From: Rongqing Li <rongqing.li@windriver.com>
To: akuster808 <akuster808@gmail.com>,
<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] unzip: fix four CVE defects
Date: Wed, 24 Jun 2015 08:46:30 +0800
Message-ID: <5589FDE6.7020903@windriver.com>
In-Reply-To: <5589E0A7.7070509@gmail.com>
On 2015-06-24 06:41, akuster808 wrote:
> CVE-2014-9636 is also mentioned in commit
>
> c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1
> unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
>
> can you clarify why its on both places?
>
Sorry, it is duplicated, but I did not know why it can
be applied. I will resend it.
Thanks
-R
> - armin
>
> On 06/22/2015 10:32 PM, rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
>> cve-2014-8139
>> cve-2014-8140
>> cve-2014-8141
>> cve-2014-9636
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> ---
>> .../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++
>> .../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++
>> .../unzip/11-cve-2014-8141-getzip64data.patch | 144 +++++++++++++++++++++
>> .../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++
>> meta/recipes-extended/unzip/unzip_6.0.bb | 4 +
>> 5 files changed, 278 insertions(+)
>> create mode 100644 meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>> create mode 100644 meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> create mode 100644 meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>> create mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>>
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>>
>> new file mode 100644
>> index 0000000..e137f0d
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>> @@ -0,0 +1,52 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -298,6 +298,8 @@
>> + #ifndef SFX
>> + static ZCONST char Far InconsistEFlength[] = "bad extra-field
>> entry:\n \
>> + EF block length (%u bytes) exceeds remaining EF data (%u
>> bytes)\n";
>> ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field
>> entry:\n \
>> ++ EF block length (%u bytes) invalid (< %d)\n";
>> + static ZCONST char Far InvalidComprDataEAs[] =
>> + " invalid compressed data for EAs\n";
>> + # if (defined(WIN32) && defined(NTSD_EAS))
>> +@@ -2023,7 +2025,8 @@
>> + ebID = makeword(ef);
>> + ebLen = (unsigned)makeword(ef+EB_LEN);
>> +
>> +- if (ebLen > (ef_len - EB_HEADSIZE)) {
>> ++ if (ebLen > (ef_len - EB_HEADSIZE))
>> ++ {
>> + /* Discovered some extra field inconsistency! */
>> + if (uO.qflag)
>> + Info(slide, 1, ((char *)slide, "%-22s ",
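Review bot: this hunk only moves the opening brace of `if (ebLen > (ef_len - EB_HEADSIZE))` onto its own line; it has no functional effect and is not part of the CVE-2014-8139 fix, so drop it to keep the backport minimal and to avoid needless conflicts against unzip60's brace style.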
>> +@@ -2158,11 +2161,19 @@
>> + }
>> + break;
>> + case EF_PKVMS:
>> +- if (makelong(ef+EB_HEADSIZE) !=
>> ++ if (ebLen < 4)
>> ++ {
>> ++ Info(slide, 1,
>> ++ ((char *)slide, LoadFarString(TooSmallEBlength),
>> ++ ebLen, 4));
>> ++ }
>> ++ else if (makelong(ef+EB_HEADSIZE) !=
>> + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
>> + (extent)(ebLen-4)))
>> ++ {
>> + Info(slide, 1, ((char *)slide,
>> + LoadFarString(BadCRC_EAs)));
>> ++ }
>> + break;
>> + case EF_PKW32:
>> + case EF_PKUNIX:
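Review bot: the `ebLen < 4` test is the actual fix: without it `(extent)(ebLen-4)` wraps for ebLen 0..3 and crc32() reads far beyond the block. But the new branch only prints TooSmallEBlength and then reaches `break` with no error status, the same as the BadCRC_EAs mismatch path directly below it, so a block too short to even hold its CRC is still accepted by the caller. If that is intended, say so in the patch header; otherwise return an error from this branch.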
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> new file mode 100644
>> index 0000000..edc7d51
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> @@ -0,0 +1,33 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -2232,10 +2232,17 @@
>> + if (compr_offset < 4) /* field is not compressed: */
>> + return PK_OK; /* do nothing and signal OK */
>> +
>> ++ /* Return no/bad-data error status if any problem is found:
>> ++ * 1. eb_size is too small to hold the uncompressed size
>> ++ * (eb_ucsize). (Else extract eb_ucsize.)
>> ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
>> ++ * 3. eb_ucsize is positive, but eb_size is too small to hold
>> ++ * the compressed data header.
>> ++ */
>> + if ((eb_size < (EB_UCSIZE_P + 4)) ||
>> +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
>> +- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
>> +- return IZ_EF_TRUNC; /* no compressed data! */
>> ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
>> ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset +
>> EB_CMPRHEADLEN))))
>> ++ return IZ_EF_TRUNC; /* no/bad compressed data! */
>> +
>> + if (
>> + #ifdef INT_16BIT
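Review bot: now that `(eb_ucsize == 0L)` returns IZ_EF_TRUNC on its own, the `(eb_ucsize > 0L) &&` guard in the third clause is redundant if eb_ucsize is unsigned and harmful if it is signed (a negative value would skip the `eb_size <= (compr_offset + EB_CMPRHEADLEN)` test altogether); make the third clause unconditional: `(eb_size <= (compr_offset + EB_CMPRHEADLEN))`. Smaller point: the `2014-12-04 SMS.` stamp sits inside numbered item 2 of the new comment and reads as part of the rule; give it its own line.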
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>>
>> new file mode 100644
>> index 0000000..d0c1db3
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>> @@ -0,0 +1,144 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +
>> +--- a/fileio.c
>> ++++ b/fileio.c
>> +@@ -176,6 +176,8 @@
>> + #endif
>> + static ZCONST char Far ExtraFieldTooLong[] =
>> + "warning: extra field too long (%d). Ignoring...\n";
>> ++static ZCONST char Far ExtraFieldCorrupt[] =
>> ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
>> +
>> + #ifdef WINDLL
>> + static ZCONST char Far DiskFullQuery[] =
>> +@@ -2295,7 +2297,12 @@
>> + if (readbuf(__G__ (char *)G.extra_field, length) == 0)
>> + return PK_EOF;
>> + /* Looks like here is where extra fields are read */
>> +- getZip64Data(__G__ G.extra_field, length);
>> ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
>> ++ {
>> ++ Info(slide, 0x401, ((char *)slide,
>> ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
>> ++ error = PK_WARN;
>> ++ }
>> + #ifdef UNICODE_SUPPORT
>> + G.unipath_filename = NULL;
>> + if (G.UzO.U_flag < 2) {
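Review bot: `error = PK_WARN` continues with the entry after getZip64Data() failed, yet by the time that function returns PK_ERR it may already have written G.crec.ucsize/G.lrec.ucsize or G.csize from a block it then found too short (the process.c hunk in this same patch assigns each value before checking the length of the next one). Either treat a corrupt EF_PKSZ64 block as a hard error for this entry, or have getZip64Data() validate all lengths before assigning anything, so that a warning really does leave the sizes as they were.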
>> +--- a/process.c
>> ++++ b/process.c
>> +@@ -1,5 +1,5 @@
>> + /*
>> +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
>> ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
>> +
>> + See the accompanying file LICENSE, version 2009-Jan-02 or later
>> + (the contents of which are also included in unzip.h) for terms of
>> use.
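Review bot: the copyright-year bump (2009 to 2014) in process.c is unrelated to CVE-2014-8141 and is noise in a distro backport; drop this hunk so the patch carries only the functional change.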
>> +@@ -1901,48 +1901,82 @@
>> + and a 4-byte version of disk start number.
>> + Sets both local header and central header fields. Not terribly
>> clever,
>> + but it means that this procedure is only called in one place.
>> ++
>> ++ 2014-12-05 SMS.
>> ++ Added checks to ensure that enough data are available before
>> calling
>> ++ makeint64() or makelong(). Replaced various sizeof() values with
>> ++ simple ("4" or "8") constants. (The Zip64 structures do not depend
>> ++ on our variable sizes.) Error handling is crude, but we should now
>> ++ stay within the buffer.
>> +
>> ---------------------------------------------------------------------------*/
>>
>> +
>> ++#define Z64FLGS 0xffff
>> ++#define Z64FLGL 0xffffffff
>> ++
>> + if (ef_len == 0 || ef_buf == NULL)
>> + return PK_COOL;
>> +
>> + Trace((stderr,"\ngetZip64Data: scanning extra field of length
>> %u\n",
>> + ef_len));
>> +
>> +- while (ef_len >= EB_HEADSIZE) {
>> ++ while (ef_len >= EB_HEADSIZE)
>> ++ {
>> + eb_id = makeword(EB_ID + ef_buf);
>> + eb_len = makeword(EB_LEN + ef_buf);
>> +
>> +- if (eb_len > (ef_len - EB_HEADSIZE)) {
>> +- /* discovered some extra field inconsistency! */
>> ++ if (eb_len > (ef_len - EB_HEADSIZE))
>> ++ {
>> ++ /* Extra block length exceeds remaining extra field
>> length. */
>> + Trace((stderr,
>> + "getZip64Data: block length %u > rest ef_size %u\n",
>> eb_len,
>> + ef_len - EB_HEADSIZE));
>> + break;
>> + }
>> +- if (eb_id == EF_PKSZ64) {
>> +-
>> ++ if (eb_id == EF_PKSZ64)
>> ++ {
>> + int offset = EB_HEADSIZE;
>> +
>> +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize ==
>> 0xffffffff){
>> +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
>> +- offset += sizeof(G.crec.ucsize);
>> ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.csize == 0xffffffff || G.lrec.csize ==
>> 0xffffffff){
>> +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset
>> + ef_buf);
>> +- offset += sizeof(G.crec.csize);
>> ++
>> ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset
>> + ef_buf);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.relative_offset_local_header == 0xffffffff){
>> ++
>> ++ if (G.crec.relative_offset_local_header == Z64FLGL)
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> + G.crec.relative_offset_local_header = makeint64(offset +
>> ef_buf);
>> +- offset += sizeof(G.crec.relative_offset_local_header);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.disk_number_start == 0xffff){
>> ++
>> ++ if (G.crec.disk_number_start == Z64FLGS)
>> ++ {
>> ++ if (offset+ 4 > ef_len)
>> ++ return PK_ERR;
>> ++
>> + G.crec.disk_number_start = (zuvl_t)makelong(offset +
>> ef_buf);
>> +- offset += sizeof(G.crec.disk_number_start);
>> ++ offset += 4;
>> + }
>> ++#if 0
>> ++ break; /* Expect only one EF_PKSZ64 block. */
>> ++#endif /* 0 */
>> + }
>> +
>> +- /* Skip this extra field block */
>> ++ /* Skip this extra field block. */
>> + ef_buf += (eb_len + EB_HEADSIZE);
>> + ef_len -= (eb_len + EB_HEADSIZE);
>> + }
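Review bot: the new length tests (`if (offset+ 8 > ef_len)`, `if (offset+ 4 > ef_len)`) bound each read by ef_len, the remaining length of the whole extra field, not by this block's `eb_len + EB_HEADSIZE`. Combined with the `eb_len > (ef_len - EB_HEADSIZE)` check above, that does keep every read inside the buffer, which is what the CVE needs, but an EF_PKSZ64 block too short for the values it should carry is not rejected when another block follows it: csize or relative_offset_local_header is then read from the next block's id, length and data bytes. Bound against the block instead, e.g. `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;`. Two smaller points: the `#if 0 ... break; #endif` is dead code and should be either enabled or left out of the backport, and on each PK_ERR return the fields assigned earlier in the block (ucsize, then csize) remain modified, so the caller cannot treat the error as "nothing changed".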
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> new file mode 100644
>> index 0000000..b64dd99
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> @@ -0,0 +1,45 @@
>> +From: mancha <mancha1 AT zoho DOT com>
>> +Date: Mon, 3 Nov 2014
>> +Subject: Info-ZIP UnZip buffer overflow
>> +Bug-Debian: http://bugs.debian.org/776589
>> +
>> +By carefully crafting a corrupt ZIP archive with "extra fields" that
>> +purport to have compressed blocks larger than the corresponding
>> +uncompressed blocks in STORED no-compression mode, an attacker can
>> +trigger a heap overflow that can result in application crash or
>> +possibly have other unspecified impact.
>> +
>> +This patch ensures that when extra fields use STORED mode, the
>> +"compressed" and uncompressed block sizes match.
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size,
>> compr_offset, test_uc_ebdata)
>> + uch *eb_ucptr;
>> + int r;
>> + ush method;
>> ++ ush eb_compr_method;
>> +
>> + if (compr_offset < 4) /* field is not compressed: */
>> + return PK_OK; /* do nothing and signal OK */
>> +@@ -2244,6 +2245,14 @@
>> + ((eb_ucsize > 0L) && (eb_size <= (compr_offset +
>> EB_CMPRHEADLEN))))
>> + return IZ_EF_TRUNC; /* no/bad compressed data! */
>> +
>> ++ /* 2014-11-03 Michal Zalewski, SMS.
>> ++ * For STORE method, compressed and uncompressed sizes must agree.
>> ++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
>> ++ */
>> ++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
>> ++ if ((eb_compr_method == STORED) && (eb_size - compr_offset !=
>> eb_ucsize))
>> ++ return PK_ERR;
>> ++
>> + if (
>> + #ifdef INT_16BIT
>> + (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
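Review bot: confirm which length eb_ucsize must equal. The guard just above this hunk treats the compressed data as starting `EB_CMPRHEADLEN` bytes past compr_offset (`eb_size <= (compr_offset + EB_CMPRHEADLEN)`), so the STORED payload is `eb_size - compr_offset - EB_CMPRHEADLEN` bytes; if that is the quantity that must match eb_ucsize, the new test is off by EB_CMPRHEADLEN, rejecting an exact match while accepting a payload EB_CMPRHEADLEN bytes too large, which is the very case the patch header describes. Suggested form: `(eb_size - (compr_offset + EB_CMPRHEADLEN) != eb_ucsize)`. Note also that the context lines here (`== 0L`, `no/bad compressed data!`) are the form produced by 10-cve-2014-8140-test-compr-eb.patch, so this patch only applies after that one; say so in the header.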
>> diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb
>> b/meta/recipes-extended/unzip/unzip_6.0.bb
>> index 5060d35..b022f21 100644
>> --- a/meta/recipes-extended/unzip/unzip_6.0.bb
>> +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
>> @@ -11,6 +11,10 @@ SRC_URI =
>> "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
>> file://define-ldflags.patch \
>> file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
>> file://unzip-6.0_overflow3.diff \
>> + file://09-cve-2014-8139-crc-overflow.patch \
>> + file://10-cve-2014-8140-test-compr-eb.patch \
>> + file://11-cve-2014-8141-getzip64data.patch \
>> + file://12-cve-2014-9636-test-compr-eb.patch \
>> "
>>
>> SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
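Review bot: as akuster808 points out above, CVE-2014-9636 is already covered by commit c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1, so `12-cve-2014-9636-test-compr-eb.patch` duplicates a fix already in the recipe; either drop it or state in the commit message why the existing fix is insufficient and how the two interact. Ordering matters as well: 12- only applies on top of the context that 10- creates, so keep 10- listed before 12-.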
>>
>
>
--
Best Regards,
Roy | RongQing Li
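As an added illustration (this is not Info-ZIP code and is not part of the thread), here is the extra-field walk that the getZip64Data() fix is about, written so that each Zip64 value is bounded by its own EF_PKSZ64 block rather than by the remaining extra field. It also constructs three sample extra fields: a well-formed one, a Zip64 block that is too short but is followed by another block, and a block whose declared length exceeds the field. The function, type and constant names (ef_walk_zip64, zip64_info, the scenario helpers) and the sample bytes are this example's own, not unzip's.

```c
/* Added example, not Info-ZIP code: a bounds-checked walk over a ZIP "extra
 * field" that pulls Zip64 values out of an EF_PKSZ64 (0x0001) block. It does
 * the checks the backported getZip64Data() fix adds, but bounds each read by
 * the block's own length. All names and the sample fields are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EB_HEADSIZE 4            /* block id (2 bytes) + block length (2 bytes) */
#define EF_PKSZ64   0x0001       /* Zip64 extended information block id */
#define Z64FLGS     0xffffU      /* 16-bit "value is in the Zip64 block" sentinel */
#define Z64FLGL     0xffffffffUL /* 32-bit sentinel */

enum { EF_OK = 0, EF_TRUNC = 1 };
typedef struct {
    uint64_t ucsize, csize, local_hdr_offset;
    uint32_t disk_start;
} zip64_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk ef_buf[0..ef_len). Fields of *z holding the sentinel are filled from the
 * Zip64 block in format order. Returns EF_TRUNC when a block overruns the field
 * or a value overruns its block; a value is only read if it lies in the block. */
int ef_walk_zip64(const uint8_t *ef_buf, size_t ef_len, zip64_info *z)
{
    while (ef_len >= EB_HEADSIZE) {
        uint16_t eb_id  = rd16(ef_buf);
        uint16_t eb_len = rd16(ef_buf + 2);
        if (eb_len > ef_len - EB_HEADSIZE)     /* block claims more than exists */
            return EF_TRUNC;
        if (eb_id == EF_PKSZ64) {
            const uint8_t *p = ef_buf + EB_HEADSIZE;
            size_t left = eb_len;              /* bound on this block, not ef_len */
            if (z->ucsize == Z64FLGL) {
                if (left < 8) return EF_TRUNC;
                z->ucsize = rd64(p); p += 8; left -= 8;
            }
            if (z->csize == Z64FLGL) {
                if (left < 8) return EF_TRUNC;
                z->csize = rd64(p); p += 8; left -= 8;
            }
            if (z->local_hdr_offset == Z64FLGL) {
                if (left < 8) return EF_TRUNC;
                z->local_hdr_offset = rd64(p); p += 8; left -= 8;
            }
            if (z->disk_start == Z64FLGS) {
                if (left < 4) return EF_TRUNC;
                z->disk_start = rd32(p);
            }
        }
        ef_buf += EB_HEADSIZE + eb_len;        /* skip to the next block */
        ef_len -= EB_HEADSIZE + eb_len;
    }
    return EF_OK;
}

/* Constructed sample extra fields (not taken from any real archive). Each
 * scenario asks for ucsize and csize (sentinel set) and returns the walk's
 * status; z may be NULL when only the status matters. */
static size_t put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); return 2; }
static size_t put64(uint8_t *b, uint64_t v) { for (int i = 0; i < 8; i++) b[i] = (uint8_t)(v >> (8 * i)); return 8; }
static void want_sizes(zip64_info *z) { memset(z, 0, sizeof *z); z->ucsize = Z64FLGL; z->csize = Z64FLGL; }

/* Well-formed: one 16-byte EF_PKSZ64 block carrying ucsize and csize. */
int scenario_valid(zip64_info *z)
{
    uint8_t ef[32]; size_t n = 0; zip64_info tmp; if (!z) z = &tmp;
    n += put16(ef + n, EF_PKSZ64); n += put16(ef + n, 16);
    n += put64(ef + n, 0x100000000ULL); n += put64(ef + n, 0x200000000ULL);
    want_sizes(z);
    return ef_walk_zip64(ef, n, z);
}

/* Malformed: an 8-byte EF_PKSZ64 block (room for ucsize only) followed by an
 * unrelated 8-byte block. A bound on the whole remaining field (offset + 8 >
 * ef_len) passes here and takes csize from the neighbour; per-block bounding
 * rejects it. Note ucsize has already been written when EF_TRUNC is returned. */
int scenario_short_block_then_another(zip64_info *z)
{
    uint8_t ef[32]; size_t n = 0; zip64_info tmp; if (!z) z = &tmp;
    n += put16(ef + n, EF_PKSZ64); n += put16(ef + n, 8);
    n += put64(ef + n, 0x100000000ULL);
    n += put16(ef + n, 0x7075); n += put16(ef + n, 8);   /* some other block id */
    n += put64(ef + n, 0x4141414141414141ULL);
    want_sizes(z);
    return ef_walk_zip64(ef, n, z);
}

/* Malformed: block length claims 100 bytes but only 8 follow. */
int scenario_block_longer_than_field(zip64_info *z)
{
    uint8_t ef[16]; size_t n = 0; zip64_info tmp; if (!z) z = &tmp;
    n += put16(ef + n, EF_PKSZ64); n += put16(ef + n, 100); n += put64(ef + n, 0);
    want_sizes(z);
    return ef_walk_zip64(ef, n, z);
}

uint64_t scenario_valid_ucsize(void) { zip64_info z; scenario_valid(&z); return z.ucsize; }
uint64_t scenario_valid_csize(void)  { zip64_info z; scenario_valid(&z); return z.csize; }
```

Callers should discard the zip64_info whenever EF_TRUNC comes back: as in the patched getZip64Data(), a value read before the failing length check has already been assigned, which the second scenario shows (ucsize is set, csize is not).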
Thread overview (3+ messages):
2015-06-23 5:32 [PATCH] unzip: fix four CVE defects rongqing.li
2015-06-23 22:41 ` akuster808
2015-06-24 0:46 ` Rongqing Li [this message]