diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2015-10-13 14:58:28 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-10-13 14:58:28 +0000 |
commit | 9eef5b5c734653c8e3a23a789fdefd2edb0f895e (patch) | |
tree | df89cdbb7e47b8232b0681c6dcd1fd92f40a6a2a /main/unzip | |
parent | 1af3513c36a0040c0f09f9d448890656004204d9 (diff) | |
download | aports-9eef5b5c734653c8e3a23a789fdefd2edb0f895e.tar.bz2 aports-9eef5b5c734653c8e3a23a789fdefd2edb0f895e.tar.xz |
main/unzip: heap overflow and DoS security fix
Diffstat (limited to 'main/unzip')
-rw-r--r-- | main/unzip/APKBUILD | 13 | ||||
-rw-r--r-- | main/unzip/unzip-6.0-heap-overflow-infloop.patch | 104 |
2 files changed, 113 insertions, 4 deletions
diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD index 00ae25fd74..b93e5930f1 100644 --- a/main/unzip/APKBUILD +++ b/main/unzip/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=unzip pkgver=6.0 -pkgrel=0 +pkgrel=1 pkgdesc="Extract PKZIP-compatible .zip files" url="http://www.info-zip.org/UnZip.html" arch="all" @@ -12,6 +12,8 @@ subpackages="$pkgname-doc" source="ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip 10-unzip-handle-pkware-verify.patch 20-unzip-uidgid-fix.patch + unzip-6.0-heap-overflow-infloop.patch + " _builddir="$srcdir"/${pkgname}60 @@ -38,10 +40,13 @@ package() { md5sums="85da5203f01ab0b9403efef3b9bb4010 unzip60.zip b860a1557b48b2c3fa52541f9260ed72 10-unzip-handle-pkware-verify.patch -3de9dee957cb83615cdcb165375d00bd 20-unzip-uidgid-fix.patch" +3de9dee957cb83615cdcb165375d00bd 20-unzip-uidgid-fix.patch +4ff9673cf8337e80220e46c7eb95ac61 unzip-6.0-heap-overflow-infloop.patch" sha256sums="2bc3e70d412447595ac3bed58c1c1fdae289d9a652e55fd0eaadddfe111aa9e4 unzip60.zip 6829ce345b66d081cb1b8b5be37f092836fbcb71819594e45218fc03d8e80754 10-unzip-handle-pkware-verify.patch -3650b53a49742d7ffb2c7d5db2ef1cdeaf3d34d21daa976dc7024ceb605a9dee 20-unzip-uidgid-fix.patch" +3650b53a49742d7ffb2c7d5db2ef1cdeaf3d34d21daa976dc7024ceb605a9dee 20-unzip-uidgid-fix.patch +1a12fe030bb1127f54362c7023995d4b01528ef4f2d068497d390877d15aafea unzip-6.0-heap-overflow-infloop.patch" sha512sums="4a455d45b2c33bc28cab74b82d13f2f1bc5f4a2c45de125345181d2e712079727e825d25e5b7765f9f9c16b7746cd5342897dc8502cb55b8a9f2329b138a1614 unzip60.zip 9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch -57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch" +57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch +b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch" diff --git a/main/unzip/unzip-6.0-heap-overflow-infloop.patch b/main/unzip/unzip-6.0-heap-overflow-infloop.patch new file mode 100644 index 0000000000..160c512f96 --- /dev/null +++ b/main/unzip/unzip-6.0-heap-overflow-infloop.patch @@ -0,0 +1,104 @@ +From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 +From: Petr Stodulka <pstodulk@redhat.com> +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: [PATCH 1/3] upstream fix for heap overflow + +https://bugzilla.redhat.com/attachment.cgi?id=1073002 +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/crypt.c b/crypt.c +index 784e411..a8975f2 100644 +--- a/crypt.c ++++ b/crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } +-- +2.4.6 + + +From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data + +Bug: https://sourceforge.net/p/infozip/patches/23/ +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/extract.c b/extract.c +index 7134bfe..29db027 100644 +--- a/extract.c ++++ b/extract.c +@@ -2733,6 +2733,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; +-- +2.4.6 + + +From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 29db027..b9ae667 100644 +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +-- +2.5.2 + |