+ strncpy(ISO_CP, s, sizeof(ISO_CP));
359+ }
360+ while(*(++s)); /* No params straight after charset name */
361+ }
362+ break;
363+#endif /* ?UNIX */
364 case 'l': /* longer form of "ls -l" type listing */
365 if (negative)
366 uO.lflag = -2, negative = 0;
367@@ -521,6 +554,35 @@
368 G.M_flag = TRUE;
369 break;
370 #endif
371+#ifdef UNIX
372+ case ('O'):
373+ if (negative) {
374+ Info(slide, 0x401, ((char *)slide,
375+ "error: encodings can't be negated"));
376+ return(PK_PARAM);
377+ } else {
378+ if(*s) { /* Handle the -Ocharset case */
379+ /* Assume that charsets can't start with a dash to spot arguments misuse */
380+ if(*s == '-') {
381+ Info(slide, 0x401, ((char *)slide,
382+ "error: a valid character encoding should follow the -I argument"));
383+ return(PK_PARAM);
384+ }
385+ strncpy(OEM_CP, s, sizeof(OEM_CP));
386+ } else { /* -O charset */
387+ ++argv;
388+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
389+ Info(slide, 0x401, ((char *)slide,
390+ "error: a valid character encoding should follow the -O argument"));
391+ return(PK_PARAM);
392+ }
393+ s = *argv;
394+ strncpy(OEM_CP, s, sizeof(OEM_CP));
395+ }
396+ while(*(++s)); /* No params straight after charset name */
397+ }
398+ break;
399+#endif /* ?UNIX */
400 case 's': /* default: shorter "ls -l" type listing */
401 if (negative)
402 uO.lflag = -2, negative = 0;
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
new file mode 100644
index 0000000000..0a0bfbbb17
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
1From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
2From: mancha <mancha1 AT zoho DOT com>
3Date: Wed, 11 Feb 2015
4Subject: Info-ZIP UnZip buffer overflow
5
6Upstream-Status: Backport
7
8By carefully crafting a corrupt ZIP archive with "extra fields" that
9purport to have compressed blocks larger than the corresponding
10uncompressed blocks in STORED no-compression mode, an attacker can
11trigger a heap overflow that can result in application crash or
12possibly have other unspecified impact.
13
14This patch ensures that when extra fields use STORED mode, the
15"compressed" and uncompressed block sizes match.
16
17Signed-off-by: mancha <mancha1 AT zoho DOT com>
18---
19 extract.c | 8 ++++++++
20 1 file changed, 8 insertions(+)
21
22--- a/extract.c
23+++ b/extract.c
24@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
25 ulg eb_ucsize;
26 uch *eb_ucptr;
27 int r;
28+ ush method;
29
30 if (compr_offset < 4) /* field is not compressed: */
31 return PK_OK; /* do nothing and signal OK */
32@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
33 eb_size <= (compr_offset + EB_CMPRHEADLEN)))
34 return IZ_EF_TRUNC; /* no compressed data! */
35
36+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
37+ if ((method == STORED) &&
38+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
39+ return PK_ERR; /* compressed & uncompressed
40+ * should match in STORED
41+ * method */
42+
43 if (
44 #ifdef INT_16BIT
45 (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index e203c069f4..5060d35546 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -8,7 +8,10 @@ PR = "r5"
8 8
9SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \ 9SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
10 file://avoid-strip.patch \ 10 file://avoid-strip.patch \
11 file://define-ldflags.patch" 11 file://define-ldflags.patch \
12 file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
13 file://unzip-6.0_overflow3.diff \
14"
12 15
13SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" 16SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
14SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" 17SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"