diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch')
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch deleted file mode 100644 index c48c23f30..000000000 --- a/import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch +++ /dev/null @@ -1,145 +0,0 @@ -From: sms -Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() -Bug-Debian: http://bugs.debian.org/773722 - -The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz - -Upstream-Status: Backport -CVE: CVE-2014-8141 - -Signed-off-by: Roy Li <rongqing.li@windriver.com> - - ---- a/fileio.c -+++ b/fileio.c -@@ -176,6 +176,8 @@ - #endif - static ZCONST char Far ExtraFieldTooLong[] = - "warning: extra field too long (%d). Ignoring...\n"; -+static ZCONST char Far ExtraFieldCorrupt[] = -+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; - - #ifdef WINDLL - static ZCONST char Far DiskFullQuery[] = -@@ -2295,7 +2297,12 @@ - if (readbuf(__G__ (char *)G.extra_field, length) == 0) - return PK_EOF; - /* Looks like here is where extra fields are read */ -- getZip64Data(__G__ G.extra_field, length); -+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) -+ { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); -+ error = PK_WARN; -+ } - #ifdef UNICODE_SUPPORT - G.unipath_filename = NULL; - if (G.UzO.U_flag < 2) { ---- a/process.c -+++ b/process.c -@@ -1,5 +1,5 @@ - /* -- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. -+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. - - See the accompanying file LICENSE, version 2009-Jan-02 or later - (the contents of which are also included in unzip.h) for terms of use. -@@ -1901,48 +1901,82 @@ - and a 4-byte version of disk start number. - Sets both local header and central header fields. Not terribly clever, - but it means that this procedure is only called in one place. -+ -+ 2014-12-05 SMS. -+ Added checks to ensure that enough data are available before calling -+ makeint64() or makelong(). Replaced various sizeof() values with -+ simple ("4" or "8") constants. (The Zip64 structures do not depend -+ on our variable sizes.) Error handling is crude, but we should now -+ stay within the buffer. - ---------------------------------------------------------------------------*/ - -+#define Z64FLGS 0xffff -+#define Z64FLGL 0xffffffff -+ - if (ef_len == 0 || ef_buf == NULL) - return PK_COOL; - - Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", - ef_len)); - -- while (ef_len >= EB_HEADSIZE) { -+ while (ef_len >= EB_HEADSIZE) -+ { - eb_id = makeword(EB_ID + ef_buf); - eb_len = makeword(EB_LEN + ef_buf); - -- if (eb_len > (ef_len - EB_HEADSIZE)) { -- /* discovered some extra field inconsistency! */ -+ if (eb_len > (ef_len - EB_HEADSIZE)) -+ { -+ /* Extra block length exceeds remaining extra field length. */ - Trace((stderr, - "getZip64Data: block length %u > rest ef_size %u\n", eb_len, - ef_len - EB_HEADSIZE)); - break; - } -- if (eb_id == EF_PKSZ64) { -- -+ if (eb_id == EF_PKSZ64) -+ { - int offset = EB_HEADSIZE; - -- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ -- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.ucsize); -+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ -+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); -+ offset += 8; - } -- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ -- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.csize); -+ -+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ -+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); -+ offset += 8; - } -- if (G.crec.relative_offset_local_header == 0xffffffff){ -+ -+ if (G.crec.relative_offset_local_header == Z64FLGL) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ - G.crec.relative_offset_local_header = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.relative_offset_local_header); -+ offset += 8; - } -- if (G.crec.disk_number_start == 0xffff){ -+ -+ if (G.crec.disk_number_start == Z64FLGS) -+ { -+ if (offset+ 4 > ef_len) -+ return PK_ERR; -+ - G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); -- offset += sizeof(G.crec.disk_number_start); -+ offset += 4; - } -+#if 0 -+ break; /* Expect only one EF_PKSZ64 block. */ -+#endif /* 0 */ - } - -- /* Skip this extra field block */ -+ /* Skip this extra field block. */ - ef_buf += (eb_len + EB_HEADSIZE); - ef_len -= (eb_len + EB_HEADSIZE); - } |
