1 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
new file mode 100644
index 0000000000..d0c1db3925
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+Upstream-Status: Backport
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+--- a/fileio.c
+++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+static ZCONST char Far ExtraFieldCorrupt[] =
+  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
+ 
+ #ifdef WINDLL
+    static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+                 return PK_EOF;
+             /* Looks like here is where extra fields are read */
+-            getZip64Data(__G__ G.extra_field, length);
+            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+            {
+                Info(slide, 0x401, ((char *)slide,
+                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                error = PK_WARN;
+            }
+ #ifdef UNICODE_SUPPORT
+             G.unipath_filename = NULL;
+             if (G.UzO.U_flag < 2) {
+--- a/process.c
+++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+     and a 4-byte version of disk start number.
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+
+    2014-12-05 SMS.
+    Added checks to ensure that enough data are available before calling
+    makeint64() or makelong().  Replaced various sizeof() values with
+    simple ("4" or "8") constants.  (The Zip64 structures do not depend
+    on our variable sizes.)  Error handling is crude, but we should now
+    stay within the buffer.
+   ---------------------------------------------------------------------------*/
+ 
+#define Z64FLGS 0xffff
+#define Z64FLGL 0xffffffff
+
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+ 
+     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+       ef_len));
+ 
+-    while (ef_len >= EB_HEADSIZE) {
+    while (ef_len >= EB_HEADSIZE)
+    {
+         eb_id = makeword(EB_ID + ef_buf);
+         eb_len = makeword(EB_LEN + ef_buf);
+ 
+-        if (eb_len > (ef_len - EB_HEADSIZE)) {
+-            /* discovered some extra field inconsistency! */
+        if (eb_len > (ef_len - EB_HEADSIZE))
+        {
+            /* Extra block length exceeds remaining extra field length. */
+             Trace((stderr,
+               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+-        if (eb_id == EF_PKSZ64) {
+-
+        if (eb_id == EF_PKSZ64)
+        {
+           int offset = EB_HEADSIZE;
+ 
+-          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+-            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.ucsize);
+          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+-            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.csize);
+
+          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.relative_offset_local_header == 0xffffffff){
+
+          if (G.crec.relative_offset_local_header == Z64FLGL)
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.relative_offset_local_header);
+            offset += 8;
+           }
+-          if (G.crec.disk_number_start == 0xffff){
+
+          if (G.crec.disk_number_start == Z64FLGS)
+          {
+            if (offset+ 4 > ef_len)
+              return PK_ERR;
+
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+-            offset += sizeof(G.crec.disk_number_start);
+            offset += 4;
+           }
+#if 0
+          break;                /* Expect only one EF_PKSZ64 block. */
+#endif /* 0 */
+         }
+ 
+-        /* Skip this extra field block */
+        /* Skip this extra field block. */
+         ef_buf += (eb_len + EB_HEADSIZE);
+         ef_len -= (eb_len + EB_HEADSIZE);
+     }

diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch new file mode 100644 index 0000000000..d0c1db3925 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
	1	From: sms
	2	Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
	3	Bug-Debian: http://bugs.debian.org/773722
	4
	5	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
	6
	7	Upstream-Status: Backport
	8
	9	Signed-off-by: Roy Li <rongqing.li@windriver.com>
	10
	11
	12	--- a/fileio.c
	13	+++ b/fileio.c
	14	@@ -176,6 +176,8 @@
	15	#endif
	16	static ZCONST char Far ExtraFieldTooLong[] =
	17	"warning: extra field too long (%d). Ignoring...\n";
	18	+static ZCONST char Far ExtraFieldCorrupt[] =
	19	+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
	20
	21	#ifdef WINDLL
	22	static ZCONST char Far DiskFullQuery[] =
	23	@@ -2295,7 +2297,12 @@
	24	if (readbuf(__G__ (char *)G.extra_field, length) == 0)
	25	return PK_EOF;
	26	/* Looks like here is where extra fields are read */
	27	- getZip64Data(__G__ G.extra_field, length);
	28	+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
	29	+ {
	30	+ Info(slide, 0x401, ((char *)slide,
	31	+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
	32	+ error = PK_WARN;
	33	+ }
	34	#ifdef UNICODE_SUPPORT
	35	G.unipath_filename = NULL;
	36	if (G.UzO.U_flag < 2) {
	37	--- a/process.c
	38	+++ b/process.c
	39	@@ -1,5 +1,5 @@
	40	/*
	41	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
	42	+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
	43
	44	See the accompanying file LICENSE, version 2009-Jan-02 or later
	45	(the contents of which are also included in unzip.h) for terms of use.
	46	@@ -1901,48 +1901,82 @@
	47	and a 4-byte version of disk start number.
	48	Sets both local header and central header fields. Not terribly clever,
	49	but it means that this procedure is only called in one place.
	50	+
	51	+ 2014-12-05 SMS.
	52	+ Added checks to ensure that enough data are available before calling
	53	+ makeint64() or makelong(). Replaced various sizeof() values with
	54	+ simple ("4" or "8") constants. (The Zip64 structures do not depend
	55	+ on our variable sizes.) Error handling is crude, but we should now
	56	+ stay within the buffer.
	57	---------------------------------------------------------------------------*/
	58
	59	+#define Z64FLGS 0xffff
	60	+#define Z64FLGL 0xffffffff
	61	+
	62	if (ef_len == 0 \|\| ef_buf == NULL)
	63	return PK_COOL;
	64
	65	Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
	66	ef_len));
	67
	68	- while (ef_len >= EB_HEADSIZE) {
	69	+ while (ef_len >= EB_HEADSIZE)
	70	+ {
	71	eb_id = makeword(EB_ID + ef_buf);
	72	eb_len = makeword(EB_LEN + ef_buf);
	73
	74	- if (eb_len > (ef_len - EB_HEADSIZE)) {
	75	- /* discovered some extra field inconsistency! */
	76	+ if (eb_len > (ef_len - EB_HEADSIZE))
	77	+ {
	78	+ /* Extra block length exceeds remaining extra field length. */
	79	Trace((stderr,
	80	"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
	81	ef_len - EB_HEADSIZE));
	82	break;
	83	}
	84	- if (eb_id == EF_PKSZ64) {
	85	-
	86	+ if (eb_id == EF_PKSZ64)
	87	+ {
	88	int offset = EB_HEADSIZE;
	89
	90	- if (G.crec.ucsize == 0xffffffff \|\| G.lrec.ucsize == 0xffffffff){
	91	- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
	92	- offset += sizeof(G.crec.ucsize);
	93	+ if ((G.crec.ucsize == Z64FLGL) \|\| (G.lrec.ucsize == Z64FLGL))
	94	+ {
	95	+ if (offset+ 8 > ef_len)
	96	+ return PK_ERR;
	97	+
	98	+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
	99	+ offset += 8;
	100	}
	101	- if (G.crec.csize == 0xffffffff \|\| G.lrec.csize == 0xffffffff){
	102	- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
	103	- offset += sizeof(G.crec.csize);
	104	+
	105	+ if ((G.crec.csize == Z64FLGL) \|\| (G.lrec.csize == Z64FLGL))
	106	+ {
	107	+ if (offset+ 8 > ef_len)
	108	+ return PK_ERR;
	109	+
	110	+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
	111	+ offset += 8;
	112	}
	113	- if (G.crec.relative_offset_local_header == 0xffffffff){
	114	+
	115	+ if (G.crec.relative_offset_local_header == Z64FLGL)
	116	+ {
	117	+ if (offset+ 8 > ef_len)
	118	+ return PK_ERR;
	119	+
	120	G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
	121	- offset += sizeof(G.crec.relative_offset_local_header);
	122	+ offset += 8;
	123	}
	124	- if (G.crec.disk_number_start == 0xffff){
	125	+
	126	+ if (G.crec.disk_number_start == Z64FLGS)
	127	+ {
	128	+ if (offset+ 4 > ef_len)
	129	+ return PK_ERR;
	130	+
	131	G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
	132	- offset += sizeof(G.crec.disk_number_start);
	133	+ offset += 4;
	134	}
	135	+#if 0
	136	+ break; /* Expect only one EF_PKSZ64 block. */
	137	+#endif /* 0 */
	138	}
	139
	140	- /* Skip this extra field block */
	141	+ /* Skip this extra field block. */
	142	ef_buf += (eb_len + EB_HEADSIZE);
	143	ef_len -= (eb_len + EB_HEADSIZE);
	144	}