summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch63
-rw-r--r--meta-oe/recipes-extended/p7zip/p7zip_16.02.bb1
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
new file mode 100644
index 0000000000..586c0e82dc
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
@@ -0,0 +1,63 @@
1From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001
2From: Vrushti Dabhi <vdabhi@cisco.com>
3Date: Thu, 27 Nov 2025 01:36:55 -0800
4Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing
5 (CVE-2022-47069)
6
7Add bounds checking and replace unsafe pointer arithmetic with index-based
8access in FindCd() to prevent out-of-bounds read when processing malformed
9ZIP archives.
10
11Testing:
12- Verified fix using steps mentioned at [1], trace not observed.
13- Validated against known malicious ZIP samples [1]
14- Changes merged in upstream p7zip via [2]
15
16CVE: CVE-2022-47069
17Upstream-Status: Pending
18
19References:
20[1] https://sourceforge.net/p/p7zip/bugs/241/
21[2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
22[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
23
24Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
25---
26 CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++----
27 1 file changed, 6 insertions(+), 4 deletions(-)
28
29diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp
30index c71c40f..84213b4 100644
31--- a/CPP/7zip/Archive/Zip/ZipIn.cpp
32+++ b/CPP/7zip/Archive/Zip/ZipIn.cpp
33@@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
34
35 if (i >= kEcd64Locator_Size)
36 {
37- const Byte *locatorPtr = buf + i - kEcd64Locator_Size;
38- if (Get32(locatorPtr) == NSignature::kEcd64Locator)
39+ const size_t locatorIndex = i - kEcd64Locator_Size;
40+ if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator)
41 {
42 CLocator locator;
43- locator.Parse(locatorPtr + 4);
44+ locator.Parse(buf + locatorIndex + 4);
45 if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 0xFFFF)
46 && locator.Ecd64Disk < locator.NumDisks)
47 {
48@@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
49 // we try relative backward reading.
50
51 UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + kEcd64_FullSize);
52+
53+ if (locatorIndex >= kEcd64_FullSize)
54 if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)
55 {
56- const Byte *ecd64 = locatorPtr - kEcd64_FullSize;
57+ const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize;
58 if (Get32(ecd64) == NSignature::kEcd64)
59 {
60 UInt64 mainEcd64Size = Get64(ecd64 + 4);
61--
622.35.6
63
diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
index 31a12fdb04..3ac0ed03cd 100644
--- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
+++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
13 file://CVE-2018-5996.patch \ 13 file://CVE-2018-5996.patch \
14 file://CVE-2016-9296.patch \ 14 file://CVE-2016-9296.patch \
15 file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \ 15 file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \
16 file://CVE-2022-47069.patch \
16 " 17 "
17 18
18SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" 19SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"