From 2bf9165f5db5edd946a064dc5e877f97817dbae0 Mon Sep 17 00:00:00 2001 From: Roy Li Date: Tue, 23 Jun 2015 13:32:06 +0800 Subject: unzip: fix four CVE defects Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix: cve-2014-8139 cve-2014-8140 cve-2014-8141 cve-2014-9636 Signed-off-by: Roy Li Signed-off-by: Ross Burton --- .../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++ .../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++ .../unzip/11-cve-2014-8141-getzip64data.patch | 144 +++++++++++++++++++++ .../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++ meta/recipes-extended/unzip/unzip_6.0.bb | 4 + 5 files changed, 278 insertions(+) create mode 100644 meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch create mode 100644 meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch create mode 100644 meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch create mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch new file mode 100644 index 0000000000..e137f0dc76 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch @@ -0,0 +1,52 @@ +From: sms +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow +Bug-Debian: http://bugs.debian.org/773722 + +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz + +Upstream-Status: Backport + +Signed-off-by: Roy Li + +--- a/extract.c ++++ b/extract.c +@@ -298,6 +298,8 @@ + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2023,7 +2025,8 @@ + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2158,11 +2161,19 @@ + } + break; + case EF_PKVMS: +- if (makelong(ef+EB_HEADSIZE) != ++ if (ebLen < 4) ++ { ++ Info(slide, 1, ++ ((char *)slide, LoadFarString(TooSmallEBlength), ++ ebLen, 4)); ++ } ++ else if (makelong(ef+EB_HEADSIZE) != + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), + (extent)(ebLen-4))) ++ { + Info(slide, 1, ((char *)slide, + LoadFarString(BadCRC_EAs))); ++ } + break; + case EF_PKW32: + case EF_PKUNIX: diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 0000000000..edc7d515b0 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch @@ -0,0 +1,33 @@ +From: sms +Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() +Bug-Debian: http://bugs.debian.org/773722 + +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz + +Upstream-Status: Backport + +Signed-off-by: Roy Li + +--- a/extract.c ++++ b/extract.c +@@ -2232,10 +2232,17 @@ + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ + ++ /* Return no/bad-data error status if any problem is found: ++ * 1. eb_size is too small to hold the uncompressed size ++ * (eb_ucsize). (Else extract eb_ucsize.) ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. ++ * 3. eb_ucsize is positive, but eb_size is too small to hold ++ * the compressed data header. ++ */ + if ((eb_size < (EB_UCSIZE_P + 4)) || +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && +- eb_size <= (compr_offset + EB_CMPRHEADLEN))) +- return IZ_EF_TRUNC; /* no compressed data! */ ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) ++ return IZ_EF_TRUNC; /* no/bad compressed data! */ + + if ( + #ifdef INT_16BIT diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch new file mode 100644 index 0000000000..d0c1db3925 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch @@ -0,0 +1,144 @@ +From: sms +Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() +Bug-Debian: http://bugs.debian.org/773722 + +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz + +Upstream-Status: Backport + +Signed-off-by: Roy Li + + +--- a/fileio.c ++++ b/fileio.c +@@ -176,6 +176,8 @@ + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; ++static ZCONST char Far ExtraFieldCorrupt[] = ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; + + #ifdef WINDLL + static ZCONST char Far DiskFullQuery[] = +@@ -2295,7 +2297,12 @@ + if (readbuf(__G__ (char *)G.extra_field, length) == 0) + return PK_EOF; + /* Looks like here is where extra fields are read */ +- getZip64Data(__G__ G.extra_field, length); ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) ++ { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); ++ error = PK_WARN; ++ } + #ifdef UNICODE_SUPPORT + G.unipath_filename = NULL; + if (G.UzO.U_flag < 2) { +--- a/process.c ++++ b/process.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1901,48 +1901,82 @@ + and a 4-byte version of disk start number. + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. ++ ++ 2014-12-05 SMS. ++ Added checks to ensure that enough data are available before calling ++ makeint64() or makelong(). Replaced various sizeof() values with ++ simple ("4" or "8") constants. (The Zip64 structures do not depend ++ on our variable sizes.) Error handling is crude, but we should now ++ stay within the buffer. + ---------------------------------------------------------------------------*/ + ++#define Z64FLGS 0xffff ++#define Z64FLGL 0xffffffff ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", + ef_len)); + +- while (ef_len >= EB_HEADSIZE) { ++ while (ef_len >= EB_HEADSIZE) ++ { + eb_id = makeword(EB_ID + ef_buf); + eb_len = makeword(EB_LEN + ef_buf); + +- if (eb_len > (ef_len - EB_HEADSIZE)) { +- /* discovered some extra field inconsistency! */ ++ if (eb_len > (ef_len - EB_HEADSIZE)) ++ { ++ /* Extra block length exceeds remaining extra field length. */ + Trace((stderr, + "getZip64Data: block length %u > rest ef_size %u\n", eb_len, + ef_len - EB_HEADSIZE)); + break; + } +- if (eb_id == EF_PKSZ64) { +- ++ if (eb_id == EF_PKSZ64) ++ { + int offset = EB_HEADSIZE; + +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.ucsize); ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.csize); ++ ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.relative_offset_local_header == 0xffffffff){ ++ ++ if (G.crec.relative_offset_local_header == Z64FLGL) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.relative_offset_local_header); ++ offset += 8; + } +- if (G.crec.disk_number_start == 0xffff){ ++ ++ if (G.crec.disk_number_start == Z64FLGS) ++ { ++ if (offset+ 4 > ef_len) ++ return PK_ERR; ++ + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); +- offset += sizeof(G.crec.disk_number_start); ++ offset += 4; + } ++#if 0 ++ break; /* Expect only one EF_PKSZ64 block. */ ++#endif /* 0 */ + } + +- /* Skip this extra field block */ ++ /* Skip this extra field block. */ + ef_buf += (eb_len + EB_HEADSIZE); + ef_len -= (eb_len + EB_HEADSIZE); + } diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch new file mode 100644 index 0000000000..b64dd99244 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch @@ -0,0 +1,45 @@ +From: mancha +Date: Mon, 3 Nov 2014 +Subject: Info-ZIP UnZip buffer overflow +Bug-Debian: http://bugs.debian.org/776589 + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. + +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz + +Upstream-Status: Backport + +Signed-off-by: Roy Li + +--- a/extract.c ++++ b/extract.c +@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + uch *eb_ucptr; + int r; + ush method; ++ ush eb_compr_method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2244,6 +2245,14 @@ + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ + ++ /* 2014-11-03 Michal Zalewski, SMS. ++ * For STORE method, compressed and uncompressed sizes must agree. ++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 ++ */ ++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); ++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize)) ++ return PK_ERR; ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 5060d35546..b022f21844 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \ file://define-ldflags.patch \ file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ file://unzip-6.0_overflow3.diff \ + file://09-cve-2014-8139-crc-overflow.patch \ + file://10-cve-2014-8140-test-compr-eb.patch \ + file://11-cve-2014-8141-getzip64data.patch \ + file://12-cve-2014-9636-test-compr-eb.patch \ " SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" -- cgit 1.2.3-korg