diff options
| -rw-r--r-- | meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch | 63 | ||||
| -rw-r--r-- | meta-oe/recipes-extended/p7zip/p7zip_16.02.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch new file mode 100644 index 0000000000..586c0e82dc --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Vrushti Dabhi <vdabhi@cisco.com> | ||
| 3 | Date: Thu, 27 Nov 2025 01:36:55 -0800 | ||
| 4 | Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing | ||
| 5 | (CVE-2022-47069) | ||
| 6 | |||
| 7 | Add bounds checking and replace unsafe pointer arithmetic with index-based | ||
| 8 | access in FindCd() to prevent out-of-bounds read when processing malformed | ||
| 9 | ZIP archives. | ||
| 10 | |||
| 11 | Testing: | ||
| 12 | - Verified fix using steps mentioned at [1], trace not observed. | ||
| 13 | - Validated against known malicious ZIP samples [1] | ||
| 14 | - Changes merged in upstream p7zip via [2] | ||
| 15 | |||
| 16 | CVE: CVE-2022-47069 | ||
| 17 | Upstream-Status: Pending | ||
| 18 | |||
| 19 | References: | ||
| 20 | [1] https://sourceforge.net/p/p7zip/bugs/241/ | ||
| 21 | [2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2 | ||
| 22 | [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069 | ||
| 23 | |||
| 24 | Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com> | ||
| 25 | --- | ||
| 26 | CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++---- | ||
| 27 | 1 file changed, 6 insertions(+), 4 deletions(-) | ||
| 28 | |||
| 29 | diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp | ||
| 30 | index c71c40f..84213b4 100644 | ||
| 31 | --- a/CPP/7zip/Archive/Zip/ZipIn.cpp | ||
| 32 | +++ b/CPP/7zip/Archive/Zip/ZipIn.cpp | ||
| 33 | @@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode) | ||
| 34 | |||
| 35 | if (i >= kEcd64Locator_Size) | ||
| 36 | { | ||
| 37 | - const Byte *locatorPtr = buf + i - kEcd64Locator_Size; | ||
| 38 | - if (Get32(locatorPtr) == NSignature::kEcd64Locator) | ||
| 39 | + const size_t locatorIndex = i - kEcd64Locator_Size; | ||
| 40 | + if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator) | ||
| 41 | { | ||
| 42 | CLocator locator; | ||
| 43 | - locator.Parse(locatorPtr + 4); | ||
| 44 | + locator.Parse(buf + locatorIndex + 4); | ||
| 45 | if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 0xFFFF) | ||
| 46 | && locator.Ecd64Disk < locator.NumDisks) | ||
| 47 | { | ||
| 48 | @@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode) | ||
| 49 | // we try relative backward reading. | ||
| 50 | |||
| 51 | UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + kEcd64_FullSize); | ||
| 52 | + | ||
| 53 | + if (locatorIndex >= kEcd64_FullSize) | ||
| 54 | if (checkOffsetMode || absEcd64 == locator.Ecd64Offset) | ||
| 55 | { | ||
| 56 | - const Byte *ecd64 = locatorPtr - kEcd64_FullSize; | ||
| 57 | + const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize; | ||
| 58 | if (Get32(ecd64) == NSignature::kEcd64) | ||
| 59 | { | ||
| 60 | UInt64 mainEcd64Size = Get64(ecd64 + 4); | ||
| 61 | -- | ||
| 62 | 2.35.6 | ||
| 63 | |||
diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 31a12fdb04..3ac0ed03cd 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb | |||
| @@ -13,6 +13,7 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al | |||
| 13 | file://CVE-2018-5996.patch \ | 13 | file://CVE-2018-5996.patch \ |
| 14 | file://CVE-2016-9296.patch \ | 14 | file://CVE-2016-9296.patch \ |
| 15 | file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \ | 15 | file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \ |
| 16 | file://CVE-2022-47069.patch \ | ||
| 16 | " | 17 | " |
| 17 | 18 | ||
| 18 | SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" | 19 | SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" |
