diff options
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch deleted file mode 100644 index b64dd99244..0000000000 --- a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | From: mancha <mancha1 AT zoho DOT com> | ||
2 | Date: Mon, 3 Nov 2014 | ||
3 | Subject: Info-ZIP UnZip buffer overflow | ||
4 | Bug-Debian: http://bugs.debian.org/776589 | ||
5 | |||
6 | By carefully crafting a corrupt ZIP archive with "extra fields" that | ||
7 | purport to have compressed blocks larger than the corresponding | ||
8 | uncompressed blocks in STORED no-compression mode, an attacker can | ||
9 | trigger a heap overflow that can result in application crash or | ||
10 | possibly have other unspecified impact. | ||
11 | |||
12 | This patch ensures that when extra fields use STORED mode, the | ||
13 | "compressed" and uncompressed block sizes match. | ||
14 | |||
15 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
20 | |||
21 | --- a/extract.c | ||
22 | +++ b/extract.c | ||
23 | @@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) | ||
24 | uch *eb_ucptr; | ||
25 | int r; | ||
26 | ush method; | ||
27 | + ush eb_compr_method; | ||
28 | |||
29 | if (compr_offset < 4) /* field is not compressed: */ | ||
30 | return PK_OK; /* do nothing and signal OK */ | ||
31 | @@ -2244,6 +2245,14 @@ | ||
32 | ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) | ||
33 | return IZ_EF_TRUNC; /* no/bad compressed data! */ | ||
34 | |||
35 | + /* 2014-11-03 Michal Zalewski, SMS. | ||
36 | + * For STORE method, compressed and uncompressed sizes must agree. | ||
37 | + * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 | ||
38 | + */ | ||
39 | + eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); | ||
40 | + if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize)) | ||
41 | + return PK_ERR; | ||
42 | + | ||
43 | if ( | ||
44 | #ifdef INT_16BIT | ||
45 | (((ulg)(extent)eb_ucsize) != eb_ucsize) || | ||