diff options
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 0000000000..edc7d515b0 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From: sms | ||
2 | Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() | ||
3 | Bug-Debian: http://bugs.debian.org/773722 | ||
4 | |||
5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
10 | |||
11 | --- a/extract.c | ||
12 | +++ b/extract.c | ||
13 | @@ -2232,10 +2232,17 @@ | ||
14 | if (compr_offset < 4) /* field is not compressed: */ | ||
15 | return PK_OK; /* do nothing and signal OK */ | ||
16 | |||
17 | + /* Return no/bad-data error status if any problem is found: | ||
18 | + * 1. eb_size is too small to hold the uncompressed size | ||
19 | + * (eb_ucsize). (Else extract eb_ucsize.) | ||
20 | + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. | ||
21 | + * 3. eb_ucsize is positive, but eb_size is too small to hold | ||
22 | + * the compressed data header. | ||
23 | + */ | ||
24 | if ((eb_size < (EB_UCSIZE_P + 4)) || | ||
25 | - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && | ||
26 | - eb_size <= (compr_offset + EB_CMPRHEADLEN))) | ||
27 | - return IZ_EF_TRUNC; /* no compressed data! */ | ||
28 | + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || | ||
29 | + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
30 | + return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
31 | |||
32 | if ( | ||
33 | #ifdef INT_16BIT | ||