diff options
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | 67 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip_6.0.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nils Bars <nils.bars@t-online.de> | ||
3 | Date: Mon, 17 Jan 2022 16:53:16 +0000 | ||
4 | Subject: [PATCH] Fix null pointer dereference and use of uninitialized data | ||
5 | |||
6 | This fixes a bug that causes use of uninitialized heap data if `readbuf` fails | ||
7 | to read as many bytes as indicated by the extra field length attribute. | ||
8 | Furthermore, this fixes a null pointer dereference if an archive contains an | ||
9 | `EF_UNIPATH` extra field but does not have a filename set. | ||
10 | --- | ||
11 | fileio.c | 5 ++++- | ||
12 | process.c | 6 +++++- | ||
13 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
14 | --- | ||
15 | |||
16 | Patch from: | ||
17 | https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 | ||
18 | https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch | ||
19 | Regenerated to apply without offsets. | ||
20 | |||
21 | CVE: CVE-2021-4217 | ||
22 | |||
23 | Upstream-Status: Pending [infozip upstream inactive] | ||
24 | |||
25 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
26 | |||
27 | |||
28 | diff --git a/fileio.c b/fileio.c | ||
29 | index 14460f3..1dc319e 100644 | ||
30 | --- a/fileio.c | ||
31 | +++ b/fileio.c | ||
32 | @@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ | ||
33 | seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + | ||
34 | (G.inptr-G.inbuf) + length); | ||
35 | } else { | ||
36 | - if (readbuf(__G__ (char *)G.extra_field, length) == 0) | ||
37 | + unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); | ||
38 | + if (bytes_read == 0) | ||
39 | return PK_EOF; | ||
40 | + if (bytes_read != length) | ||
41 | + return PK_ERR; | ||
42 | /* Looks like here is where extra fields are read */ | ||
43 | if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | ||
44 | { | ||
45 | diff --git a/process.c b/process.c | ||
46 | index 5f8f6c6..de843a5 100644 | ||
47 | --- a/process.c | ||
48 | +++ b/process.c | ||
49 | @@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) | ||
50 | G.unipath_checksum = makelong(offset + ef_buf); | ||
51 | offset += 4; | ||
52 | |||
53 | + if (!G.filename_full) { | ||
54 | + /* Check if we have a unicode extra section but no filename set */ | ||
55 | + return PK_ERR; | ||
56 | + } | ||
57 | + | ||
58 | /* | ||
59 | * Compute 32-bit crc | ||
60 | */ | ||
61 | - | ||
62 | chksum = crc32(chksum, (uch *)(G.filename_full), | ||
63 | strlen(G.filename_full)); | ||
64 | |||
65 | -- | ||
66 | 2.32.0 | ||
67 | |||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index af94a39195..c222a684b4 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
@@ -28,6 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ | |||
28 | file://CVE-2019-13232_p3.patch \ | 28 | file://CVE-2019-13232_p3.patch \ |
29 | file://unzip_optimization.patch \ | 29 | file://unzip_optimization.patch \ |
30 | file://0001-configure-Pass-LDFLAGS-to-tests-doing-link-step.patch \ | 30 | file://0001-configure-Pass-LDFLAGS-to-tests-doing-link-step.patch \ |
31 | file://CVE-2021-4217.patch \ | ||
31 | " | 32 | " |
32 | UPSTREAM_VERSION_UNKNOWN = "1" | 33 | UPSTREAM_VERSION_UNKNOWN = "1" |
33 | 34 | ||