From 68c9f9f44982e8caabc82c25292cbdf93877aef6 Mon Sep 17 00:00:00 2001 From: Divya Chellam Date: Thu, 27 Mar 2025 11:16:08 +0000 Subject: zlib: fix CVE-2014-9485 Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive. Reference: https://security-tracker.debian.org/tracker/CVE-2014-9485 Upstream-patch: https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01 (From OE-Core rev: 32c4b28fc06e39ab8ef86aebc5e1e1ae19934495) Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- meta/recipes-core/zlib/zlib/CVE-2014-9485.patch | 64 +++++++++++++++++++++++++ meta/recipes-core/zlib/zlib_1.2.11.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib/CVE-2014-9485.patch diff --git a/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch new file mode 100644 index 0000000000..bf575d59f7 --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2014-9485.patch @@ -0,0 +1,64 @@ +From 14a5f8f266c16c87ab6c086fc52b770b27701e01 Mon Sep 17 00:00:00 2001 +From: Matt Wilson +Date: Wed, 17 Jan 2024 14:46:18 -0800 +Subject: [PATCH] Neutralize zip file traversal attacks in miniunz. + +Archive formats such as .zip files are generally susceptible to +so-called "traversal attacks". This allows an attacker to craft +an archive that writes to unexpected locations of the file system +(e.g., /etc/shadow) if an unspecting root user were to unpack a +malicious archive. + +This patch neutralizes absolute paths such as /tmp/moo and deeply +relative paths such as dummy/../../../../../../../../../../tmp/moo + +The Debian project requested CVE-2014-9485 be allocated for the +first identified weakness. The fix was incomplete, resulting in a +revised patch applied here. Since there wasn't an updated version +released by Debian with the incomplete fix, I suggest we use this +CVE to identify both issues. + +Link: https://security.snyk.io/research/zip-slip-vulnerability +Link: https://bugs.debian.org/774321 +Link: https://bugs.debian.org/776831 +Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485 +Reported-by: Jakub Wilk +Fixed-by: Michael Gilbert + +CVE: CVE-2014-9485 + +Upstream-Status: Backport [https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01] + +Signed-off-by: Divya Chellam +--- + contrib/minizip/miniunz.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/contrib/minizip/miniunz.c b/contrib/minizip/miniunz.c +index 3d65401..479e475 100644 +--- a/contrib/minizip/miniunz.c ++++ b/contrib/minizip/miniunz.c +@@ -367,6 +367,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password) + else + write_filename = filename_withoutpath; + ++ if (write_filename[0]!='\0') ++ { ++ const char* relative_check = write_filename; ++ while (relative_check[1]!='\0') ++ { ++ if (relative_check[0]=='.' && relative_check[1]=='.') ++ write_filename = relative_check; ++ relative_check++; ++ } ++ } ++ ++ while (write_filename[0]=='/' || write_filename[0]=='.') ++ write_filename++; ++ + err = unzOpenCurrentFilePassword(uf,password); + if (err!=UNZ_OK) + { +-- +2.40.0 + diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb index 393ac61e3d..dc8f7c6c85 100644 --- a/meta/recipes-core/zlib/zlib_1.2.11.bb +++ b/meta/recipes-core/zlib/zlib_1.2.11.bb @@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://CVE-2022-37434.patch \ file://CVE-2023-45853.patch \ + file://CVE-2014-9485.patch \ " UPSTREAM_CHECK_URI = "http://zlib.net/" -- cgit v1.2.3-54-g00ecf