diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-06-23 13:32:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-06-26 14:08:03 +0100 |
commit | 5e9f29b1c212f7a067772699e7fc9b6e233baa34 (patch) | |
tree | 6e6d6efcbf0f6b7408256b11014593d844c434f2 /meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch | |
parent | 496b3ffba6755bb76709c88cf81399c9d23f830a (diff) | |
download | openembedded-core-contrib-5e9f29b1c212f7a067772699e7fc9b6e233baa34.tar.gz |
unzip: fix four CVE defects
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch new file mode 100644 index 0000000000..e137f0dc76 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch @@ -0,0 +1,52 @@ +From: sms +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow +Bug-Debian: http://bugs.debian.org/773722 + +The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz + +Upstream-Status: Backport + +Signed-off-by: Roy Li <rongqing.li@windriver.com> + +--- a/extract.c ++++ b/extract.c +@@ -298,6 +298,8 @@ + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2023,7 +2025,8 @@ + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2158,11 +2161,19 @@ + } + break; + case EF_PKVMS: +- if (makelong(ef+EB_HEADSIZE) != ++ if (ebLen < 4) ++ { ++ Info(slide, 1, ++ ((char *)slide, LoadFarString(TooSmallEBlength), ++ ebLen, 4)); ++ } ++ else if (makelong(ef+EB_HEADSIZE) != + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), + (extent)(ebLen-4))) ++ { + Info(slide, 1, ((char *)slide, + LoadFarString(BadCRC_EAs))); ++ } + break; + case EF_PKW32: + case EF_PKUNIX: |