diff options
Diffstat (limited to 'meta/recipes-extended/unzip')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | 67 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch | 39 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch | 33 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip_6.0.bb | 7 |
4 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nils Bars <nils.bars@t-online.de> | ||
3 | Date: Mon, 17 Jan 2022 16:53:16 +0000 | ||
4 | Subject: [PATCH] Fix null pointer dereference and use of uninitialized data | ||
5 | |||
6 | This fixes a bug that causes use of uninitialized heap data if `readbuf` fails | ||
7 | to read as many bytes as indicated by the extra field length attribute. | ||
8 | Furthermore, this fixes a null pointer dereference if an archive contains an | ||
9 | `EF_UNIPATH` extra field but does not have a filename set. | ||
10 | --- | ||
11 | fileio.c | 5 ++++- | ||
12 | process.c | 6 +++++- | ||
13 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
14 | --- | ||
15 | |||
16 | Patch from: | ||
17 | https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 | ||
18 | https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch | ||
19 | Regenerated to apply without offsets. | ||
20 | |||
21 | CVE: CVE-2021-4217 | ||
22 | |||
23 | Upstream-Status: Pending [infozip upstream inactive] | ||
24 | |||
25 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
26 | |||
27 | |||
28 | diff --git a/fileio.c b/fileio.c | ||
29 | index 14460f3..1dc319e 100644 | ||
30 | --- a/fileio.c | ||
31 | +++ b/fileio.c | ||
32 | @@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ | ||
33 | seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + | ||
34 | (G.inptr-G.inbuf) + length); | ||
35 | } else { | ||
36 | - if (readbuf(__G__ (char *)G.extra_field, length) == 0) | ||
37 | + unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); | ||
38 | + if (bytes_read == 0) | ||
39 | return PK_EOF; | ||
40 | + if (bytes_read != length) | ||
41 | + return PK_ERR; | ||
42 | /* Looks like here is where extra fields are read */ | ||
43 | if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | ||
44 | { | ||
45 | diff --git a/process.c b/process.c | ||
46 | index 5f8f6c6..de843a5 100644 | ||
47 | --- a/process.c | ||
48 | +++ b/process.c | ||
49 | @@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) | ||
50 | G.unipath_checksum = makelong(offset + ef_buf); | ||
51 | offset += 4; | ||
52 | |||
53 | + if (!G.filename_full) { | ||
54 | + /* Check if we have a unicode extra section but no filename set */ | ||
55 | + return PK_ERR; | ||
56 | + } | ||
57 | + | ||
58 | /* | ||
59 | * Compute 32-bit crc | ||
60 | */ | ||
61 | - | ||
62 | chksum = crc32(chksum, (uch *)(G.filename_full), | ||
63 | strlen(G.filename_full)); | ||
64 | |||
65 | -- | ||
66 | 2.32.0 | ||
67 | |||
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch new file mode 100644 index 0000000000..1c1e120deb --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 | ||
2 | |||
3 | CVE: CVE-2022-0529 | ||
4 | Upstream-Status: Inactive-Upstream [need a new release] | ||
5 | |||
6 | diff --git a/process.c b/process.c | ||
7 | index d2a846e..99b9c7b 100644 | ||
8 | --- a/process.c | ||
9 | +++ b/process.c | ||
10 | @@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all) | ||
11 | char buf[9]; | ||
12 | char *buffer = NULL; | ||
13 | char *local_string = NULL; | ||
14 | + size_t buffer_size; | ||
15 | |||
16 | for (wsize = 0; wide_string[wsize]; wsize++) ; | ||
17 | |||
18 | if (max_bytes < MAX_ESCAPE_BYTES) | ||
19 | max_bytes = MAX_ESCAPE_BYTES; | ||
20 | |||
21 | - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { | ||
22 | + buffer_size = wsize * max_bytes + 1; | ||
23 | + if ((buffer = (char *)malloc(buffer_size)) == NULL) { | ||
24 | return NULL; | ||
25 | } | ||
26 | |||
27 | @@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all) | ||
28 | /* no MB for this wide */ | ||
29 | /* use escape for wide character */ | ||
30 | char *escape_string = wide_to_escape_string(wide_string[i]); | ||
31 | - strcat(buffer, escape_string); | ||
32 | + size_t buffer_len = strlen(buffer); | ||
33 | + size_t escape_string_len = strlen(escape_string); | ||
34 | + if (buffer_len + escape_string_len + 1 > buffer_size) | ||
35 | + escape_string_len = buffer_size - buffer_len - 1; | ||
36 | + strncat(buffer, escape_string, escape_string_len); | ||
37 | free(escape_string); | ||
38 | } | ||
39 | } | ||
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch new file mode 100644 index 0000000000..363dafddc9 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 | ||
2 | |||
3 | CVE: CVE-2022-0530 | ||
4 | Upstream-Status: Inactive-Upstream [need a new release] | ||
5 | |||
6 | diff --git a/fileio.c b/fileio.c | ||
7 | index 6290824..77e4b5f 100644 | ||
8 | --- a/fileio.c | ||
9 | +++ b/fileio.c | ||
10 | @@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ | ||
11 | /* convert UTF-8 to local character set */ | ||
12 | fn = utf8_to_local_string(G.unipath_filename, | ||
13 | G.unicode_escape_all); | ||
14 | + if (fn == NULL) | ||
15 | + return PK_ERR; | ||
16 | + | ||
17 | /* make sure filename is short enough */ | ||
18 | if (strlen(fn) >= FILNAMSIZ) { | ||
19 | fn[FILNAMSIZ - 1] = '\0'; | ||
20 | diff --git a/process.c b/process.c | ||
21 | index d2a846e..715bc0f 100644 | ||
22 | --- a/process.c | ||
23 | +++ b/process.c | ||
24 | @@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) | ||
25 | int escape_all; | ||
26 | { | ||
27 | zwchar *wide = utf8_to_wide_string(utf8_string); | ||
28 | + if (wide == NULL) | ||
29 | + return NULL; | ||
30 | char *loc = wide_to_local_string(wide, escape_all); | ||
31 | free(wide); | ||
32 | return loc; | ||
33 | |||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index c1ea0a9a2c..fa57c8f5bd 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Utilities for extracting and viewing files in .zip archives" | 1 | SUMMARY = "Utilities for extracting and viewing files in .zip archives" |
2 | HOMEPAGE = "http://www.info-zip.org" | 2 | HOMEPAGE = "http://www.info-zip.org" |
3 | DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc." | ||
3 | SECTION = "console/utils" | 4 | SECTION = "console/utils" |
4 | LICENSE = "BSD-3-Clause" | 5 | LICENSE = "BSD-3-Clause" |
5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29" | 6 | LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29" |
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ | |||
25 | file://CVE-2019-13232_p1.patch \ | 26 | file://CVE-2019-13232_p1.patch \ |
26 | file://CVE-2019-13232_p2.patch \ | 27 | file://CVE-2019-13232_p2.patch \ |
27 | file://CVE-2019-13232_p3.patch \ | 28 | file://CVE-2019-13232_p3.patch \ |
29 | file://CVE-2021-4217.patch \ | ||
30 | file://CVE-2022-0529.patch \ | ||
31 | file://CVE-2022-0530.patch \ | ||
28 | " | 32 | " |
29 | UPSTREAM_VERSION_UNKNOWN = "1" | 33 | UPSTREAM_VERSION_UNKNOWN = "1" |
30 | 34 | ||
31 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" | 35 | SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" |
32 | SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" | 36 | SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" |
33 | 37 | ||
38 | # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source | ||
39 | CVE_CHECK_WHITELIST += "CVE-2008-0888" | ||
40 | |||
34 | # exclude version 5.5.2 which triggers a false positive | 41 | # exclude version 5.5.2 which triggers a false positive |
35 | UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz" | 42 | UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz" |
36 | 43 | ||