Diffstat (limited to 'meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch | 52 |
1 files changed, 52 insertions, 0 deletions
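diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
new file mode 100644
index 0000000000..e137f0dc76
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -298,6 +298,8 @@
+#ifndef SFX
+static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+static ZCONST char Far InvalidComprDataEAs[] =
+" invalid compressed data for EAs\n";
+# if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ebID = makeword(ef);
+ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+/* Discovered some extra field inconsistency! */
+if (uO.qflag)
+Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+}
+break;
+case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+(extent)(ebLen-4)))
++ {
+Info(slide, 1, ((char *)slide,
+LoadFarString(BadCRC_EAs)));
++ }
+break;
+case EF_PKW32:
+case EF_PKUNIX: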
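Review bot: In the EF_PKVMS case of the extract.c patch, the new `ebLen < 4` branch only prints TooSmallEBlength through Info() and then reaches `break`, so as far as these lines show, a malformed extra field is reported but no error status is recorded; the existing BadCRC_EAs branch behaves the same way. The enclosing function starts and ends outside the hunk, so its return handling is not visible here, but if it carries a result code, the short-block branch should set it so that testing a crafted archive does not finish as a success. The literal `4` is the size of the stored CRC and is written four times in these lines (`ebLen < 4`, the message argument, `EB_HEADSIZE+4`, `ebLen-4`); a named constant would keep the guard and the length passed to crc32() in step. A comment on the guard, for example `/* ebLen-4 wraps to a huge length when the block is shorter than its CRC */`, would record why the check must stay ahead of the crc32() call.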