* [PATCH] unzip: fix four CVE defects
@ 2015-06-23 5:32 rongqing.li
2015-06-23 22:41 ` akuster808
0 siblings, 1 reply; 3+ messages in thread
From: rongqing.li @ 2015-06-23 5:32 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++
.../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++
.../unzip/11-cve-2014-8141-getzip64data.patch | 144 +++++++++++++++++++++
.../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++
meta/recipes-extended/unzip/unzip_6.0.bb | 4 +
5 files changed, 278 insertions(+)
create mode 100644 meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
create mode 100644 meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
create mode 100644 meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
create mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
new file mode 100644
index 0000000..e137f0d
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
new file mode 100644
index 0000000..edc7d51
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,33 @@
+From: sms
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2232,10 +2232,17 @@
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
new file mode 100644
index 0000000..d0c1db3
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
new file mode 100644
index 0000000..b64dd99
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,45 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ uch *eb_ucptr;
+ int r;
+ ush method;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2014-11-03 Michal Zalewski, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 5060d35..b022f21 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://define-ldflags.patch \
file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
file://unzip-6.0_overflow3.diff \
+ file://09-cve-2014-8139-crc-overflow.patch \
+ file://10-cve-2014-8140-test-compr-eb.patch \
+ file://11-cve-2014-8141-getzip64data.patch \
+ file://12-cve-2014-9636-test-compr-eb.patch \
"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] unzip: fix four CVE defects
2015-06-23 5:32 [PATCH] unzip: fix four CVE defects rongqing.li
@ 2015-06-23 22:41 ` akuster808
2015-06-24 0:46 ` Rongqing Li
0 siblings, 1 reply; 3+ messages in thread
From: akuster808 @ 2015-06-23 22:41 UTC (permalink / raw)
To: rongqing.li, openembedded-core
CVE-2014-9636 is also mentioned in commit
c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1
unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
can you clarify why its on both places?
- armin
On 06/22/2015 10:32 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
> cve-2014-8139
> cve-2014-8140
> cve-2014-8141
> cve-2014-9636
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> .../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++
> .../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++
> .../unzip/11-cve-2014-8141-getzip64data.patch | 144 +++++++++++++++++++++
> .../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++
> meta/recipes-extended/unzip/unzip_6.0.bb | 4 +
> 5 files changed, 278 insertions(+)
> create mode 100644 meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>
> diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
> new file mode 100644
> index 0000000..e137f0d
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
> @@ -0,0 +1,52 @@
> +From: sms
> +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
> +Bug-Debian: http://bugs.debian.org/773722
> +
> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +
> +--- a/extract.c
> ++++ b/extract.c
> +@@ -298,6 +298,8 @@
> + #ifndef SFX
> + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
> + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
> ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
> ++ EF block length (%u bytes) invalid (< %d)\n";
> + static ZCONST char Far InvalidComprDataEAs[] =
> + " invalid compressed data for EAs\n";
> + # if (defined(WIN32) && defined(NTSD_EAS))
> +@@ -2023,7 +2025,8 @@
> + ebID = makeword(ef);
> + ebLen = (unsigned)makeword(ef+EB_LEN);
> +
> +- if (ebLen > (ef_len - EB_HEADSIZE)) {
> ++ if (ebLen > (ef_len - EB_HEADSIZE))
> ++ {
> + /* Discovered some extra field inconsistency! */
> + if (uO.qflag)
> + Info(slide, 1, ((char *)slide, "%-22s ",
> +@@ -2158,11 +2161,19 @@
> + }
> + break;
> + case EF_PKVMS:
> +- if (makelong(ef+EB_HEADSIZE) !=
> ++ if (ebLen < 4)
> ++ {
> ++ Info(slide, 1,
> ++ ((char *)slide, LoadFarString(TooSmallEBlength),
> ++ ebLen, 4));
> ++ }
> ++ else if (makelong(ef+EB_HEADSIZE) !=
> + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
> + (extent)(ebLen-4)))
> ++ {
> + Info(slide, 1, ((char *)slide,
> + LoadFarString(BadCRC_EAs)));
> ++ }
> + break;
> + case EF_PKW32:
> + case EF_PKUNIX:
> diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
> new file mode 100644
> index 0000000..edc7d51
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
> @@ -0,0 +1,33 @@
> +From: sms
> +Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
> +Bug-Debian: http://bugs.debian.org/773722
> +
> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +
> +--- a/extract.c
> ++++ b/extract.c
> +@@ -2232,10 +2232,17 @@
> + if (compr_offset < 4) /* field is not compressed: */
> + return PK_OK; /* do nothing and signal OK */
> +
> ++ /* Return no/bad-data error status if any problem is found:
> ++ * 1. eb_size is too small to hold the uncompressed size
> ++ * (eb_ucsize). (Else extract eb_ucsize.)
> ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
> ++ * 3. eb_ucsize is positive, but eb_size is too small to hold
> ++ * the compressed data header.
> ++ */
> + if ((eb_size < (EB_UCSIZE_P + 4)) ||
> +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
> +- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
> +- return IZ_EF_TRUNC; /* no compressed data! */
> ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
> ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
> ++ return IZ_EF_TRUNC; /* no/bad compressed data! */
> +
> + if (
> + #ifdef INT_16BIT
> diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
> new file mode 100644
> index 0000000..d0c1db3
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
> @@ -0,0 +1,144 @@
> +From: sms
> +Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
> +Bug-Debian: http://bugs.debian.org/773722
> +
> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +
> +
> +--- a/fileio.c
> ++++ b/fileio.c
> +@@ -176,6 +176,8 @@
> + #endif
> + static ZCONST char Far ExtraFieldTooLong[] =
> + "warning: extra field too long (%d). Ignoring...\n";
> ++static ZCONST char Far ExtraFieldCorrupt[] =
> ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
> +
> + #ifdef WINDLL
> + static ZCONST char Far DiskFullQuery[] =
> +@@ -2295,7 +2297,12 @@
> + if (readbuf(__G__ (char *)G.extra_field, length) == 0)
> + return PK_EOF;
> + /* Looks like here is where extra fields are read */
> +- getZip64Data(__G__ G.extra_field, length);
> ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
> ++ {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
> ++ error = PK_WARN;
> ++ }
> + #ifdef UNICODE_SUPPORT
> + G.unipath_filename = NULL;
> + if (G.UzO.U_flag < 2) {
> +--- a/process.c
> ++++ b/process.c
> +@@ -1,5 +1,5 @@
> + /*
> +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
> ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
> +
> + See the accompanying file LICENSE, version 2009-Jan-02 or later
> + (the contents of which are also included in unzip.h) for terms of use.
> +@@ -1901,48 +1901,82 @@
> + and a 4-byte version of disk start number.
> + Sets both local header and central header fields. Not terribly clever,
> + but it means that this procedure is only called in one place.
> ++
> ++ 2014-12-05 SMS.
> ++ Added checks to ensure that enough data are available before calling
> ++ makeint64() or makelong(). Replaced various sizeof() values with
> ++ simple ("4" or "8") constants. (The Zip64 structures do not depend
> ++ on our variable sizes.) Error handling is crude, but we should now
> ++ stay within the buffer.
> + ---------------------------------------------------------------------------*/
> +
> ++#define Z64FLGS 0xffff
> ++#define Z64FLGL 0xffffffff
> ++
> + if (ef_len == 0 || ef_buf == NULL)
> + return PK_COOL;
> +
> + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
> + ef_len));
> +
> +- while (ef_len >= EB_HEADSIZE) {
> ++ while (ef_len >= EB_HEADSIZE)
> ++ {
> + eb_id = makeword(EB_ID + ef_buf);
> + eb_len = makeword(EB_LEN + ef_buf);
> +
> +- if (eb_len > (ef_len - EB_HEADSIZE)) {
> +- /* discovered some extra field inconsistency! */
> ++ if (eb_len > (ef_len - EB_HEADSIZE))
> ++ {
> ++ /* Extra block length exceeds remaining extra field length. */
> + Trace((stderr,
> + "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
> + ef_len - EB_HEADSIZE));
> + break;
> + }
> +- if (eb_id == EF_PKSZ64) {
> +-
> ++ if (eb_id == EF_PKSZ64)
> ++ {
> + int offset = EB_HEADSIZE;
> +
> +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
> +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
> +- offset += sizeof(G.crec.ucsize);
> ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
> ++ {
> ++ if (offset+ 8 > ef_len)
> ++ return PK_ERR;
> ++
> ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
> ++ offset += 8;
> + }
> +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
> +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
> +- offset += sizeof(G.crec.csize);
> ++
> ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
> ++ {
> ++ if (offset+ 8 > ef_len)
> ++ return PK_ERR;
> ++
> ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
> ++ offset += 8;
> + }
> +- if (G.crec.relative_offset_local_header == 0xffffffff){
> ++
> ++ if (G.crec.relative_offset_local_header == Z64FLGL)
> ++ {
> ++ if (offset+ 8 > ef_len)
> ++ return PK_ERR;
> ++
> + G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
> +- offset += sizeof(G.crec.relative_offset_local_header);
> ++ offset += 8;
> + }
> +- if (G.crec.disk_number_start == 0xffff){
> ++
> ++ if (G.crec.disk_number_start == Z64FLGS)
> ++ {
> ++ if (offset+ 4 > ef_len)
> ++ return PK_ERR;
> ++
> + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
> +- offset += sizeof(G.crec.disk_number_start);
> ++ offset += 4;
> + }
> ++#if 0
> ++ break; /* Expect only one EF_PKSZ64 block. */
> ++#endif /* 0 */
> + }
> +
> +- /* Skip this extra field block */
> ++ /* Skip this extra field block. */
> + ef_buf += (eb_len + EB_HEADSIZE);
> + ef_len -= (eb_len + EB_HEADSIZE);
> + }
> diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
> new file mode 100644
> index 0000000..b64dd99
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
> @@ -0,0 +1,45 @@
> +From: mancha <mancha1 AT zoho DOT com>
> +Date: Mon, 3 Nov 2014
> +Subject: Info-ZIP UnZip buffer overflow
> +Bug-Debian: http://bugs.debian.org/776589
> +
> +By carefully crafting a corrupt ZIP archive with "extra fields" that
> +purport to have compressed blocks larger than the corresponding
> +uncompressed blocks in STORED no-compression mode, an attacker can
> +trigger a heap overflow that can result in application crash or
> +possibly have other unspecified impact.
> +
> +This patch ensures that when extra fields use STORED mode, the
> +"compressed" and uncompressed block sizes match.
> +
> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +
> +--- a/extract.c
> ++++ b/extract.c
> +@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
> + uch *eb_ucptr;
> + int r;
> + ush method;
> ++ ush eb_compr_method;
> +
> + if (compr_offset < 4) /* field is not compressed: */
> + return PK_OK; /* do nothing and signal OK */
> +@@ -2244,6 +2245,14 @@
> + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
> + return IZ_EF_TRUNC; /* no/bad compressed data! */
> +
> ++ /* 2014-11-03 Michal Zalewski, SMS.
> ++ * For STORE method, compressed and uncompressed sizes must agree.
> ++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
> ++ */
> ++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
> ++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
> ++ return PK_ERR;
> ++
> + if (
> + #ifdef INT_16BIT
> + (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
> diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
> index 5060d35..b022f21 100644
> --- a/meta/recipes-extended/unzip/unzip_6.0.bb
> +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
> @@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
> file://define-ldflags.patch \
> file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
> file://unzip-6.0_overflow3.diff \
> + file://09-cve-2014-8139-crc-overflow.patch \
> + file://10-cve-2014-8140-test-compr-eb.patch \
> + file://11-cve-2014-8141-getzip64data.patch \
> + file://12-cve-2014-9636-test-compr-eb.patch \
> "
>
> SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] unzip: fix four CVE defects
2015-06-23 22:41 ` akuster808
@ 2015-06-24 0:46 ` Rongqing Li
0 siblings, 0 replies; 3+ messages in thread
From: Rongqing Li @ 2015-06-24 0:46 UTC (permalink / raw)
To: akuster808, openembedded-core
On 2015年06月24日 06:41, akuster808 wrote:
> CVE-2014-9636 is also mentioned in commit
>
> c9ec5427609f084d9cbfb7336777fe1e3d0f3ef1
> unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
>
> can you clarify why its on both places?
>
sorry, it is duplicated, but I did not know why it can
be applied, I will resend it
thanks
-R
> - armin
>
> On 06/22/2015 10:32 PM, rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
>> cve-2014-8139
>> cve-2014-8140
>> cve-2014-8141
>> cve-2014-9636
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> ---
>> .../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++
>> .../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++
>> .../unzip/11-cve-2014-8141-getzip64data.patch | 144
>> +++++++++++++++++++++
>> .../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++
>> meta/recipes-extended/unzip/unzip_6.0.bb | 4 +
>> 5 files changed, 278 insertions(+)
>> create mode 100644
>> meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>> create mode 100644
>> meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> create mode 100644
>> meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>> create mode 100644
>> meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>>
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>>
>> new file mode 100644
>> index 0000000..e137f0d
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
>> @@ -0,0 +1,52 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -298,6 +298,8 @@
>> + #ifndef SFX
>> + static ZCONST char Far InconsistEFlength[] = "bad extra-field
>> entry:\n \
>> + EF block length (%u bytes) exceeds remaining EF data (%u
>> bytes)\n";
>> ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field
>> entry:\n \
>> ++ EF block length (%u bytes) invalid (< %d)\n";
>> + static ZCONST char Far InvalidComprDataEAs[] =
>> + " invalid compressed data for EAs\n";
>> + # if (defined(WIN32) && defined(NTSD_EAS))
>> +@@ -2023,7 +2025,8 @@
>> + ebID = makeword(ef);
>> + ebLen = (unsigned)makeword(ef+EB_LEN);
>> +
>> +- if (ebLen > (ef_len - EB_HEADSIZE)) {
>> ++ if (ebLen > (ef_len - EB_HEADSIZE))
>> ++ {
>> + /* Discovered some extra field inconsistency! */
>> + if (uO.qflag)
>> + Info(slide, 1, ((char *)slide, "%-22s ",
>> +@@ -2158,11 +2161,19 @@
>> + }
>> + break;
>> + case EF_PKVMS:
>> +- if (makelong(ef+EB_HEADSIZE) !=
>> ++ if (ebLen < 4)
>> ++ {
>> ++ Info(slide, 1,
>> ++ ((char *)slide, LoadFarString(TooSmallEBlength),
>> ++ ebLen, 4));
>> ++ }
>> ++ else if (makelong(ef+EB_HEADSIZE) !=
>> + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
>> + (extent)(ebLen-4)))
>> ++ {
>> + Info(slide, 1, ((char *)slide,
>> + LoadFarString(BadCRC_EAs)));
>> ++ }
>> + break;
>> + case EF_PKW32:
>> + case EF_PKUNIX:
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> new file mode 100644
>> index 0000000..edc7d51
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
>> @@ -0,0 +1,33 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -2232,10 +2232,17 @@
>> + if (compr_offset < 4) /* field is not compressed: */
>> + return PK_OK; /* do nothing and signal OK */
>> +
>> ++ /* Return no/bad-data error status if any problem is found:
>> ++ * 1. eb_size is too small to hold the uncompressed size
>> ++ * (eb_ucsize). (Else extract eb_ucsize.)
>> ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
>> ++ * 3. eb_ucsize is positive, but eb_size is too small to hold
>> ++ * the compressed data header.
>> ++ */
>> + if ((eb_size < (EB_UCSIZE_P + 4)) ||
>> +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
>> +- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
>> +- return IZ_EF_TRUNC; /* no compressed data! */
>> ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
>> ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset +
>> EB_CMPRHEADLEN))))
>> ++ return IZ_EF_TRUNC; /* no/bad compressed data! */
>> +
>> + if (
>> + #ifdef INT_16BIT
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>>
>> new file mode 100644
>> index 0000000..d0c1db3
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
>> @@ -0,0 +1,144 @@
>> +From: sms
>> +Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
>> +Bug-Debian: http://bugs.debian.org/773722
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +
>> +--- a/fileio.c
>> ++++ b/fileio.c
>> +@@ -176,6 +176,8 @@
>> + #endif
>> + static ZCONST char Far ExtraFieldTooLong[] =
>> + "warning: extra field too long (%d). Ignoring...\n";
>> ++static ZCONST char Far ExtraFieldCorrupt[] =
>> ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
>> +
>> + #ifdef WINDLL
>> + static ZCONST char Far DiskFullQuery[] =
>> +@@ -2295,7 +2297,12 @@
>> + if (readbuf(__G__ (char *)G.extra_field, length) == 0)
>> + return PK_EOF;
>> + /* Looks like here is where extra fields are read */
>> +- getZip64Data(__G__ G.extra_field, length);
>> ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
>> ++ {
>> ++ Info(slide, 0x401, ((char *)slide,
>> ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
>> ++ error = PK_WARN;
>> ++ }
>> + #ifdef UNICODE_SUPPORT
>> + G.unipath_filename = NULL;
>> + if (G.UzO.U_flag < 2) {
>> +--- a/process.c
>> ++++ b/process.c
>> +@@ -1,5 +1,5 @@
>> + /*
>> +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
>> ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
>> +
>> + See the accompanying file LICENSE, version 2009-Jan-02 or later
>> + (the contents of which are also included in unzip.h) for terms of
>> use.
>> +@@ -1901,48 +1901,82 @@
>> + and a 4-byte version of disk start number.
>> + Sets both local header and central header fields. Not terribly
>> clever,
>> + but it means that this procedure is only called in one place.
>> ++
>> ++ 2014-12-05 SMS.
>> ++ Added checks to ensure that enough data are available before
>> calling
>> ++ makeint64() or makelong(). Replaced various sizeof() values with
>> ++ simple ("4" or "8") constants. (The Zip64 structures do not depend
>> ++ on our variable sizes.) Error handling is crude, but we should now
>> ++ stay within the buffer.
>> +
>> ---------------------------------------------------------------------------*/
>>
>> +
>> ++#define Z64FLGS 0xffff
>> ++#define Z64FLGL 0xffffffff
>> ++
>> + if (ef_len == 0 || ef_buf == NULL)
>> + return PK_COOL;
>> +
>> + Trace((stderr,"\ngetZip64Data: scanning extra field of length
>> %u\n",
>> + ef_len));
>> +
>> +- while (ef_len >= EB_HEADSIZE) {
>> ++ while (ef_len >= EB_HEADSIZE)
>> ++ {
>> + eb_id = makeword(EB_ID + ef_buf);
>> + eb_len = makeword(EB_LEN + ef_buf);
>> +
>> +- if (eb_len > (ef_len - EB_HEADSIZE)) {
>> +- /* discovered some extra field inconsistency! */
>> ++ if (eb_len > (ef_len - EB_HEADSIZE))
>> ++ {
>> ++ /* Extra block length exceeds remaining extra field
>> length. */
>> + Trace((stderr,
>> + "getZip64Data: block length %u > rest ef_size %u\n",
>> eb_len,
>> + ef_len - EB_HEADSIZE));
>> + break;
>> + }
>> +- if (eb_id == EF_PKSZ64) {
>> +-
>> ++ if (eb_id == EF_PKSZ64)
>> ++ {
>> + int offset = EB_HEADSIZE;
>> +
>> +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize ==
>> 0xffffffff){
>> +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
>> +- offset += sizeof(G.crec.ucsize);
>> ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.csize == 0xffffffff || G.lrec.csize ==
>> 0xffffffff){
>> +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset
>> + ef_buf);
>> +- offset += sizeof(G.crec.csize);
>> ++
>> ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset
>> + ef_buf);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.relative_offset_local_header == 0xffffffff){
>> ++
>> ++ if (G.crec.relative_offset_local_header == Z64FLGL)
>> ++ {
>> ++ if (offset+ 8 > ef_len)
>> ++ return PK_ERR;
>> ++
>> + G.crec.relative_offset_local_header = makeint64(offset +
>> ef_buf);
>> +- offset += sizeof(G.crec.relative_offset_local_header);
>> ++ offset += 8;
>> + }
>> +- if (G.crec.disk_number_start == 0xffff){
>> ++
>> ++ if (G.crec.disk_number_start == Z64FLGS)
>> ++ {
>> ++ if (offset+ 4 > ef_len)
>> ++ return PK_ERR;
>> ++
>> + G.crec.disk_number_start = (zuvl_t)makelong(offset +
>> ef_buf);
>> +- offset += sizeof(G.crec.disk_number_start);
>> ++ offset += 4;
>> + }
>> ++#if 0
>> ++ break; /* Expect only one EF_PKSZ64 block. */
>> ++#endif /* 0 */
>> + }
>> +
>> +- /* Skip this extra field block */
>> ++ /* Skip this extra field block. */
>> + ef_buf += (eb_len + EB_HEADSIZE);
>> + ef_len -= (eb_len + EB_HEADSIZE);
>> + }
>> diff --git
>> a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> new file mode 100644
>> index 0000000..b64dd99
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
>> @@ -0,0 +1,45 @@
>> +From: mancha <mancha1 AT zoho DOT com>
>> +Date: Mon, 3 Nov 2014
>> +Subject: Info-ZIP UnZip buffer overflow
>> +Bug-Debian: http://bugs.debian.org/776589
>> +
>> +By carefully crafting a corrupt ZIP archive with "extra fields" that
>> +purport to have compressed blocks larger than the corresponding
>> +uncompressed blocks in STORED no-compression mode, an attacker can
>> +trigger a heap overflow that can result in application crash or
>> +possibly have other unspecified impact.
>> +
>> +This patch ensures that when extra fields use STORED mode, the
>> +"compressed" and uncompressed block sizes match.
>> +
>> +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
>> +
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +
>> +--- a/extract.c
>> ++++ b/extract.c
>> +@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size,
>> compr_offset, test_uc_ebdata)
>> + uch *eb_ucptr;
>> + int r;
>> + ush method;
>> ++ ush eb_compr_method;
>> +
>> + if (compr_offset < 4) /* field is not compressed: */
>> + return PK_OK; /* do nothing and signal OK */
>> +@@ -2244,6 +2245,14 @@
>> + ((eb_ucsize > 0L) && (eb_size <= (compr_offset +
>> EB_CMPRHEADLEN))))
>> + return IZ_EF_TRUNC; /* no/bad compressed data! */
>> +
>> ++ /* 2014-11-03 Michal Zalewski, SMS.
>> ++ * For STORE method, compressed and uncompressed sizes must agree.
>> ++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
>> ++ */
>> ++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
>> ++ if ((eb_compr_method == STORED) && (eb_size - compr_offset !=
>> eb_ucsize))
>> ++ return PK_ERR;
>> ++
>> + if (
>> + #ifdef INT_16BIT
>> + (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
>> diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb
>> b/meta/recipes-extended/unzip/unzip_6.0.bb
>> index 5060d35..b022f21 100644
>> --- a/meta/recipes-extended/unzip/unzip_6.0.bb
>> +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
>> @@ -11,6 +11,10 @@ SRC_URI =
>> "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
>> file://define-ldflags.patch \
>> file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
>> file://unzip-6.0_overflow3.diff \
>> + file://09-cve-2014-8139-crc-overflow.patch \
>> + file://10-cve-2014-8140-test-compr-eb.patch \
>> + file://11-cve-2014-8141-getzip64data.patch \
>> + file://12-cve-2014-9636-test-compr-eb.patch \
>> "
>>
>> SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
>>
>
>
--
Best Reagrds,
Roy | RongQing Li
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-06-24 0:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-06-23 5:32 [PATCH] unzip: fix four CVE defects rongqing.li
2015-06-23 22:41 ` akuster808
2015-06-24 0:46 ` Rongqing Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox