2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch
new file mode 100644
index 0000000000..37289d1a53
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch
@@ -0,0 +1,48 @@
+From 349f566e6e757458843fa164a0f0584280e1501e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 15 Aug 2018 16:20:53 +0800
+Subject: [PATCH] unzip: fix CVE-2018-1000035
+Upstream-Status: Backport
+CVE: CVE-2018-1000035
+backport from unzip6.10c23
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ fileio.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/fileio.c b/fileio.c
+index 36bfea3..7605a29 100644
+--- a/fileio.c
+++ b/fileio.c
+@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+     int r = IZ_PW_ENTERED;
+     char *m;
+     char *prompt;
+    char *ep;
+    char *zp;
+ 
+ #ifndef REENTRANT
+     /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+ 
+     if (*rcnt == 0) {           /* First call for current entry */
+         *rcnt = 2;
+-        if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+-            sprintf(prompt, LoadFarString(PasswPrompt),
+-                    FnFilter1(zfn), FnFilter2(efn));
+        zp = FnFilter1( zfn);
+        ep = FnFilter2( efn);
+        prompt = (char *)malloc(    /* Slightly too long (2* "%s"). */
+         sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
+        if (prompt != (char *)NULL) {
+            sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+             m = prompt;
+         } else
+             m = (char *)LoadFarString(PasswPrompt2);
+-- 
+2.7.4
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index dbf4112a4c..a47491ea4a 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
        file://18-cve-2014-9913-unzip-buffer-overflow.patch \
        file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
        file://symlink.patch \
+        file://0001-unzip-fix-CVE-2018-1000035.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"

diff --git a/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch new file mode 100644 index 0000000000..37289d1a53 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/0001-unzip-fix-CVE-2018-1000035.patch
@@ -0,0 +1,48 @@
		1	From 349f566e6e757458843fa164a0f0584280e1501e Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Wed, 15 Aug 2018 16:20:53 +0800
		4	Subject: [PATCH] unzip: fix CVE-2018-1000035
		5
		6	Upstream-Status: Backport
		7
		8	CVE: CVE-2018-1000035
		9
		10	backport from unzip6.10c23
		11
		12	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		13	---
		14	fileio.c \| 11 ++++++++---
		15	1 file changed, 8 insertions(+), 3 deletions(-)
		16
		17	diff --git a/fileio.c b/fileio.c
		18	index 36bfea3..7605a29 100644
		19	--- a/fileio.c
		20	+++ b/fileio.c
		21	@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
		22	int r = IZ_PW_ENTERED;
		23	char *m;
		24	char *prompt;
		25	+ char *ep;
		26	+ char *zp;
		27
		28	#ifndef REENTRANT
		29	/* tell picky compilers to shut up about "unused variable" warnings */
		30	@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
		31
		32	if (rcnt == 0) { / First call for current entry */
		33	*rcnt = 2;
		34	- if ((prompt = (char )malloc(2FILNAMSIZ + 15)) != (char *)NULL) {
		35	- sprintf(prompt, LoadFarString(PasswPrompt),
		36	- FnFilter1(zfn), FnFilter2(efn));
		37	+ zp = FnFilter1( zfn);
		38	+ ep = FnFilter2( efn);
		39	+ prompt = (char )malloc( / Slightly too long (2* "%s"). */
		40	+ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
		41	+ if (prompt != (char *)NULL) {
		42	+ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
		43	m = prompt;
		44	} else
		45	m = (char *)LoadFarString(PasswPrompt2);
		46	--
		47	2.7.4
		48


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index dbf4112a4c..a47491ea4a 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
20	file://18-cve-2014-9913-unzip-buffer-overflow.patch \	20	file://18-cve-2014-9913-unzip-buffer-overflow.patch \
21	file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \	21	file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
22	file://symlink.patch \	22	file://symlink.patch \
		23	file://0001-unzip-fix-CVE-2018-1000035.patch \
23	"	24	"
24	UPSTREAM_VERSION_UNKNOWN = "1"	25	UPSTREAM_VERSION_UNKNOWN = "1"
25		26