unzip: CVE-2014-9913 CVE-2016-9844

Backport the patches for CVE-2014-9913 CVE-2016-9844 CVE-2016-9844: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. CVE-2014-9913: Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method. Patches come from: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/ or https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff Bug-Debian: https://bugs.debian.org/847486 Bug-Ubuntu: https://launchpad.net/bugs/1643750 (LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222 (From OE-Core rev: fc386ed4afb76bd3e5a3afff54d7dc8dde14fe9c) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2017-02-22 15:14:42 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-03-01 23:27:09 +0000
commit: 1f9af41ddea93ad4d4e600955084cf4b4cb16fcd (patch)
tree: 67a6d58c6db4af62880b27d202b0f4c10f9cc641 /meta
parent: 9e6cb6ec8b4b1d66b1e626f175946d15c1a2b49c (diff)
download: poky-1f9af41ddea93ad4d4e600955084cf4b4cb16fcd.tar.gz
3 files changed, 68 insertions, 1 deletions
diff --git a/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch b/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch
new file mode 100644
index 0000000000..eb76e2ea7d
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch
@@ -0,0 +1,33 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-9913, buffer overflow in unzip
+Bug: https://sourceforge.net/p/infozip/bugs/27/
+Bug-Debian: https://bugs.debian.org/847485
+Bug-Ubuntu: https://launchpad.net/bugs/387350
+X-Debian-version: 6.0-21
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+--- a/list.c
+++ b/list.c
+@@ -339,7 +339,18 @@
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+                /* 2013-02-26 SMS.
+                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
+                 * Unexpectedly large compression methods overflow
+                 * &methbuf[].  Use the old, three-digit decimal format
+                 * for values which fit.  Otherwise, sacrifice the
+                 * colon, and use four-digit hexadecimal.
+                 */
+                if (G.crec.compression_method <= 999) {
+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
+                } else {
+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
+                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */
diff --git a/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch b/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch
new file mode 100644
index 0000000000..fd0c024d7e
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch
@@ -0,0 +1,32 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
+Bug-Debian: https://bugs.debian.org/847486
+Bug-Ubuntu: https://launchpad.net/bugs/1643750
+X-Debian-version: 6.0-21
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+--- a/zipinfo.c
+++ b/zipinfo.c
+@@ -1921,7 +1921,18 @@
+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+         methbuf[3] = dtype[dnum];
+     } else if (methnum >= NUM_METHODS) {   /* unknown */
+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+        /* 2016-12-05 SMS.
+         * https://launchpad.net/bugs/1643750
+         * Unexpectedly large compression methods overflow
+         * &methbuf[].  Use the old, three-digit decimal format
+         * for values which fit.  Otherwise, sacrifice the "u",
+         * and use four-digit hexadecimal.
+         */
+        if (G.crec.compression_method <= 999) {
+            sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+        } else {
+            sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+        }
+     }
+ 
+     for (k = 0;  k < 15;  ++k)
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 547379c0dc..d4ee487417 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -16,7 +16,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
        file://11-cve-2014-8141-getzip64data.patch \
        file://CVE-2015-7696.patch \
        file://CVE-2015-7697.patch \
-        file://fix-security-format.patch \
+        file://fix-security-format.patch \
+        file://18-cve-2014-9913-unzip-buffer-overflow.patch \
+        file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
 "
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2017-02-22 15:14:42 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-03-01 23:27:09 +0000
commit	1f9af41ddea93ad4d4e600955084cf4b4cb16fcd (patch)
tree	67a6d58c6db4af62880b27d202b0f4c10f9cc641 /meta
parent	9e6cb6ec8b4b1d66b1e626f175946d15c1a2b49c (diff)
download	poky-1f9af41ddea93ad4d4e600955084cf4b4cb16fcd.tar.gz

diff --git a/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch b/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch new file mode 100644 index 0000000000..eb76e2ea7d --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch
@@ -0,0 +1,33 @@
		1	From: "Steven M. Schweda" <sms@antinode.info>
		2	Subject: Fix CVE-2014-9913, buffer overflow in unzip
		3	Bug: https://sourceforge.net/p/infozip/bugs/27/
		4	Bug-Debian: https://bugs.debian.org/847485
		5	Bug-Ubuntu: https://launchpad.net/bugs/387350
		6	X-Debian-version: 6.0-21
		7
		8	Upstream-Status: Backport
		9
		10	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		11
		12	--- a/list.c
		13	+++ b/list.c
		14	@@ -339,7 +339,18 @@
		15	G.crec.compression_method == ENHDEFLATED) {
		16	methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
		17	} else if (methnum >= NUM_METHODS) {
		18	- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
		19	+ /* 2013-02-26 SMS.
		20	+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
		21	+ * Unexpectedly large compression methods overflow
		22	+ * &methbuf[]. Use the old, three-digit decimal format
		23	+ * for values which fit. Otherwise, sacrifice the
		24	+ * colon, and use four-digit hexadecimal.
		25	+ */
		26	+ if (G.crec.compression_method <= 999) {
		27	+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
		28	+ } else {
		29	+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
		30	+ }
		31	}
		32
		33	#if 0 /* GRR/Euro: add this? */


diff --git a/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch b/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch new file mode 100644 index 0000000000..fd0c024d7e --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch
@@ -0,0 +1,32 @@
		1	From: "Steven M. Schweda" <sms@antinode.info>
		2	Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
		3	Bug-Debian: https://bugs.debian.org/847486
		4	Bug-Ubuntu: https://launchpad.net/bugs/1643750
		5	X-Debian-version: 6.0-21
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		10
		11	--- a/zipinfo.c
		12	+++ b/zipinfo.c
		13	@@ -1921,7 +1921,18 @@
		14	ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
		15	methbuf[3] = dtype[dnum];
		16	} else if (methnum >= NUM_METHODS) { /* unknown */
		17	- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
		18	+ /* 2016-12-05 SMS.
		19	+ * https://launchpad.net/bugs/1643750
		20	+ * Unexpectedly large compression methods overflow
		21	+ * &methbuf[]. Use the old, three-digit decimal format
		22	+ * for values which fit. Otherwise, sacrifice the "u",
		23	+ * and use four-digit hexadecimal.
		24	+ */
		25	+ if (G.crec.compression_method <= 999) {
		26	+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
		27	+ } else {
		28	+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
		29	+ }
		30	}
		31
		32	for (k = 0; k < 15; ++k)


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 547379c0dc..d4ee487417 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -16,7 +16,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
16	file://11-cve-2014-8141-getzip64data.patch \	16	file://11-cve-2014-8141-getzip64data.patch \
17	file://CVE-2015-7696.patch \	17	file://CVE-2015-7696.patch \
18	file://CVE-2015-7697.patch \	18	file://CVE-2015-7697.patch \
19	file://fix-security-format.patch \	19	file://fix-security-format.patch \
		20	file://18-cve-2014-9913-unzip-buffer-overflow.patch \
		21	file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
20	"	22	"
21		23
22	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"	24	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"