-rw-r--r--meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch45
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb1
2 files changed, 0 insertions, 46 deletions
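diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
deleted file mode 100644
index b64dd99244..0000000000
--- a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
-Subject: Info-ZIP UnZip buffer overflow
-Bug-Debian: http://bugs.debian.org/776589
-
-By carefully crafting a corrupt ZIP archive with "extra fields" that
-purport to have compressed blocks larger than the corresponding
-uncompressed blocks in STORED no-compression mode, an attacker can
-trigger a heap overflow that can result in application crash or
-possibly have other unspecified impact.
-
-This patch ensures that when extra fields use STORED mode, the
-"compressed" and uncompressed block sizes match.
-
-The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
-
-Upstream-Status: Backport
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-
---- a/extract.c
-+++ b/extract.c
-@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
- uch *eb_ucptr;
- int r;
- ush method;
-+ ush eb_compr_method;
-
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-@@ -2244,6 +2245,14 @@
- ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
- return IZ_EF_TRUNC; /* no/bad compressed data! */
-
-+ /* 2014-11-03 Michal Zalewski, SMS.
-+ * For STORE method, compressed and uncompressed sizes must agree.
-+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-+ */
-+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
-+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+ return PK_ERR;
-+
- if (
- #ifdef INT_16BIT
- (((ulg)(extent)eb_ucsize) != eb_ucsize) ||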
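diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index b022f21844..4a0a713a61 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -14,7 +14,6 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
  file://09-cve-2014-8139-crc-overflow.patch \
  file://10-cve-2014-8140-test-compr-eb.patch \
  file://11-cve-2014-8141-getzip64data.patch \
- file://12-cve-2014-9636-test-compr-eb.patch \
 "
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"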
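Review bot: With `file://12-cve-2014-9636-test-compr-eb.patch \` dropped from SRC_URI, the visible patch list ends at `11-cve-2014-8141-getzip64data.patch`, and no entry shown carries the STORED-method size check (`eb_size - compr_offset != eb_ucsize`) that the deleted patch added to test_compr_eb(). The commit message is not visible on this page, so the removal may be justified by another patch already containing the same check or by an apply conflict; if so, the commit should name the patch that now covers CVE-2014-9636. Otherwise the entry should stay, or the status should be recorded next to SRC_URI with a comment such as `# CVE-2014-9636: covered by <patch-name>`. The SRC_URI list begins above the hunk, so earlier entries cannot be checked from here.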