diff options
-rw-r--r-- | meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch | 45 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip_6.0.bb | 1 |
2 files changed, 0 insertions, 46 deletions
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch deleted file mode 100644 index b64dd99244..0000000000 --- a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | From: mancha <mancha1 AT zoho DOT com> | ||
2 | Date: Mon, 3 Nov 2014 | ||
3 | Subject: Info-ZIP UnZip buffer overflow | ||
4 | Bug-Debian: http://bugs.debian.org/776589 | ||
5 | |||
6 | By carefully crafting a corrupt ZIP archive with "extra fields" that | ||
7 | purport to have compressed blocks larger than the corresponding | ||
8 | uncompressed blocks in STORED no-compression mode, an attacker can | ||
9 | trigger a heap overflow that can result in application crash or | ||
10 | possibly have other unspecified impact. | ||
11 | |||
12 | This patch ensures that when extra fields use STORED mode, the | ||
13 | "compressed" and uncompressed block sizes match. | ||
14 | |||
15 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
20 | |||
21 | --- a/extract.c | ||
22 | +++ b/extract.c | ||
23 | @@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) | ||
24 | uch *eb_ucptr; | ||
25 | int r; | ||
26 | ush method; | ||
27 | + ush eb_compr_method; | ||
28 | |||
29 | if (compr_offset < 4) /* field is not compressed: */ | ||
30 | return PK_OK; /* do nothing and signal OK */ | ||
31 | @@ -2244,6 +2245,14 @@ | ||
32 | ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
33 | return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
34 | |||
35 | + /* 2014-11-03 Michal Zalewski, SMS. | ||
36 | + * For STORE method, compressed and uncompressed sizes must agree. | ||
37 | + * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 | ||
38 | + */ | ||
39 | + eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); | ||
40 | + if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize)) | ||
41 | + return PK_ERR; | ||
42 | + | ||
43 | if ( | ||
44 | #ifdef INT_16BIT | ||
45 | (((ulg)(extent)eb_ucsize) != eb_ucsize) || | ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index b022f21844..4a0a713a61 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
@@ -14,7 +14,6 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \ | |||
14 | file://09-cve-2014-8139-crc-overflow.patch \ | 14 | file://09-cve-2014-8139-crc-overflow.patch \ |
15 | file://10-cve-2014-8140-test-compr-eb.patch \ | 15 | file://10-cve-2014-8140-test-compr-eb.patch \ |
16 | file://11-cve-2014-8141-getzip64data.patch \ | 16 | file://11-cve-2014-8141-getzip64data.patch \ |
17 | file://12-cve-2014-9636-test-compr-eb.patch \ | ||
18 | " | 17 | " |
19 | 18 | ||
20 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" | 19 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" |