diff options
4 files changed, 513 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch new file mode 100644 index 0000000000..d485a1bd6e --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Mon, 27 May 2019 08:20:32 -0700 | ||
4 | Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input | ||
5 | state. | ||
6 | |||
7 | CVE: CVE-2019-13232 | ||
8 | Upstream-Status: Backport | ||
9 | [https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213] | ||
10 | |||
11 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
12 | --- | ||
13 | fileio.c | 4 +++- | ||
14 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/fileio.c b/fileio.c | ||
17 | index 7605a29..14460f3 100644 | ||
18 | --- a/fileio.c | ||
19 | +++ b/fileio.c | ||
20 | @@ -532,8 +532,10 @@ void undefer_input(__G) | ||
21 | * This condition was checked when G.incnt_leftover was set > 0 in | ||
22 | * defer_leftover_input(), and it is NOT allowed to touch G.csize | ||
23 | * before calling undefer_input() when (G.incnt_leftover > 0) | ||
24 | - * (single exception: see read_byte()'s "G.csize <= 0" handling) !! | ||
25 | + * (single exception: see readbyte()'s "G.csize <= 0" handling) !! | ||
26 | */ | ||
27 | + if (G.csize < 0L) | ||
28 | + G.csize = 0L; | ||
29 | G.incnt = G.incnt_leftover + (int)G.csize; | ||
30 | G.inptr = G.inptr_leftover - (int)G.csize; | ||
31 | G.incnt_leftover = 0; | ||
32 | -- | ||
33 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch new file mode 100644 index 0000000000..41037a8e24 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch | |||
@@ -0,0 +1,356 @@ | |||
1 | From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Tue, 11 Jun 2019 22:01:18 -0700 | ||
4 | Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries. | ||
5 | |||
6 | This detects an invalid zip file that has at least one entry that | ||
7 | overlaps with another entry or with the central directory to the | ||
8 | end of the file. A Fifield zip bomb uses overlapped local entries | ||
9 | to vastly increase the potential inflation ratio. Such an invalid | ||
10 | zip file is rejected. | ||
11 | |||
12 | See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's | ||
13 | analysis, construction, and examples of such zip bombs. | ||
14 | |||
15 | The detection maintains a list of covered spans of the zip files | ||
16 | so far, where the central directory to the end of the file and any | ||
17 | bytes preceding the first entry at zip file offset zero are | ||
18 | considered covered initially. Then as each entry is decompressed | ||
19 | or tested, it is considered covered. When a new entry is about to | ||
20 | be processed, its initial offset is checked to see if it is | ||
21 | contained by a covered span. If so, the zip file is rejected as | ||
22 | invalid. | ||
23 | |||
24 | This commit depends on a preceding commit: "Fix bug in | ||
25 | undefer_input() that misplaced the input state." | ||
26 | |||
27 | CVE: CVE-2019-13232 | ||
28 | Upstream-Status: Backport | ||
29 | [https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c] | ||
30 | |||
31 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
32 | --- | ||
33 | extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
34 | globals.c | 1 + | ||
35 | globals.h | 3 + | ||
36 | process.c | 10 +++ | ||
37 | unzip.h | 1 + | ||
38 | 5 files changed, 204 insertions(+), 1 deletion(-) | ||
39 | |||
40 | diff --git a/extract.c b/extract.c | ||
41 | index 24db2a8..2bb72ba 100644 | ||
42 | --- a/extract.c | ||
43 | +++ b/extract.c | ||
44 | @@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] = | ||
45 | "\nerror: unsupported extra-field compression type (%u)--skipping\n"; | ||
46 | static ZCONST char Far BadExtraFieldCRC[] = | ||
47 | "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; | ||
48 | +static ZCONST char Far NotEnoughMemCover[] = | ||
49 | + "error: not enough memory for bomb detection\n"; | ||
50 | +static ZCONST char Far OverlappedComponents[] = | ||
51 | + "error: invalid zip file with overlapped components (possible zip bomb)\n"; | ||
52 | + | ||
53 | + | ||
54 | + | ||
55 | + | ||
56 | + | ||
57 | +/* A growable list of spans. */ | ||
58 | +typedef zoff_t bound_t; | ||
59 | +typedef struct { | ||
60 | + bound_t beg; /* start of the span */ | ||
61 | + bound_t end; /* one past the end of the span */ | ||
62 | +} span_t; | ||
63 | +typedef struct { | ||
64 | + span_t *span; /* allocated, distinct, and sorted list of spans */ | ||
65 | + size_t num; /* number of spans in the list */ | ||
66 | + size_t max; /* allocated number of spans (num <= max) */ | ||
67 | +} cover_t; | ||
68 | + | ||
69 | +/* | ||
70 | + * Return the index of the first span in cover whose beg is greater than val. | ||
71 | + * If there is no such span, then cover->num is returned. | ||
72 | + */ | ||
73 | +static size_t cover_find(cover, val) | ||
74 | + cover_t *cover; | ||
75 | + bound_t val; | ||
76 | +{ | ||
77 | + size_t lo = 0, hi = cover->num; | ||
78 | + while (lo < hi) { | ||
79 | + size_t mid = (lo + hi) >> 1; | ||
80 | + if (val < cover->span[mid].beg) | ||
81 | + hi = mid; | ||
82 | + else | ||
83 | + lo = mid + 1; | ||
84 | + } | ||
85 | + return hi; | ||
86 | +} | ||
87 | + | ||
88 | +/* Return true if val lies within any one of the spans in cover. */ | ||
89 | +static int cover_within(cover, val) | ||
90 | + cover_t *cover; | ||
91 | + bound_t val; | ||
92 | +{ | ||
93 | + size_t pos = cover_find(cover, val); | ||
94 | + return pos > 0 && val < cover->span[pos - 1].end; | ||
95 | +} | ||
96 | + | ||
97 | +/* | ||
98 | + * Add a new span to the list, but only if the new span does not overlap any | ||
99 | + * spans already in the list. The new span covers the values beg..end-1. beg | ||
100 | + * must be less than end. | ||
101 | + * | ||
102 | + * Keep the list sorted and merge adjacent spans. Grow the allocated space for | ||
103 | + * the list as needed. On success, 0 is returned. If the new span overlaps any | ||
104 | + * existing spans, then 1 is returned and the new span is not added to the | ||
105 | + * list. If the new span is invalid because beg is greater than or equal to | ||
106 | + * end, then -1 is returned. If the list needs to be grown but the memory | ||
107 | + * allocation fails, then -2 is returned. | ||
108 | + */ | ||
109 | +static int cover_add(cover, beg, end) | ||
110 | + cover_t *cover; | ||
111 | + bound_t beg; | ||
112 | + bound_t end; | ||
113 | +{ | ||
114 | + size_t pos; | ||
115 | + int prec, foll; | ||
116 | + | ||
117 | + if (beg >= end) | ||
118 | + /* The new span is invalid. */ | ||
119 | + return -1; | ||
120 | + | ||
121 | + /* Find where the new span should go, and make sure that it does not | ||
122 | + overlap with any existing spans. */ | ||
123 | + pos = cover_find(cover, beg); | ||
124 | + if ((pos > 0 && beg < cover->span[pos - 1].end) || | ||
125 | + (pos < cover->num && end > cover->span[pos].beg)) | ||
126 | + return 1; | ||
127 | + | ||
128 | + /* Check for adjacencies. */ | ||
129 | + prec = pos > 0 && beg == cover->span[pos - 1].end; | ||
130 | + foll = pos < cover->num && end == cover->span[pos].beg; | ||
131 | + if (prec && foll) { | ||
132 | + /* The new span connects the preceding and following spans. Merge the | ||
133 | + following span into the preceding span, and delete the following | ||
134 | + span. */ | ||
135 | + cover->span[pos - 1].end = cover->span[pos].end; | ||
136 | + cover->num--; | ||
137 | + memmove(cover->span + pos, cover->span + pos + 1, | ||
138 | + (cover->num - pos) * sizeof(span_t)); | ||
139 | + } | ||
140 | + else if (prec) | ||
141 | + /* The new span is adjacent only to the preceding span. Extend the end | ||
142 | + of the preceding span. */ | ||
143 | + cover->span[pos - 1].end = end; | ||
144 | + else if (foll) | ||
145 | + /* The new span is adjacent only to the following span. Extend the | ||
146 | + beginning of the following span. */ | ||
147 | + cover->span[pos].beg = beg; | ||
148 | + else { | ||
149 | + /* The new span has gaps between both the preceding and the following | ||
150 | + spans. Assure that there is room and insert the span. */ | ||
151 | + if (cover->num == cover->max) { | ||
152 | + size_t max = cover->max == 0 ? 16 : cover->max << 1; | ||
153 | + span_t *span = realloc(cover->span, max * sizeof(span_t)); | ||
154 | + if (span == NULL) | ||
155 | + return -2; | ||
156 | + cover->span = span; | ||
157 | + cover->max = max; | ||
158 | + } | ||
159 | + memmove(cover->span + pos + 1, cover->span + pos, | ||
160 | + (cover->num - pos) * sizeof(span_t)); | ||
161 | + cover->num++; | ||
162 | + cover->span[pos].beg = beg; | ||
163 | + cover->span[pos].end = end; | ||
164 | + } | ||
165 | + return 0; | ||
166 | +} | ||
167 | |||
168 | |||
169 | |||
170 | @@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ | ||
171 | } | ||
172 | #endif /* !SFX || SFX_EXDIR */ | ||
173 | |||
174 | + /* One more: initialize cover structure for bomb detection. Start with a | ||
175 | + span that covers the central directory though the end of the file. */ | ||
176 | + if (G.cover == NULL) { | ||
177 | + G.cover = malloc(sizeof(cover_t)); | ||
178 | + if (G.cover == NULL) { | ||
179 | + Info(slide, 0x401, ((char *)slide, | ||
180 | + LoadFarString(NotEnoughMemCover))); | ||
181 | + return PK_MEM; | ||
182 | + } | ||
183 | + ((cover_t *)G.cover)->span = NULL; | ||
184 | + ((cover_t *)G.cover)->max = 0; | ||
185 | + } | ||
186 | + ((cover_t *)G.cover)->num = 0; | ||
187 | + if ((G.extra_bytes != 0 && | ||
188 | + cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || | ||
189 | + cover_add((cover_t *)G.cover, | ||
190 | + G.extra_bytes + G.ecrec.offset_start_central_directory, | ||
191 | + G.ziplen) != 0) { | ||
192 | + Info(slide, 0x401, ((char *)slide, | ||
193 | + LoadFarString(NotEnoughMemCover))); | ||
194 | + return PK_MEM; | ||
195 | + } | ||
196 | + | ||
197 | /*--------------------------------------------------------------------------- | ||
198 | The basic idea of this function is as follows. Since the central di- | ||
199 | rectory lies at the end of the zipfile and the member files lie at the | ||
200 | @@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ | ||
201 | if (error > error_in_archive) | ||
202 | error_in_archive = error; | ||
203 | /* ...and keep going (unless disk full or user break) */ | ||
204 | - if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { | ||
205 | + if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || | ||
206 | + error == PK_BOMB) { | ||
207 | /* clear reached_end to signal premature stop ... */ | ||
208 | reached_end = FALSE; | ||
209 | /* ... and cancel scanning the central directory */ | ||
210 | @@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk, | ||
211 | |||
212 | /* seek_zipf(__G__ pInfo->offset); */ | ||
213 | request = G.pInfo->offset + G.extra_bytes; | ||
214 | + if (cover_within((cover_t *)G.cover, request)) { | ||
215 | + Info(slide, 0x401, ((char *)slide, | ||
216 | + LoadFarString(OverlappedComponents))); | ||
217 | + return PK_BOMB; | ||
218 | + } | ||
219 | inbuf_offset = request % INBUFSIZ; | ||
220 | bufstart = request - inbuf_offset; | ||
221 | |||
222 | @@ -1593,6 +1741,18 @@ reprompt: | ||
223 | return IZ_CTRLC; /* cancel operation by user request */ | ||
224 | } | ||
225 | #endif | ||
226 | + error = cover_add((cover_t *)G.cover, request, | ||
227 | + G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); | ||
228 | + if (error < 0) { | ||
229 | + Info(slide, 0x401, ((char *)slide, | ||
230 | + LoadFarString(NotEnoughMemCover))); | ||
231 | + return PK_MEM; | ||
232 | + } | ||
233 | + if (error != 0) { | ||
234 | + Info(slide, 0x401, ((char *)slide, | ||
235 | + LoadFarString(OverlappedComponents))); | ||
236 | + return PK_BOMB; | ||
237 | + } | ||
238 | #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ | ||
239 | UserStop(); | ||
240 | #endif | ||
241 | @@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ | ||
242 | } | ||
243 | |||
244 | undefer_input(__G); | ||
245 | + | ||
246 | + if ((G.lrec.general_purpose_bit_flag & 8) != 0) { | ||
247 | + /* skip over data descriptor (harder than it sounds, due to signature | ||
248 | + * ambiguity) | ||
249 | + */ | ||
250 | +# define SIG 0x08074b50 | ||
251 | +# define LOW 0xffffffff | ||
252 | + uch buf[12]; | ||
253 | + unsigned shy = 12 - readbuf((char *)buf, 12); | ||
254 | + ulg crc = shy ? 0 : makelong(buf); | ||
255 | + ulg clen = shy ? 0 : makelong(buf + 4); | ||
256 | + ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ | ||
257 | + if (crc == SIG && /* if not SIG, no signature */ | ||
258 | + (G.lrec.crc32 != SIG || /* if not SIG, have signature */ | ||
259 | + (clen == SIG && /* if not SIG, no signature */ | ||
260 | + ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ | ||
261 | + (ulen == SIG && /* if not SIG, no signature */ | ||
262 | + (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG | ||
263 | + /* if not SIG, have signature */ | ||
264 | + ))))) | ||
265 | + /* skip four more bytes to account for signature */ | ||
266 | + shy += 4 - readbuf((char *)buf, 4); | ||
267 | + if (G.zip64) | ||
268 | + shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ | ||
269 | + if (shy) | ||
270 | + error = PK_ERR; | ||
271 | + } | ||
272 | + | ||
273 | return error; | ||
274 | |||
275 | } /* end function extract_or_test_member() */ | ||
276 | diff --git a/globals.c b/globals.c | ||
277 | index fa8cca5..1e0f608 100644 | ||
278 | --- a/globals.c | ||
279 | +++ b/globals.c | ||
280 | @@ -181,6 +181,7 @@ Uz_Globs *globalsCtor() | ||
281 | # if (!defined(NO_TIMESTAMPS)) | ||
282 | uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ | ||
283 | # endif | ||
284 | + G.cover = NULL; /* not allocated yet */ | ||
285 | #endif | ||
286 | |||
287 | uO.lflag=(-1); | ||
288 | diff --git a/globals.h b/globals.h | ||
289 | index 11b7215..2bdcdeb 100644 | ||
290 | --- a/globals.h | ||
291 | +++ b/globals.h | ||
292 | @@ -260,12 +260,15 @@ typedef struct Globals { | ||
293 | ecdir_rec ecrec; /* used in unzip.c, extract.c */ | ||
294 | z_stat statbuf; /* used by main, mapname, check_for_newer */ | ||
295 | |||
296 | + int zip64; /* true if Zip64 info in extra field */ | ||
297 | + | ||
298 | int mem_mode; | ||
299 | uch *outbufptr; /* extract.c static */ | ||
300 | ulg outsize; /* extract.c static */ | ||
301 | int reported_backslash; /* extract.c static */ | ||
302 | int disk_full; | ||
303 | int newfile; | ||
304 | + void **cover; /* used in extract.c for bomb detection */ | ||
305 | |||
306 | int didCRlast; /* fileio static */ | ||
307 | ulg numlines; /* fileio static: number of lines printed */ | ||
308 | diff --git a/process.c b/process.c | ||
309 | index a3c1a4d..208619c 100644 | ||
310 | --- a/process.c | ||
311 | +++ b/process.c | ||
312 | @@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ | ||
313 | } | ||
314 | #endif | ||
315 | |||
316 | + /* Free the cover span list and the cover structure. */ | ||
317 | + if (G.cover != NULL) { | ||
318 | + free(*(G.cover)); | ||
319 | + free(G.cover); | ||
320 | + G.cover = NULL; | ||
321 | + } | ||
322 | + | ||
323 | } /* end function free_G_buffers() */ | ||
324 | |||
325 | |||
326 | @@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len) | ||
327 | |||
328 | #define Z64FLGS 0xffff | ||
329 | #define Z64FLGL 0xffffffff | ||
330 | + G.zip64 = FALSE; | ||
331 | |||
332 | if (ef_len == 0 || ef_buf == NULL) | ||
333 | return PK_COOL; | ||
334 | @@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len) | ||
335 | G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); | ||
336 | offset += 4; | ||
337 | } | ||
338 | + | ||
339 | + G.zip64 = TRUE; | ||
340 | #if 0 | ||
341 | break; /* Expect only one EF_PKSZ64 block. */ | ||
342 | #endif /* 0 */ | ||
343 | diff --git a/unzip.h b/unzip.h | ||
344 | index 5b2a326..ed24a5b 100644 | ||
345 | --- a/unzip.h | ||
346 | +++ b/unzip.h | ||
347 | @@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec { | ||
348 | #define PK_NOZIP 9 /* zipfile not found */ | ||
349 | #define PK_PARAM 10 /* bad or illegal parameters specified */ | ||
350 | #define PK_FIND 11 /* no files found */ | ||
351 | +#define PK_BOMB 12 /* likely zip bomb */ | ||
352 | #define PK_DISK 50 /* disk full */ | ||
353 | #define PK_EOF 51 /* unexpected EOF */ | ||
354 | |||
355 | -- | ||
356 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch new file mode 100644 index 0000000000..fd26fdd833 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Thu, 25 Jul 2019 20:43:17 -0700 | ||
4 | Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central | ||
5 | directory. | ||
6 | |||
7 | There is a zip-like file in the Firefox distribution, omni.ja, | ||
8 | which is a zip container with the central directory placed at the | ||
9 | start of the file instead of after the local entries as required | ||
10 | by the zip standard. This commit marks the actual location of the | ||
11 | central directory, as well as the end of central directory records, | ||
12 | as disallowed locations. This now permits such containers to not | ||
13 | raise a zip bomb alert, where in fact there are no overlaps. | ||
14 | |||
15 | CVE: CVE-2019-13232 | ||
16 | Upstream-Status: Backport | ||
17 | [https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc] | ||
18 | |||
19 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
20 | --- | ||
21 | extract.c | 25 +++++++++++++++++++------ | ||
22 | process.c | 6 ++++++ | ||
23 | unzpriv.h | 10 ++++++++++ | ||
24 | 3 files changed, 35 insertions(+), 6 deletions(-) | ||
25 | |||
26 | diff --git a/extract.c b/extract.c | ||
27 | index 2bb72ba..a9dcca8 100644 | ||
28 | --- a/extract.c | ||
29 | +++ b/extract.c | ||
30 | @@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ | ||
31 | } | ||
32 | #endif /* !SFX || SFX_EXDIR */ | ||
33 | |||
34 | - /* One more: initialize cover structure for bomb detection. Start with a | ||
35 | - span that covers the central directory though the end of the file. */ | ||
36 | + /* One more: initialize cover structure for bomb detection. Start with | ||
37 | + spans that cover any extra bytes at the start, the central directory, | ||
38 | + the end of central directory record (including the Zip64 end of central | ||
39 | + directory locator, if present), and the Zip64 end of central directory | ||
40 | + record, if present. */ | ||
41 | if (G.cover == NULL) { | ||
42 | G.cover = malloc(sizeof(cover_t)); | ||
43 | if (G.cover == NULL) { | ||
44 | @@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ | ||
45 | ((cover_t *)G.cover)->max = 0; | ||
46 | } | ||
47 | ((cover_t *)G.cover)->num = 0; | ||
48 | - if ((G.extra_bytes != 0 && | ||
49 | - cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || | ||
50 | - cover_add((cover_t *)G.cover, | ||
51 | + if (cover_add((cover_t *)G.cover, | ||
52 | G.extra_bytes + G.ecrec.offset_start_central_directory, | ||
53 | - G.ziplen) != 0) { | ||
54 | + G.extra_bytes + G.ecrec.offset_start_central_directory + | ||
55 | + G.ecrec.size_central_directory) != 0) { | ||
56 | Info(slide, 0x401, ((char *)slide, | ||
57 | LoadFarString(NotEnoughMemCover))); | ||
58 | return PK_MEM; | ||
59 | } | ||
60 | + if ((G.extra_bytes != 0 && | ||
61 | + cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || | ||
62 | + (G.ecrec.have_ecr64 && | ||
63 | + cover_add((cover_t *)G.cover, G.ecrec.ec64_start, | ||
64 | + G.ecrec.ec64_end) != 0) || | ||
65 | + cover_add((cover_t *)G.cover, G.ecrec.ec_start, | ||
66 | + G.ecrec.ec_end) != 0) { | ||
67 | + Info(slide, 0x401, ((char *)slide, | ||
68 | + LoadFarString(OverlappedComponents))); | ||
69 | + return PK_BOMB; | ||
70 | + } | ||
71 | |||
72 | /*--------------------------------------------------------------------------- | ||
73 | The basic idea of this function is as follows. Since the central di- | ||
74 | diff --git a/process.c b/process.c | ||
75 | index 208619c..5f8f6c6 100644 | ||
76 | --- a/process.c | ||
77 | +++ b/process.c | ||
78 | @@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ | ||
79 | |||
80 | /* Now, we are (almost) sure that we have a Zip64 archive. */ | ||
81 | G.ecrec.have_ecr64 = 1; | ||
82 | + G.ecrec.ec_start -= ECLOC64_SIZE+4; | ||
83 | + G.ecrec.ec64_start = ecrec64_start_offset; | ||
84 | + G.ecrec.ec64_end = ecrec64_start_offset + | ||
85 | + 12 + makeint64(&byterec[ECREC64_LENGTH]); | ||
86 | |||
87 | /* Update the "end-of-central-dir offset" for later checks. */ | ||
88 | G.real_ecrec_offset = ecrec64_start_offset; | ||
89 | @@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ | ||
90 | makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); | ||
91 | G.ecrec.zipfile_comment_length = | ||
92 | makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); | ||
93 | + G.ecrec.ec_start = G.real_ecrec_offset; | ||
94 | + G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; | ||
95 | |||
96 | /* Now, we have to read the archive comment, BEFORE the file pointer | ||
97 | is moved away backwards to seek for a Zip64 ECLOC64 structure. | ||
98 | diff --git a/unzpriv.h b/unzpriv.h | ||
99 | index c8d3eab..5e177c7 100644 | ||
100 | --- a/unzpriv.h | ||
101 | +++ b/unzpriv.h | ||
102 | @@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { | ||
103 | int have_ecr64; /* valid Zip64 ecdir-record exists */ | ||
104 | int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ | ||
105 | ush zipfile_comment_length; | ||
106 | + zusz_t ec_start, ec_end; /* offsets of start and end of the | ||
107 | + end of central directory record, | ||
108 | + including if present the Zip64 | ||
109 | + end of central directory locator, | ||
110 | + which immediately precedes the | ||
111 | + end of central directory record */ | ||
112 | + zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these | ||
113 | + are the offsets of the start and | ||
114 | + end of the Zip64 end of central | ||
115 | + directory record */ | ||
116 | } ecdir_rec; | ||
117 | |||
118 | |||
119 | -- | ||
120 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||
121 | |||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index daba722722..c1ea0a9a2c 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
@@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ | |||
22 | file://symlink.patch \ | 22 | file://symlink.patch \ |
23 | file://0001-unzip-fix-CVE-2018-1000035.patch \ | 23 | file://0001-unzip-fix-CVE-2018-1000035.patch \ |
24 | file://CVE-2018-18384.patch \ | 24 | file://CVE-2018-18384.patch \ |
25 | file://CVE-2019-13232_p1.patch \ | ||
26 | file://CVE-2019-13232_p2.patch \ | ||
27 | file://CVE-2019-13232_p3.patch \ | ||
25 | " | 28 | " |
26 | UPSTREAM_VERSION_UNKNOWN = "1" | 29 | UPSTREAM_VERSION_UNKNOWN = "1" |
27 | 30 | ||