From: Joshua Lock <joshua.lock@collabora.co.uk>
To: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] unzip: CVE-2015-7696, CVE-2015-7697
Date: Thu, 5 Nov 2015 22:05:10 +0000
Message-ID: <563BD296.40408@collabora.co.uk>
In-Reply-To: <56318C62.1080101@gmail.com>
On 29/10/15 03:02, akuster808 wrote:
> Patches should apply to Fido and Dizzy. Both have the same version.
>
> Thanks for the patches.
Patch applies and I've pushed this change to my joshuagl/fido-next
branch of openembedded-core-contrib and am testing it now.
Thanks,
Joshua
1. http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
> regards,
> - armin
>
> On 10/28/2015 05:14 PM, Tudor Florea wrote:
>> CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
>> CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping
>>
>> References:
>> http://www.openwall.com/lists/oss-security/2015/10/11/5
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697
>>
>> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
>> ---
>> .../unzip/unzip/CVE-2015-7696.patch | 38 ++++++++++++++++++++++
>> .../unzip/unzip/CVE-2015-7697.patch | 31 ++++++++++++++++++
>> meta/recipes-extended/unzip/unzip_6.0.bb | 2 ++
>> 3 files changed, 71 insertions(+)
>> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
>> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
>>
>> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
>> new file mode 100644
>> index 0000000..ea93823
>> --- /dev/null
>> +++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
>> @@ -0,0 +1,38 @@
>> +Upstream-Status: Backport
>> +Signed-off-by: Tudor Florea <tudor.flore@enea.com>
>> +
>> +From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
>> +From: Petr Stodulka <pstodulk@redhat.com>
>> +Date: Mon, 14 Sep 2015 18:23:17 +0200
>> +Subject: [PATCH 1/2] upstream fix for heap overflow
>> +
>> +https://bugzilla.redhat.com/attachment.cgi?id=1073002
>> +---
>> + crypt.c | 12 +++++++++++-
>> + 1 file changed, 11 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/crypt.c b/crypt.c
>> +index 784e411..a8975f2 100644
>> +--- a/crypt.c
>> ++++ b/crypt.c
>> +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
>> + GLOBAL(pInfo->encrypted) = FALSE;
>> + defer_leftover_input(__G);
>> + for (n = 0; n < RAND_HEAD_LEN; n++) {
>> +- b = NEXTBYTE;
>> ++ /* 2012-11-23 SMS. (OUSPG report.)
>> ++ * Quit early if compressed size < HEAD_LEN. The resulting
>> ++ * error message ("unable to get password") could be improved,
>> ++ * but it's better than trying to read nonexistent data, and
>> ++ * then continuing with a negative G.csize. (See
>> ++ * fileio.c:readbyte()).
>> ++ */
>> ++ if ((b = NEXTBYTE) == (ush)EOF)
>> ++ {
>> ++ return PK_ERR;
>> ++ }
>> + h[n] = (uch)b;
>> + Trace((stdout, " (%02x)", h[n]));
>> + }
>> +--
>> +2.4.6
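Review bot: the new check `if ((b = NEXTBYTE) == (ush)EOF)` in the crypt.c loop only detects end of input if `b` is declared as `ush`; with an `int` `b`, the value stored at EOF would not compare equal to `(ush)EOF` and the early `return PK_ERR;` would never fire. The declaration of `b` is outside the hunk context, so please confirm it against the unzip 6.0 source this recipe builds. Separately, the Signed-off-by line at the top of the patch file gives tudor.flore@enea.com, while the commit itself is signed off as tudor.florea@enea.com; the same address appears in CVE-2015-7697.patch.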
>> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
>> new file mode 100644
>> index 0000000..da68988
>> --- /dev/null
>> +++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
>> @@ -0,0 +1,31 @@
>> +Upstream-Status: Backport
>> +Signed-off-by: Tudor Florea <tudor.flore@enea.com>
>> +
>> +From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
>> +From: Kamil Dudka <kdudka@redhat.com>
>> +Date: Mon, 14 Sep 2015 18:24:56 +0200
>> +Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
>> +
>> +---
>> + extract.c | 6 ++++++
>> + 1 file changed, 6 insertions(+)
>> +
>> +diff --git a/extract.c b/extract.c
>> +index 7134bfe..29db027 100644
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -2733,6 +2733,12 @@ __GDEF
>> + int repeated_buf_err;
>> + bz_stream bstrm;
>> +
>> ++ if (G.incnt <= 0 && G.csize <= 0L) {
>> ++ /* avoid an infinite loop */
>> ++ Trace((stderr, "UZbunzip2() got empty input\n"));
>> ++ return 2;
>> ++ }
>> ++
>> + #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
>> + if (G.redirect_slide)
>> + wsize = G.redirect_size, redirSlide = G.redirect_buffer;
>> +--
>> +2.4.6
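Review bot: the embedded patch header for the extract.c change has an empty body below its Subject line: it names neither CVE-2015-7697 nor the place it was backported from, whereas the CVE-2015-7696 patch at least links its Bugzilla attachment. With `Upstream-Status: Backport`, a reader needs that reference to check the backport, so add the source URL and the CVE id to the header. In the added block itself, `return 2;` is a bare number; a short comment saying which error that value signals to the caller of UZbunzip2() would help, since the other fix returns the named `PK_ERR`.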
>> diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
>> index 4a0a713..9e63d3a 100644
>> --- a/meta/recipes-extended/unzip/unzip_6.0.bb
>> +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
>> @@ -14,6 +14,8 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
>> file://09-cve-2014-8139-crc-overflow.patch \
>> file://10-cve-2014-8140-test-compr-eb.patch \
>> file://11-cve-2014-8141-getzip64data.patch \
>> + file://CVE-2015-7696.patch \
>> + file://CVE-2015-7697.patch \
>> "
>>
>> SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
>>
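Review bot: the two new SRC_URI entries, `CVE-2015-7696.patch` and `CVE-2015-7697.patch`, break the naming pattern of the entries just above them, which carry a numeric prefix, a lowercase CVE id and a short description (`11-cve-2014-8141-getzip64data.patch`). Renaming them to continue that sequence would keep the apply order obvious from the file names; the diffstat and `create mode` lines would change accordingly.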