Security fixes for:
CVE-2018-1000035 (heap overflow in processing password-protected archives) CVE-2019-13232 (mishandles the overlapping of files inside a ZIP container) From Moritz Buhl
This commit is contained in:
parent
920b2c4ccb
commit
caf1a0257d
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.64 2019/07/12 20:43:30 sthen Exp $
|
||||
# $OpenBSD: Makefile,v 1.65 2020/03/11 21:57:31 naddy Exp $
|
||||
|
||||
PORTROACH = skipv:551,552
|
||||
|
||||
@ -7,7 +7,7 @@ COMMENT = extract, list & test files in a ZIP archive
|
||||
VERSION = 6.0
|
||||
DISTNAME = unzip${VERSION:S/.//}
|
||||
PKGNAME = unzip-${VERSION}
|
||||
REVISION = 12
|
||||
REVISION = 13
|
||||
CATEGORIES = archivers
|
||||
MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=infozip/} \
|
||||
ftp://ftp.info-zip.org/pub/infozip/src/
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: patch-extract_c,v 1.2 2017/03/23 17:26:17 bluhm Exp $
|
||||
$OpenBSD: patch-extract_c,v 1.3 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix CVE-2015-7696: prevent unsigned overflow on invalid input
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=1075942
|
||||
@ -12,9 +12,12 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
https://bugs.debian.org/802160
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1260944
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=1073339
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
--- extract.c.orig Sat Mar 14 02:32:52 2009
|
||||
+++ extract.c Tue Mar 21 16:10:27 2017
|
||||
Index: extract.c
|
||||
--- extract.c.orig
|
||||
+++ extract.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
|
||||
@ -31,7 +34,190 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
static ZCONST char Far InvalidComprDataEAs[] =
|
||||
" invalid compressed data for EAs\n";
|
||||
# if (defined(WIN32) && defined(NTSD_EAS))
|
||||
@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
|
||||
@@ -319,11 +321,130 @@ static ZCONST char Far UnsupportedExtraField[] =
|
||||
"\nerror: unsupported extra-field compression type (%u)--skipping\n";
|
||||
static ZCONST char Far BadExtraFieldCRC[] =
|
||||
"error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
|
||||
+static ZCONST char Far NotEnoughMemCover[] =
|
||||
+ "error: not enough memory for bomb detection\n";
|
||||
+static ZCONST char Far OverlappedComponents[] =
|
||||
+ "error: invalid zip file with overlapped components (possible zip bomb)\n";
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+/* A growable list of spans. */
|
||||
+typedef zoff_t bound_t;
|
||||
+typedef struct {
|
||||
+ bound_t beg; /* start of the span */
|
||||
+ bound_t end; /* one past the end of the span */
|
||||
+} span_t;
|
||||
+typedef struct {
|
||||
+ span_t *span; /* allocated, distinct, and sorted list of spans */
|
||||
+ size_t num; /* number of spans in the list */
|
||||
+ size_t max; /* allocated number of spans (num <= max) */
|
||||
+} cover_t;
|
||||
+
|
||||
+/*
|
||||
+ * Return the index of the first span in cover whose beg is greater than val.
|
||||
+ * If there is no such span, then cover->num is returned.
|
||||
+ */
|
||||
+static size_t cover_find(cover, val)
|
||||
+ cover_t *cover;
|
||||
+ bound_t val;
|
||||
+{
|
||||
+ size_t lo = 0, hi = cover->num;
|
||||
+ while (lo < hi) {
|
||||
+ size_t mid = (lo + hi) >> 1;
|
||||
+ if (val < cover->span[mid].beg)
|
||||
+ hi = mid;
|
||||
+ else
|
||||
+ lo = mid + 1;
|
||||
+ }
|
||||
+ return hi;
|
||||
+}
|
||||
+
|
||||
+/* Return true if val lies within any one of the spans in cover. */
|
||||
+static int cover_within(cover, val)
|
||||
+ cover_t *cover;
|
||||
+ bound_t val;
|
||||
+{
|
||||
+ size_t pos = cover_find(cover, val);
|
||||
+ return pos > 0 && val < cover->span[pos - 1].end;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Add a new span to the list, but only if the new span does not overlap any
|
||||
+ * spans already in the list. The new span covers the values beg..end-1. beg
|
||||
+ * must be less than end.
|
||||
+ *
|
||||
+ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
|
||||
+ * the list as needed. On success, 0 is returned. If the new span overlaps any
|
||||
+ * existing spans, then 1 is returned and the new span is not added to the
|
||||
+ * list. If the new span is invalid because beg is greater than or equal to
|
||||
+ * end, then -1 is returned. If the list needs to be grown but the memory
|
||||
+ * allocation fails, then -2 is returned.
|
||||
+ */
|
||||
+static int cover_add(cover, beg, end)
|
||||
+ cover_t *cover;
|
||||
+ bound_t beg;
|
||||
+ bound_t end;
|
||||
+{
|
||||
+ size_t pos;
|
||||
+ int prec, foll;
|
||||
+
|
||||
+ if (beg >= end)
|
||||
+ /* The new span is invalid. */
|
||||
+ return -1;
|
||||
+
|
||||
+ /* Find where the new span should go, and make sure that it does not
|
||||
+ overlap with any existing spans. */
|
||||
+ pos = cover_find(cover, beg);
|
||||
+ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
|
||||
+ (pos < cover->num && end > cover->span[pos].beg))
|
||||
+ return 1;
|
||||
+
|
||||
+ /* Check for adjacencies. */
|
||||
+ prec = pos > 0 && beg == cover->span[pos - 1].end;
|
||||
+ foll = pos < cover->num && end == cover->span[pos].beg;
|
||||
+ if (prec && foll) {
|
||||
+ /* The new span connects the preceding and following spans. Merge the
|
||||
+ following span into the preceding span, and delete the following
|
||||
+ span. */
|
||||
+ cover->span[pos - 1].end = cover->span[pos].end;
|
||||
+ cover->num--;
|
||||
+ memmove(cover->span + pos, cover->span + pos + 1,
|
||||
+ (cover->num - pos) * sizeof(span_t));
|
||||
+ }
|
||||
+ else if (prec)
|
||||
+ /* The new span is adjacent only to the preceding span. Extend the end
|
||||
+ of the preceding span. */
|
||||
+ cover->span[pos - 1].end = end;
|
||||
+ else if (foll)
|
||||
+ /* The new span is adjacent only to the following span. Extend the
|
||||
+ beginning of the following span. */
|
||||
+ cover->span[pos].beg = beg;
|
||||
+ else {
|
||||
+ /* The new span has gaps between both the preceding and the following
|
||||
+ spans. Assure that there is room and insert the span. */
|
||||
+ if (cover->num == cover->max) {
|
||||
+ size_t max = cover->max == 0 ? 16 : cover->max << 1;
|
||||
+ span_t *span = realloc(cover->span, max * sizeof(span_t));
|
||||
+ if (span == NULL)
|
||||
+ return -2;
|
||||
+ cover->span = span;
|
||||
+ cover->max = max;
|
||||
+ }
|
||||
+ memmove(cover->span + pos + 1, cover->span + pos,
|
||||
+ (cover->num - pos) * sizeof(span_t));
|
||||
+ cover->num++;
|
||||
+ cover->span[pos].beg = beg;
|
||||
+ cover->span[pos].end = end;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
+
|
||||
+
|
||||
/**************************************/
|
||||
/* Function extract_or_test_files() */
|
||||
/**************************************/
|
||||
@@ -374,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type er
|
||||
}
|
||||
#endif /* !SFX || SFX_EXDIR */
|
||||
|
||||
+ /* One more: initialize cover structure for bomb detection. Start with a
|
||||
+ span that covers the central directory though the end of the file. */
|
||||
+ if (G.cover == NULL) {
|
||||
+ G.cover = malloc(sizeof(cover_t));
|
||||
+ if (G.cover == NULL) {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString(NotEnoughMemCover)));
|
||||
+ return PK_MEM;
|
||||
+ }
|
||||
+ ((cover_t *)G.cover)->span = NULL;
|
||||
+ ((cover_t *)G.cover)->max = 0;
|
||||
+ }
|
||||
+ ((cover_t *)G.cover)->num = 0;
|
||||
+ if ((G.extra_bytes != 0 &&
|
||||
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
|
||||
+ cover_add((cover_t *)G.cover,
|
||||
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
|
||||
+ G.ziplen) != 0) {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString(NotEnoughMemCover)));
|
||||
+ return PK_MEM;
|
||||
+ }
|
||||
+
|
||||
/*---------------------------------------------------------------------------
|
||||
The basic idea of this function is as follows. Since the central di-
|
||||
rectory lies at the end of the zipfile and the member files lie at the
|
||||
@@ -591,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type er
|
||||
if (error > error_in_archive)
|
||||
error_in_archive = error;
|
||||
/* ...and keep going (unless disk full or user break) */
|
||||
- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
|
||||
+ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
|
||||
+ error == PK_BOMB) {
|
||||
/* clear reached_end to signal premature stop ... */
|
||||
reached_end = FALSE;
|
||||
/* ... and cancel scanning the central directory */
|
||||
@@ -1060,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
|
||||
|
||||
/* seek_zipf(__G__ pInfo->offset); */
|
||||
request = G.pInfo->offset + G.extra_bytes;
|
||||
+ if (cover_within((cover_t *)G.cover, request)) {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString(OverlappedComponents)));
|
||||
+ return PK_BOMB;
|
||||
+ }
|
||||
inbuf_offset = request % INBUFSIZ;
|
||||
bufstart = request - inbuf_offset;
|
||||
|
||||
@@ -1255,8 +1405,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
|
||||
if (G.lrec.compression_method == STORED) {
|
||||
zusz_t csiz_decrypted = G.lrec.csize;
|
||||
|
||||
@ -50,7 +236,61 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
if (G.lrec.ucsize != csiz_decrypted) {
|
||||
Info(slide, 0x401, ((char *)slide,
|
||||
LoadFarStringSmall2(WrnStorUCSizCSizDiff),
|
||||
@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_len)
|
||||
@@ -1591,6 +1750,18 @@ reprompt:
|
||||
return IZ_CTRLC; /* cancel operation by user request */
|
||||
}
|
||||
#endif
|
||||
+ error = cover_add((cover_t *)G.cover, request,
|
||||
+ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
|
||||
+ if (error < 0) {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString(NotEnoughMemCover)));
|
||||
+ return PK_MEM;
|
||||
+ }
|
||||
+ if (error != 0) {
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarString(OverlappedComponents)));
|
||||
+ return PK_BOMB;
|
||||
+ }
|
||||
#ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
|
||||
UserStop();
|
||||
#endif
|
||||
@@ -1992,6 +2163,34 @@ static int extract_or_test_member(__G) /* return PK
|
||||
}
|
||||
|
||||
undefer_input(__G);
|
||||
+
|
||||
+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
|
||||
+ /* skip over data descriptor (harder than it sounds, due to signature
|
||||
+ * ambiguity)
|
||||
+ */
|
||||
+# define SIG 0x08074b50
|
||||
+# define LOW 0xffffffff
|
||||
+ uch buf[12];
|
||||
+ unsigned shy = 12 - readbuf((char *)buf, 12);
|
||||
+ ulg crc = shy ? 0 : makelong(buf);
|
||||
+ ulg clen = shy ? 0 : makelong(buf + 4);
|
||||
+ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
|
||||
+ if (crc == SIG && /* if not SIG, no signature */
|
||||
+ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
|
||||
+ (clen == SIG && /* if not SIG, no signature */
|
||||
+ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
|
||||
+ (ulen == SIG && /* if not SIG, no signature */
|
||||
+ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
|
||||
+ /* if not SIG, have signature */
|
||||
+ )))))
|
||||
+ /* skip four more bytes to account for signature */
|
||||
+ shy += 4 - readbuf((char *)buf, 4);
|
||||
+ if (G.zip64)
|
||||
+ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
|
||||
+ if (shy)
|
||||
+ error = PK_ERR;
|
||||
+ }
|
||||
+
|
||||
return error;
|
||||
|
||||
} /* end function extract_or_test_member() */
|
||||
@@ -2023,7 +2222,8 @@ static int TestExtraField(__G__ ef, ef_len)
|
||||
ebID = makeword(ef);
|
||||
ebLen = (unsigned)makeword(ef+EB_LEN);
|
||||
|
||||
@ -60,7 +300,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
/* Discovered some extra field inconsistency! */
|
||||
if (uO.qflag)
|
||||
Info(slide, 1, ((char *)slide, "%-22s ",
|
||||
@@ -2158,11 +2170,19 @@ static int TestExtraField(__G__ ef, ef_len)
|
||||
@@ -2158,11 +2358,19 @@ static int TestExtraField(__G__ ef, ef_len)
|
||||
}
|
||||
break;
|
||||
case EF_PKVMS:
|
||||
@ -81,7 +321,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
break;
|
||||
case EF_PKW32:
|
||||
case EF_PKUNIX:
|
||||
@@ -2217,15 +2237,32 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offs
|
||||
@@ -2217,15 +2425,32 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offs
|
||||
ulg eb_ucsize;
|
||||
uch *eb_ucptr;
|
||||
int r;
|
||||
@ -117,7 +357,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
|
||||
if (
|
||||
#ifdef INT_16BIT
|
||||
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
|
||||
@@ -2700,6 +2737,12 @@ __GDEF
|
||||
@@ -2700,6 +2925,12 @@ __GDEF
|
||||
int err=BZ_OK;
|
||||
int repeated_buf_err;
|
||||
bz_stream bstrm;
|
||||
|
@ -1,9 +1,14 @@
|
||||
$OpenBSD: patch-fileio_c,v 1.1 2015/02/06 21:37:04 naddy Exp $
|
||||
$OpenBSD: patch-fileio_c,v 1.2 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
|
||||
Fix CVE-2018-1000035: buffer overflow for password-protected archives
|
||||
https://security-tracker.debian.org/tracker/CVE-2018-1000035
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
--- fileio.c.orig Mon Apr 20 02:03:44 2009
|
||||
+++ fileio.c Thu Feb 5 18:57:59 2015
|
||||
Index: fileio.c
|
||||
--- fileio.c.orig
|
||||
+++ fileio.c
|
||||
@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
|
||||
#endif
|
||||
static ZCONST char Far ExtraFieldTooLong[] =
|
||||
@ -13,7 +18,49 @@ Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
|
||||
|
||||
#ifdef WINDLL
|
||||
static ZCONST char Far DiskFullQuery[] =
|
||||
@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* return PK-typ
|
||||
@@ -530,8 +532,10 @@ void undefer_input(__G)
|
||||
* This condition was checked when G.incnt_leftover was set > 0 in
|
||||
* defer_leftover_input(), and it is NOT allowed to touch G.csize
|
||||
* before calling undefer_input() when (G.incnt_leftover > 0)
|
||||
- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
|
||||
+ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
|
||||
*/
|
||||
+ if (G.csize < 0L)
|
||||
+ G.csize = 0L;
|
||||
G.incnt = G.incnt_leftover + (int)G.csize;
|
||||
G.inptr = G.inptr_leftover - (int)G.csize;
|
||||
G.incnt_leftover = 0;
|
||||
@@ -1580,7 +1584,11 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, ef
|
||||
int r = IZ_PW_ENTERED;
|
||||
char *m;
|
||||
char *prompt;
|
||||
-
|
||||
+ char *zfnf;
|
||||
+ char *efnf;
|
||||
+ size_t zfnfl;
|
||||
+ int isOverflow;
|
||||
+
|
||||
#ifndef REENTRANT
|
||||
/* tell picky compilers to shut up about "unused variable" warnings */
|
||||
pG = pG;
|
||||
@@ -1588,7 +1596,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, ef
|
||||
|
||||
if (*rcnt == 0) { /* First call for current entry */
|
||||
*rcnt = 2;
|
||||
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
|
||||
+ zfnf = FnFilter1(zfn);
|
||||
+ efnf = FnFilter2(efn);
|
||||
+ zfnfl = strlen(zfnf);
|
||||
+ isOverflow = TRUE;
|
||||
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
|
||||
+ {
|
||||
+ isOverflow = FALSE;
|
||||
+ }
|
||||
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
|
||||
sprintf(prompt, LoadFarString(PasswPrompt),
|
||||
FnFilter1(zfn), FnFilter2(efn));
|
||||
m = prompt;
|
||||
@@ -2295,7 +2311,12 @@ int do_string(__G__ length, option) /* return PK-typ
|
||||
if (readbuf(__G__ (char *)G.extra_field, length) == 0)
|
||||
return PK_EOF;
|
||||
/* Looks like here is where extra fields are read */
|
||||
|
15
archivers/unzip/patches/patch-globals_c
Normal file
15
archivers/unzip/patches/patch-globals_c
Normal file
@ -0,0 +1,15 @@
|
||||
$OpenBSD: patch-globals_c,v 1.1 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
--- globals.c.orig
|
||||
+++ globals.c
|
||||
@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
|
||||
# if (!defined(NO_TIMESTAMPS))
|
||||
uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
|
||||
# endif
|
||||
+ G.cover = NULL; /* not allocated yet */
|
||||
#endif
|
||||
|
||||
uO.lflag=(-1);
|
23
archivers/unzip/patches/patch-globals_h
Normal file
23
archivers/unzip/patches/patch-globals_h
Normal file
@ -0,0 +1,23 @@
|
||||
$OpenBSD: patch-globals_h,v 1.1 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
--- globals.h.orig
|
||||
+++ globals.h
|
||||
@@ -260,12 +260,15 @@ typedef struct Globals {
|
||||
ecdir_rec ecrec; /* used in unzip.c, extract.c */
|
||||
z_stat statbuf; /* used by main, mapname, check_for_newer */
|
||||
|
||||
+ int zip64; /* true if Zip64 info in extra field */
|
||||
+
|
||||
int mem_mode;
|
||||
uch *outbufptr; /* extract.c static */
|
||||
ulg outsize; /* extract.c static */
|
||||
int reported_backslash; /* extract.c static */
|
||||
int disk_full;
|
||||
int newfile;
|
||||
+ void **cover; /* used in extract.c for bomb detection */
|
||||
|
||||
int didCRlast; /* fileio static */
|
||||
ulg numlines; /* fileio static: number of lines printed */
|
@ -1,14 +1,16 @@
|
||||
$OpenBSD: patch-list_c,v 1.1 2017/03/23 17:26:17 bluhm Exp $
|
||||
$OpenBSD: patch-list_c,v 1.2 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix: increase size of cfactorstr array to avoid buffer overflow
|
||||
Fix CVE-2018-18384: increase size of cfactorstr array to avoid buffer overflow
|
||||
https://bugs.debian.org/741384
|
||||
https://sourceforge.net/p/infozip/bugs/53/
|
||||
Fix CVE-2014-9913: buffer overflow in unzip
|
||||
https://sourceforge.net/p/infozip/bugs/27/
|
||||
https://bugs.debian.org/847485
|
||||
https://launchpad.net/bugs/387350
|
||||
|
||||
--- list.c.orig Sun Feb 8 18:11:34 2009
|
||||
+++ list.c Tue Mar 21 16:10:27 2017
|
||||
Index: list.c
|
||||
--- list.c.orig
|
||||
+++ list.c
|
||||
@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */
|
||||
{
|
||||
int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
|
||||
@ -38,3 +40,27 @@ Fix CVE-2014-9913: buffer overflow in unzip
|
||||
}
|
||||
|
||||
#if 0 /* GRR/Euro: add this? */
|
||||
@@ -378,9 +389,9 @@ int list_files(__G) /* return PK-type error code */
|
||||
}
|
||||
#else /* !WINDLL */
|
||||
if (cfactor == 100)
|
||||
- sprintf(cfactorstr, LoadFarString(CompFactor100));
|
||||
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
|
||||
else
|
||||
- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
|
||||
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
|
||||
if (longhdr)
|
||||
Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
|
||||
FmZofft(G.crec.ucsize, "8", "u"), methbuf,
|
||||
@@ -460,9 +471,9 @@ int list_files(__G) /* return PK-type error code */
|
||||
|
||||
#else /* !WINDLL */
|
||||
if (cfactor == 100)
|
||||
- sprintf(cfactorstr, LoadFarString(CompFactor100));
|
||||
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
|
||||
else
|
||||
- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
|
||||
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
|
||||
if (longhdr) {
|
||||
Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
|
||||
FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: patch-process_c,v 1.3 2017/03/23 17:26:17 bluhm Exp $
|
||||
$OpenBSD: patch-process_c,v 1.4 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix: handle the PKWare verification bit of internal attributes
|
||||
https://bugs.debian.org/630078
|
||||
@ -8,9 +8,12 @@ Fix: do not ignore extra fields containing Unix Timestamps
|
||||
https://bugs.debian.org/842993
|
||||
Fix: restore uid and gid information when requested
|
||||
https://bugs.debian.org/689212
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
--- process.c.orig Fri Mar 6 02:25:10 2009
|
||||
+++ process.c Tue Mar 21 16:10:27 2017
|
||||
Index: process.c
|
||||
--- process.c.orig
|
||||
+++ process.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
|
||||
@ -18,7 +21,21 @@ Fix: restore uid and gid information when requested
|
||||
|
||||
See the accompanying file LICENSE, version 2009-Jan-02 or later
|
||||
(the contents of which are also included in unzip.h) for terms of use.
|
||||
@@ -1729,6 +1729,13 @@ int process_cdir_file_hdr(__G) /* return PK-type er
|
||||
@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory al
|
||||
}
|
||||
#endif
|
||||
|
||||
+ /* Free the cover span list and the cover structure. */
|
||||
+ if (G.cover != NULL) {
|
||||
+ free(*(G.cover));
|
||||
+ free(G.cover);
|
||||
+ G.cover = NULL;
|
||||
+ }
|
||||
+
|
||||
} /* end function free_G_buffers() */
|
||||
|
||||
|
||||
@@ -1729,6 +1736,13 @@ int process_cdir_file_hdr(__G) /* return PK-type er
|
||||
else if (uO.L_flag > 1) /* let -LL force lower case for all names */
|
||||
G.pInfo->lcflag = 1;
|
||||
|
||||
@ -32,7 +49,7 @@ Fix: restore uid and gid information when requested
|
||||
/* do Amigas (AMIGA_) also have volume labels? */
|
||||
if (IS_VOLID(G.crec.external_file_attributes) &&
|
||||
(G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ ||
|
||||
@@ -1751,6 +1758,12 @@ int process_cdir_file_hdr(__G) /* return PK-type er
|
||||
@@ -1751,6 +1765,12 @@ int process_cdir_file_hdr(__G) /* return PK-type er
|
||||
= (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
|
||||
#endif
|
||||
|
||||
@ -45,7 +62,7 @@ Fix: restore uid and gid information when requested
|
||||
return PK_COOL;
|
||||
|
||||
} /* end function process_cdir_file_hdr() */
|
||||
@@ -1888,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
|
||||
@@ -1888,48 +1908,84 @@ int getZip64Data(__G__ ef_buf, ef_len)
|
||||
and a 4-byte version of disk start number.
|
||||
Sets both local header and central header fields. Not terribly clever,
|
||||
but it means that this procedure is only called in one place.
|
||||
@ -60,6 +77,8 @@ Fix: restore uid and gid information when requested
|
||||
|
||||
+#define Z64FLGS 0xffff
|
||||
+#define Z64FLGL 0xffffffff
|
||||
+
|
||||
+ G.zip64 = FALSE;
|
||||
+
|
||||
if (ef_len == 0 || ef_buf == NULL)
|
||||
return PK_COOL;
|
||||
@ -144,7 +163,16 @@ Fix: restore uid and gid information when requested
|
||||
ef_buf += (eb_len + EB_HEADSIZE);
|
||||
ef_len -= (eb_len + EB_HEADSIZE);
|
||||
}
|
||||
@@ -2867,10 +2914,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
@@ -2037,6 +2093,8 @@ int getUnicodeData(__G__ ef_buf, ef_len)
|
||||
(ZCONST char *)(offset + ef_buf), ULen);
|
||||
G.unipath_filename[ULen] = '\0';
|
||||
}
|
||||
+
|
||||
+ G.zip64 = TRUE;
|
||||
}
|
||||
|
||||
/* Skip this extra field block */
|
||||
@@ -2867,10 +2925,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
break;
|
||||
|
||||
case EF_IZUNIX2:
|
||||
@ -160,7 +188,7 @@ Fix: restore uid and gid information when requested
|
||||
#ifdef IZ_HAVE_UXUIDGID
|
||||
if (have_new_type_eb > 1)
|
||||
break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
|
||||
@@ -2886,6 +2936,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
@@ -2886,6 +2947,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
/* new 3rd generation Unix ef */
|
||||
have_new_type_eb = 2;
|
||||
|
||||
@ -169,7 +197,7 @@ Fix: restore uid and gid information when requested
|
||||
/*
|
||||
Version 1 byte version of this extra field, currently 1
|
||||
UIDSize 1 byte Size of UID field
|
||||
@@ -2897,7 +2949,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
@@ -2897,7 +2960,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
#ifdef IZ_HAVE_UXUIDGID
|
||||
if (eb_len >= EB_UX3_MINLEN
|
||||
&& z_uidgid != NULL
|
||||
@ -178,7 +206,7 @@ Fix: restore uid and gid information when requested
|
||||
/* only know about version 1 */
|
||||
{
|
||||
uch uid_size;
|
||||
@@ -2906,13 +2958,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
@@ -2906,13 +2969,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
|
||||
uid_size = *((EB_HEADSIZE + 1) + ef_buf);
|
||||
gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
|
||||
|
||||
|
16
archivers/unzip/patches/patch-unzip_h
Normal file
16
archivers/unzip/patches/patch-unzip_h
Normal file
@ -0,0 +1,16 @@
|
||||
$OpenBSD: patch-unzip_h,v 1.1 2020/03/11 21:57:32 naddy Exp $
|
||||
|
||||
Fix CVE-2019-13232: a zip bomb using overlapped entries
|
||||
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
|
||||
|
||||
Index: unzip.h
|
||||
--- unzip.h.orig
|
||||
+++ unzip.h
|
||||
@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
|
||||
#define PK_NOZIP 9 /* zipfile not found */
|
||||
#define PK_PARAM 10 /* bad or illegal parameters specified */
|
||||
#define PK_FIND 11 /* no files found */
|
||||
+#define PK_BOMB 12 /* likely zip bomb */
|
||||
#define PK_DISK 50 /* disk full */
|
||||
#define PK_EOF 51 /* unexpected EOF */
|
||||
|
Loading…
Reference in New Issue
Block a user