zlib: fix CVE-2014-9485

Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive. Reference: https://security-tracker.debian.org/tracker/CVE-2014-9485 Upstream-patch: https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01 (From OE-Core rev: 32c4b28fc06e39ab8ef86aebc5e1e1ae19934495) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-03-27 11:16:08 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-04-04 08:42:47 -0700
commit: 68c9f9f44982e8caabc82c25292cbdf93877aef6 (patch)
tree: 46ce5fa01aaa83c89a149ff0a8744cd836279536
parent: ccd6eee7fcc83b32278319c3526a13fe856a74bc (diff)
download: poky-68c9f9f44982e8caabc82c25292cbdf93877aef6.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
new file mode 100644
index 0000000000..bf575d59f7
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
@@ -0,0 +1,64 @@
+From 14a5f8f266c16c87ab6c086fc52b770b27701e01 Mon Sep 17 00:00:00 2001
+From: Matt Wilson <msw@amazon.com>
+Date: Wed, 17 Jan 2024 14:46:18 -0800
+Subject: [PATCH] Neutralize zip file traversal attacks in miniunz.
+Archive formats such as .zip files are generally susceptible to
+so-called "traversal attacks". This allows an attacker to craft
+an archive that writes to unexpected locations of the file system
+(e.g., /etc/shadow) if an unspecting root user were to unpack a
+malicious archive.
+This patch neutralizes absolute paths such as /tmp/moo and deeply
+relative paths such as dummy/../../../../../../../../../../tmp/moo
+The Debian project requested CVE-2014-9485 be allocated for the
+first identified weakness. The fix was incomplete, resulting in a
+revised patch applied here. Since there wasn't an updated version
+released by Debian with the incomplete fix, I suggest we use this
+CVE to identify both issues.
+Link: https://security.snyk.io/research/zip-slip-vulnerability
+Link: https://bugs.debian.org/774321
+Link: https://bugs.debian.org/776831
+Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
+Reported-by: Jakub Wilk <jwilk@debian.org>
+Fixed-by: Michael Gilbert <mgilbert@debian.org>
+CVE: CVE-2014-9485
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ contrib/minizip/miniunz.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/contrib/minizip/miniunz.c b/contrib/minizip/miniunz.c
+index 3d65401..479e475 100644
+--- a/contrib/minizip/miniunz.c
+++ b/contrib/minizip/miniunz.c
+@@ -367,6 +367,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password)
+         else
+             write_filename = filename_withoutpath;
+ 
+        if (write_filename[0]!='\0')
+        {
+            const char* relative_check = write_filename;
+            while (relative_check[1]!='\0')
+            {
+                if (relative_check[0]=='.' && relative_check[1]=='.')
+                    write_filename = relative_check;
+                relative_check++;
+            }
+        }
+
+        while (write_filename[0]=='/' || write_filename[0]=='.')
+            write_filename++;
+
+         err = unzOpenCurrentFilePassword(uf,password);
+         if (err!=UNZ_OK)
+         {
+-- 
+2.40.0
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb
index 393ac61e3d..dc8f7c6c85 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
           file://run-ptest \
            file://CVE-2022-37434.patch \
           file://CVE-2023-45853.patch \
+           file://CVE-2014-9485.patch \
           "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-03-27 11:16:08 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-04-04 08:42:47 -0700
commit	68c9f9f44982e8caabc82c25292cbdf93877aef6 (patch)
tree	46ce5fa01aaa83c89a149ff0a8744cd836279536
parent	ccd6eee7fcc83b32278319c3526a13fe856a74bc (diff)
download	poky-68c9f9f44982e8caabc82c25292cbdf93877aef6.tar.gz

diff --git a/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch new file mode 100644 index 0000000000..bf575d59f7 --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
@@ -0,0 +1,64 @@
		1	From 14a5f8f266c16c87ab6c086fc52b770b27701e01 Mon Sep 17 00:00:00 2001
		2	From: Matt Wilson <msw@amazon.com>
		3	Date: Wed, 17 Jan 2024 14:46:18 -0800
		4	Subject: [PATCH] Neutralize zip file traversal attacks in miniunz.
		5
		6	Archive formats such as .zip files are generally susceptible to
		7	so-called "traversal attacks". This allows an attacker to craft
		8	an archive that writes to unexpected locations of the file system
		9	(e.g., /etc/shadow) if an unspecting root user were to unpack a
		10	malicious archive.
		11
		12	This patch neutralizes absolute paths such as /tmp/moo and deeply
		13	relative paths such as dummy/../../../../../../../../../../tmp/moo
		14
		15	The Debian project requested CVE-2014-9485 be allocated for the
		16	first identified weakness. The fix was incomplete, resulting in a
		17	revised patch applied here. Since there wasn't an updated version
		18	released by Debian with the incomplete fix, I suggest we use this
		19	CVE to identify both issues.
		20
		21	Link: https://security.snyk.io/research/zip-slip-vulnerability
		22	Link: https://bugs.debian.org/774321
		23	Link: https://bugs.debian.org/776831
		24	Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
		25	Reported-by: Jakub Wilk <jwilk@debian.org>
		26	Fixed-by: Michael Gilbert <mgilbert@debian.org>
		27
		28	CVE: CVE-2014-9485
		29
		30	Upstream-Status: Backport [https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01]
		31
		32	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		33	---
		34	contrib/minizip/miniunz.c \| 14 ++++++++++++++
		35	1 file changed, 14 insertions(+)
		36
		37	diff --git a/contrib/minizip/miniunz.c b/contrib/minizip/miniunz.c
		38	index 3d65401..479e475 100644
		39	--- a/contrib/minizip/miniunz.c
		40	+++ b/contrib/minizip/miniunz.c
		41	@@ -367,6 +367,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password)
		42	else
		43	write_filename = filename_withoutpath;
		44
		45	+ if (write_filename[0]!='\0')
		46	+ {
		47	+ const char* relative_check = write_filename;
		48	+ while (relative_check[1]!='\0')
		49	+ {
		50	+ if (relative_check[0]=='.' && relative_check[1]=='.')
		51	+ write_filename = relative_check;
		52	+ relative_check++;
		53	+ }
		54	+ }
		55	+
		56	+ while (write_filename[0]=='/' \|\| write_filename[0]=='.')
		57	+ write_filename++;
		58	+
		59	err = unzOpenCurrentFilePassword(uf,password);
		60	if (err!=UNZ_OK)
		61	{
		62	--
		63	2.40.0
		64


diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb index 393ac61e3d..dc8f7c6c85 100644 --- a/meta/recipes-core/zlib/zlib_1.2.11.bb +++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
13	file://run-ptest \	13	file://run-ptest \
14	file://CVE-2022-37434.patch \	14	file://CVE-2022-37434.patch \
15	file://CVE-2023-45853.patch \	15	file://CVE-2023-45853.patch \
		16	file://CVE-2014-9485.patch \
16	"	17	"
17	UPSTREAM_CHECK_URI = "http://zlib.net/"	18	UPSTREAM_CHECK_URI = "http://zlib.net/"
18		19