4 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
new file mode 100644
index 0000000000..6ba2b879a3
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c  | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-) 
+---
+Patch from:
+https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
+Regenerated to apply without offsets.
+CVE: CVE-2021-4217
+Upstream-Status: Pending [infozip upstream inactive]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/fileio.c b/fileio.c
+index 14460f3..1dc319e 100644
+--- a/fileio.c
+++ b/fileio.c
+@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+                       (G.inptr-G.inbuf) + length);
+         } else {
+-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
+            if (bytes_read == 0)
+                 return PK_EOF;
+            if (bytes_read != length)
+                return PK_ERR;
+             /* Looks like here is where extra fields are read */
+             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+             {
+diff --git a/process.c b/process.c
+index 5f8f6c6..de843a5 100644
+--- a/process.c
+++ b/process.c
+@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
+          if (!G.filename_full) {
+            /* Check if we have a unicode extra section but no filename set */
+            return PK_ERR;
+          }
+
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+ 
+-- 
+2.32.0
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
new file mode 100644
index 0000000000..1c1e120deb
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+CVE: CVE-2022-0529
+Upstream-Status: Inactive-Upstream [need a new release]
+diff --git a/process.c b/process.c
+index d2a846e..99b9c7b 100644
+--- a/process.c
+++ b/process.c
+@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
+   char buf[9];
+   char *buffer = NULL;
+   char *local_string = NULL;
+  size_t buffer_size;
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+ 
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
+       /* no MB for this wide */
+         /* use escape for wide character */
+         char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
+        size_t buffer_len = strlen(buffer);
+        size_t escape_string_len = strlen(escape_string);
+        if (buffer_len + escape_string_len + 1 > buffer_size)
+          escape_string_len = buffer_size - buffer_len - 1;
+        strncat(buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
new file mode 100644
index 0000000000..363dafddc9
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+CVE: CVE-2022-0530
+Upstream-Status: Inactive-Upstream [need a new release]
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
+++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+                  if (fn == NULL)
+                    return PK_ERR;
+
+                   /* make sure filename is short enough */
+                   if (strlen(fn) >= FILNAMSIZ) {
+                     fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
+++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index c1ea0a9a2c..fa57c8f5bd 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Utilities for extracting and viewing files in .zip archives"
 HOMEPAGE = "http://www.info-zip.org"
+DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
 SECTION = "console/utils"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
        file://CVE-2019-13232_p1.patch \
        file://CVE-2019-13232_p2.patch \
        file://CVE-2019-13232_p3.patch \
+        file://CVE-2021-4217.patch \
+        file://CVE-2022-0529.patch \
+        file://CVE-2022-0530.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
+# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_CHECK_WHITELIST += "CVE-2008-0888"
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
		1	From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
		2	From: Nils Bars <nils.bars@t-online.de>
		3	Date: Mon, 17 Jan 2022 16:53:16 +0000
		4	Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
		5
		6	This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
		7	to read as many bytes as indicated by the extra field length attribute.
		8	Furthermore, this fixes a null pointer dereference if an archive contains an
		9	`EF_UNIPATH` extra field but does not have a filename set.
		10	---
		11	fileio.c \| 5 ++++-
		12	process.c \| 6 +++++-
		13	2 files changed, 9 insertions(+), 2 deletions(-)
		14	---
		15
		16	Patch from:
		17	https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
		18	https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
		19	Regenerated to apply without offsets.
		20
		21	CVE: CVE-2021-4217
		22
		23	Upstream-Status: Pending [infozip upstream inactive]
		24
		25	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		26
		27
		28	diff --git a/fileio.c b/fileio.c
		29	index 14460f3..1dc319e 100644
		30	--- a/fileio.c
		31	+++ b/fileio.c
		32	@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */
		33	seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
		34	(G.inptr-G.inbuf) + length);
		35	} else {
		36	- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
		37	+ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
		38	+ if (bytes_read == 0)
		39	return PK_EOF;
		40	+ if (bytes_read != length)
		41	+ return PK_ERR;
		42	/* Looks like here is where extra fields are read */
		43	if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
		44	{
		45	diff --git a/process.c b/process.c
		46	index 5f8f6c6..de843a5 100644
		47	--- a/process.c
		48	+++ b/process.c
		49	@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
		50	G.unipath_checksum = makelong(offset + ef_buf);
		51	offset += 4;
		52
		53	+ if (!G.filename_full) {
		54	+ /* Check if we have a unicode extra section but no filename set */
		55	+ return PK_ERR;
		56	+ }
		57	+
		58	/*
		59	* Compute 32-bit crc
		60	*/
		61	-
		62	chksum = crc32(chksum, (uch *)(G.filename_full),
		63	strlen(G.filename_full));
		64
		65	--
		66	2.32.0
		67


diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch new file mode 100644 index 0000000000..1c1e120deb --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
		1	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
		2
		3	CVE: CVE-2022-0529
		4	Upstream-Status: Inactive-Upstream [need a new release]
		5
		6	diff --git a/process.c b/process.c
		7	index d2a846e..99b9c7b 100644
		8	--- a/process.c
		9	+++ b/process.c
		10	@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
		11	char buf[9];
		12	char *buffer = NULL;
		13	char *local_string = NULL;
		14	+ size_t buffer_size;
		15
		16	for (wsize = 0; wide_string[wsize]; wsize++) ;
		17
		18	if (max_bytes < MAX_ESCAPE_BYTES)
		19	max_bytes = MAX_ESCAPE_BYTES;
		20
		21	- if ((buffer = (char )malloc(wsize max_bytes + 1)) == NULL) {
		22	+ buffer_size = wsize * max_bytes + 1;
		23	+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
		24	return NULL;
		25	}
		26
		27	@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
		28	/* no MB for this wide */
		29	/* use escape for wide character */
		30	char *escape_string = wide_to_escape_string(wide_string[i]);
		31	- strcat(buffer, escape_string);
		32	+ size_t buffer_len = strlen(buffer);
		33	+ size_t escape_string_len = strlen(escape_string);
		34	+ if (buffer_len + escape_string_len + 1 > buffer_size)
		35	+ escape_string_len = buffer_size - buffer_len - 1;
		36	+ strncat(buffer, escape_string, escape_string_len);
		37	free(escape_string);
		38	}
		39	}


diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch new file mode 100644 index 0000000000..363dafddc9 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
		1	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
		2
		3	CVE: CVE-2022-0530
		4	Upstream-Status: Inactive-Upstream [need a new release]
		5
		6	diff --git a/fileio.c b/fileio.c
		7	index 6290824..77e4b5f 100644
		8	--- a/fileio.c
		9	+++ b/fileio.c
		10	@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */
		11	/* convert UTF-8 to local character set */
		12	fn = utf8_to_local_string(G.unipath_filename,
		13	G.unicode_escape_all);
		14	+ if (fn == NULL)
		15	+ return PK_ERR;
		16	+
		17	/* make sure filename is short enough */
		18	if (strlen(fn) >= FILNAMSIZ) {
		19	fn[FILNAMSIZ - 1] = '\0';
		20	diff --git a/process.c b/process.c
		21	index d2a846e..715bc0f 100644
		22	--- a/process.c
		23	+++ b/process.c
		24	@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
		25	int escape_all;
		26	{
		27	zwchar *wide = utf8_to_wide_string(utf8_string);
		28	+ if (wide == NULL)
		29	+ return NULL;
		30	char *loc = wide_to_local_string(wide, escape_all);
		31	free(wide);
		32	return loc;
		33


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index c1ea0a9a2c..fa57c8f5bd 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -1,5 +1,6 @@
1	SUMMARY = "Utilities for extracting and viewing files in .zip archives"	1	SUMMARY = "Utilities for extracting and viewing files in .zip archives"
2	HOMEPAGE = "http://www.info-zip.org"	2	HOMEPAGE = "http://www.info-zip.org"
		3	DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
3	SECTION = "console/utils"	4	SECTION = "console/utils"
4	LICENSE = "BSD-3-Clause"	5	LICENSE = "BSD-3-Clause"
5	LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
25	file://CVE-2019-13232_p1.patch \	26	file://CVE-2019-13232_p1.patch \
26	file://CVE-2019-13232_p2.patch \	27	file://CVE-2019-13232_p2.patch \
27	file://CVE-2019-13232_p3.patch \	28	file://CVE-2019-13232_p3.patch \
		29	file://CVE-2021-4217.patch \
		30	file://CVE-2022-0529.patch \
		31	file://CVE-2022-0530.patch \
28	"	32	"
29	UPSTREAM_VERSION_UNKNOWN = "1"	33	UPSTREAM_VERSION_UNKNOWN = "1"
30		34
31	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"	35	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
32	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"	36	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
33		37
		38	# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
		39	CVE_CHECK_WHITELIST += "CVE-2008-0888"
		40
34	# exclude version 5.5.2 which triggers a false positive	41	# exclude version 5.5.2 which triggers a false positive
35	UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"	42	UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
36		43