Security fixes for:

CVE-2018-1000035 (heap overflow in processing password-protected archives)
CVE-2019-13232 (mishandles the overlapping of files inside a ZIP container)
From Moritz Buhl
naddy 2020-03-11 21:57:31 +00:00
parent 920b2c4ccb
commit caf1a0257d
8 changed files with 423 additions and 28 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.64 2019/07/12 20:43:30 sthen Exp $ # $OpenBSD: Makefile,v 1.65 2020/03/11 21:57:31 naddy Exp $
PORTROACH = skipv:551,552 PORTROACH = skipv:551,552
@ -7,7 +7,7 @@ COMMENT = extract, list & test files in a ZIP archive
VERSION = 6.0 VERSION = 6.0
DISTNAME = unzip${VERSION:S/.//} DISTNAME = unzip${VERSION:S/.//}
PKGNAME = unzip-${VERSION} PKGNAME = unzip-${VERSION}
REVISION = 12 REVISION = 13
CATEGORIES = archivers CATEGORIES = archivers
MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=infozip/} \ MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=infozip/} \
ftp://ftp.info-zip.org/pub/infozip/src/ ftp://ftp.info-zip.org/pub/infozip/src/


@ -1,4 +1,4 @@
$OpenBSD: patch-extract_c,v 1.2 2017/03/23 17:26:17 bluhm Exp $ $OpenBSD: patch-extract_c,v 1.3 2020/03/11 21:57:32 naddy Exp $
Fix CVE-2015-7696: prevent unsigned overflow on invalid input Fix CVE-2015-7696: prevent unsigned overflow on invalid input
https://bugzilla.redhat.com/attachment.cgi?id=1075942 https://bugzilla.redhat.com/attachment.cgi?id=1075942
@ -12,9 +12,12 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
https://bugs.debian.org/802160 https://bugs.debian.org/802160
https://bugzilla.redhat.com/show_bug.cgi?id=1260944 https://bugzilla.redhat.com/show_bug.cgi?id=1260944
https://bugzilla.redhat.com/attachment.cgi?id=1073339 https://bugzilla.redhat.com/attachment.cgi?id=1073339
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
--- extract.c.orig Sat Mar 14 02:32:52 2009 Index: extract.c
+++ extract.c Tue Mar 21 16:10:27 2017 --- extract.c.orig
+++ extract.c
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. - Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
@ -31,7 +34,190 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
static ZCONST char Far InvalidComprDataEAs[] = static ZCONST char Far InvalidComprDataEAs[] =
" invalid compressed data for EAs\n"; " invalid compressed data for EAs\n";
# if (defined(WIN32) && defined(NTSD_EAS)) # if (defined(WIN32) && defined(NTSD_EAS))
@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, @@ -319,11 +321,130 @@ static ZCONST char Far UnsupportedExtraField[] =
"\nerror: unsupported extra-field compression type (%u)--skipping\n";
static ZCONST char Far BadExtraFieldCRC[] =
"error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
+static ZCONST char Far NotEnoughMemCover[] =
+ "error: not enough memory for bomb detection\n";
+static ZCONST char Far OverlappedComponents[] =
+ "error: invalid zip file with overlapped components (possible zip bomb)\n";
+/* A growable list of spans. */
+typedef zoff_t bound_t;
+typedef struct {
+ bound_t beg; /* start of the span */
+ bound_t end; /* one past the end of the span */
+} span_t;
+typedef struct {
+ span_t *span; /* allocated, distinct, and sorted list of spans */
+ size_t num; /* number of spans in the list */
+ size_t max; /* allocated number of spans (num <= max) */
+} cover_t;
+
+/*
+ * Return the index of the first span in cover whose beg is greater than val.
+ * If there is no such span, then cover->num is returned.
+ */
+static size_t cover_find(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t lo = 0, hi = cover->num;
+ while (lo < hi) {
+ size_t mid = (lo + hi) >> 1;
+ if (val < cover->span[mid].beg)
+ hi = mid;
+ else
+ lo = mid + 1;
+ }
+ return hi;
+}
+
+/* Return true if val lies within any one of the spans in cover. */
+static int cover_within(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t pos = cover_find(cover, val);
+ return pos > 0 && val < cover->span[pos - 1].end;
+}
+
+/*
+ * Add a new span to the list, but only if the new span does not overlap any
+ * spans already in the list. The new span covers the values beg..end-1. beg
+ * must be less than end.
+ *
+ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
+ * the list as needed. On success, 0 is returned. If the new span overlaps any
+ * existing spans, then 1 is returned and the new span is not added to the
+ * list. If the new span is invalid because beg is greater than or equal to
+ * end, then -1 is returned. If the list needs to be grown but the memory
+ * allocation fails, then -2 is returned.
+ */
+static int cover_add(cover, beg, end)
+ cover_t *cover;
+ bound_t beg;
+ bound_t end;
+{
+ size_t pos;
+ int prec, foll;
+
+ if (beg >= end)
+ /* The new span is invalid. */
+ return -1;
+
+ /* Find where the new span should go, and make sure that it does not
+ overlap with any existing spans. */
+ pos = cover_find(cover, beg);
+ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
+ (pos < cover->num && end > cover->span[pos].beg))
+ return 1;
+
+ /* Check for adjacencies. */
+ prec = pos > 0 && beg == cover->span[pos - 1].end;
+ foll = pos < cover->num && end == cover->span[pos].beg;
+ if (prec && foll) {
+ /* The new span connects the preceding and following spans. Merge the
+ following span into the preceding span, and delete the following
+ span. */
+ cover->span[pos - 1].end = cover->span[pos].end;
+ cover->num--;
+ memmove(cover->span + pos, cover->span + pos + 1,
+ (cover->num - pos) * sizeof(span_t));
+ }
+ else if (prec)
+ /* The new span is adjacent only to the preceding span. Extend the end
+ of the preceding span. */
+ cover->span[pos - 1].end = end;
+ else if (foll)
+ /* The new span is adjacent only to the following span. Extend the
+ beginning of the following span. */
+ cover->span[pos].beg = beg;
+ else {
+ /* The new span has gaps between both the preceding and the following
+ spans. Assure that there is room and insert the span. */
+ if (cover->num == cover->max) {
+ size_t max = cover->max == 0 ? 16 : cover->max << 1;
+ span_t *span = realloc(cover->span, max * sizeof(span_t));
+ if (span == NULL)
+ return -2;
+ cover->span = span;
+ cover->max = max;
+ }
+ memmove(cover->span + pos + 1, cover->span + pos,
+ (cover->num - pos) * sizeof(span_t));
+ cover->num++;
+ cover->span[pos].beg = beg;
+ cover->span[pos].end = end;
+ }
+ return 0;
+}
+
+
+
+
+
/**************************************/
/* Function extract_or_test_files() */
/**************************************/
@@ -374,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type er
}
#endif /* !SFX || SFX_EXDIR */
+ /* One more: initialize cover structure for bomb detection. Start with a
+ span that covers the central directory though the end of the file. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ ((cover_t *)G.cover)->span = NULL;
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+ if ((G.extra_bytes != 0 &&
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+ cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+ G.ziplen) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+
/*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di-
rectory lies at the end of the zipfile and the member files lie at the
@@ -591,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type er
if (error > error_in_archive)
error_in_archive = error;
/* ...and keep going (unless disk full or user break) */
- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
+ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
+ error == PK_BOMB) {
/* clear reached_end to signal premature stop ... */
reached_end = FALSE;
/* ... and cancel scanning the central directory */
@@ -1060,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
/* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes;
+ if (cover_within((cover_t *)G.cover, request)) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
inbuf_offset = request % INBUFSIZ;
bufstart = request - inbuf_offset;
@@ -1255,8 +1405,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
if (G.lrec.compression_method == STORED) { if (G.lrec.compression_method == STORED) {
zusz_t csiz_decrypted = G.lrec.csize; zusz_t csiz_decrypted = G.lrec.csize;
@ -50,7 +236,61 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
if (G.lrec.ucsize != csiz_decrypted) { if (G.lrec.ucsize != csiz_decrypted) {
Info(slide, 0x401, ((char *)slide, Info(slide, 0x401, ((char *)slide,
LoadFarStringSmall2(WrnStorUCSizCSizDiff), LoadFarStringSmall2(WrnStorUCSizCSizDiff),
@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_len) @@ -1591,6 +1750,18 @@ reprompt:
return IZ_CTRLC; /* cancel operation by user request */
}
#endif
+ error = cover_add((cover_t *)G.cover, request,
+ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
+ if (error < 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ if (error != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
#ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
UserStop();
#endif
@@ -1992,6 +2163,34 @@ static int extract_or_test_member(__G) /* return PK
}
undefer_input(__G);
+
+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
+ /* skip over data descriptor (harder than it sounds, due to signature
+ * ambiguity)
+ */
+# define SIG 0x08074b50
+# define LOW 0xffffffff
+ uch buf[12];
+ unsigned shy = 12 - readbuf((char *)buf, 12);
+ ulg crc = shy ? 0 : makelong(buf);
+ ulg clen = shy ? 0 : makelong(buf + 4);
+ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
+ if (crc == SIG && /* if not SIG, no signature */
+ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
+ (clen == SIG && /* if not SIG, no signature */
+ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
+ (ulen == SIG && /* if not SIG, no signature */
+ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
+ /* if not SIG, have signature */
+ )))))
+ /* skip four more bytes to account for signature */
+ shy += 4 - readbuf((char *)buf, 4);
+ if (G.zip64)
+ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
+ if (shy)
+ error = PK_ERR;
+ }
+
return error;
} /* end function extract_or_test_member() */
@@ -2023,7 +2222,8 @@ static int TestExtraField(__G__ ef, ef_len)
ebID = makeword(ef); ebID = makeword(ef);
ebLen = (unsigned)makeword(ef+EB_LEN); ebLen = (unsigned)makeword(ef+EB_LEN);
@ -60,7 +300,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
/* Discovered some extra field inconsistency! */ /* Discovered some extra field inconsistency! */
if (uO.qflag) if (uO.qflag)
Info(slide, 1, ((char *)slide, "%-22s ", Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2158,11 +2170,19 @@ static int TestExtraField(__G__ ef, ef_len) @@ -2158,11 +2358,19 @@ static int TestExtraField(__G__ ef, ef_len)
} }
break; break;
case EF_PKVMS: case EF_PKVMS:
@ -81,7 +321,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
break; break;
case EF_PKW32: case EF_PKW32:
case EF_PKUNIX: case EF_PKUNIX:
@@ -2217,15 +2237,32 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offs @@ -2217,15 +2425,32 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offs
ulg eb_ucsize; ulg eb_ucsize;
uch *eb_ucptr; uch *eb_ucptr;
int r; int r;
@ -117,7 +357,7 @@ Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
if ( if (
#ifdef INT_16BIT #ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) || (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
@@ -2700,6 +2737,12 @@ __GDEF @@ -2700,6 +2925,12 @@ __GDEF
int err=BZ_OK; int err=BZ_OK;
int repeated_buf_err; int repeated_buf_err;
bz_stream bstrm; bz_stream bstrm;
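Review bot: The cover initialisation in extract_or_test_files (hunk `@@ -374,6 +495,29 @@`) treats every non-zero cover_add() result as `NotEnoughMemCover`/PK_MEM, although cover_add() documents -1 for an empty or inverted span and 1 for an overlap, reserving -2 for the failed realloc. `G.extra_bytes` is a signed zoff_t, so if unzip continues after diagnosing missing leading bytes (negative extra_bytes, not visible in this hunk) the call `cover_add(cover, 0, G.extra_bytes)` returns -1 and the user is told the process ran out of memory for a malformed archive. I would only add the leading span when `G.extra_bytes > 0`, map -2 alone to PK_MEM, and report -1/1 as an invalid layout with OverlappedComponents/PK_BOMB, which is also what the later hunk in extract_or_test_entrylist does for the overlap case. The body of extract_or_test_files continues on both sides of the hunk.
```c
    ((cover_t *)G.cover)->num = 0;
    error = 0;
    if (G.extra_bytes > 0)
        error = cover_add((cover_t *)G.cover, 0, G.extra_bytes);
    if (error == 0)
        error = cover_add((cover_t *)G.cover,
                          G.extra_bytes + G.ecrec.offset_start_central_directory,
                          G.ziplen);
    if (error == -2) {
        /* only a failed realloc is a memory error */
        Info(slide, 0x401, ((char *)slide,
          LoadFarString(NotEnoughMemCover)));
        return PK_MEM;
    }
    if (error != 0) {
        /* -1: central directory span empty/inverted; 1: overlaps leading bytes */
        Info(slide, 0x401, ((char *)slide,
          LoadFarString(OverlappedComponents)));
        return PK_BOMB;
    }
    /* … unchanged: central directory walk … */
```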


@ -1,9 +1,14 @@
$OpenBSD: patch-fileio_c,v 1.1 2015/02/06 21:37:04 naddy Exp $ $OpenBSD: patch-fileio_c,v 1.2 2020/03/11 21:57:32 naddy Exp $
Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
Fix CVE-2018-1000035: buffer overflow for password-protected archives
https://security-tracker.debian.org/tracker/CVE-2018-1000035
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
--- fileio.c.orig Mon Apr 20 02:03:44 2009 Index: fileio.c
+++ fileio.c Thu Feb 5 18:57:59 2015 --- fileio.c.orig
+++ fileio.c
@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] = @@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
#endif #endif
static ZCONST char Far ExtraFieldTooLong[] = static ZCONST char Far ExtraFieldTooLong[] =
@ -13,7 +18,49 @@ Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
#ifdef WINDLL #ifdef WINDLL
static ZCONST char Far DiskFullQuery[] = static ZCONST char Far DiskFullQuery[] =
@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* return PK-typ @@ -530,8 +532,10 @@ void undefer_input(__G)
* This condition was checked when G.incnt_leftover was set > 0 in
* defer_leftover_input(), and it is NOT allowed to touch G.csize
* before calling undefer_input() when (G.incnt_leftover > 0)
- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
+ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
*/
+ if (G.csize < 0L)
+ G.csize = 0L;
G.incnt = G.incnt_leftover + (int)G.csize;
G.inptr = G.inptr_leftover - (int)G.csize;
G.incnt_leftover = 0;
@@ -1580,7 +1584,11 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, ef
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
-
+ char *zfnf;
+ char *efnf;
+ size_t zfnfl;
+ int isOverflow;
+
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
pG = pG;
@@ -1588,7 +1596,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, ef
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+ zfnf = FnFilter1(zfn);
+ efnf = FnFilter2(efn);
+ zfnfl = strlen(zfnf);
+ isOverflow = TRUE;
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+ {
+ isOverflow = FALSE;
+ }
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
sprintf(prompt, LoadFarString(PasswPrompt),
FnFilter1(zfn), FnFilter2(efn));
m = prompt;
@@ -2295,7 +2311,12 @@ int do_string(__G__ length, option) /* return PK-typ
if (readbuf(__G__ (char *)G.extra_field, length) == 0) if (readbuf(__G__ (char *)G.extra_field, length) == 0)
return PK_EOF; return PK_EOF;
/* Looks like here is where extra fields are read */ /* Looks like here is where extra fields are read */
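Review bot: In the UzpPassword hunk (`@@ -1588,7 +1596,15 @@`) the new guard hand-computes the room left in the `2*FILNAMSIZ + 15` buffer and then still formats with an unbounded `sprintf`, re-running `FnFilter1(zfn)`/`FnFilter2(efn)` instead of using the `zfnf`/`efnf` it just computed. The arithmetic is only right while the fixed text of PasswPrompt (not visible here) fits in 15 bytes including the NUL, so a later edit to that string silently reopens the overflow. Since this commit already introduces `snprintf` in list.c, the self-bounding form `snprintf(prompt, 2*FILNAMSIZ + 15, LoadFarString(PasswPrompt), zfnf, efnf);` removes that coupling, and the length check can stay as defence in depth. UzpPassword begins before the hunk and continues after it.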


@ -0,0 +1,15 @@
$OpenBSD: patch-globals_c,v 1.1 2020/03/11 21:57:32 naddy Exp $
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
--- globals.c.orig
+++ globals.c
@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
# if (!defined(NO_TIMESTAMPS))
uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
# endif
+ G.cover = NULL; /* not allocated yet */
#endif
uO.lflag=(-1);
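Review bot: `G.cover = NULL;` is inserted between `# endif` and an `#endif` whose matching `#if` lies outside the hunk, so it is compiled only when that outer condition holds; the preceding `uO.D_flag=1` line is platform-specific, which suggests a platform-guarded block. On other builds the field is NULL only if globalsCtor zeroes the whole struct earlier, which this hunk does not show, and extract.c's `if (G.cover == NULL)` test decides whether to allocate, so an indeterminate value would be used as a live cover_t. Move the assignment after the `#endif`, next to `uO.lflag=(-1);`, so it runs unconditionally. globalsCtor begins before the hunk.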


@ -0,0 +1,23 @@
$OpenBSD: patch-globals_h,v 1.1 2020/03/11 21:57:32 naddy Exp $
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
--- globals.h.orig
+++ globals.h
@@ -260,12 +260,15 @@ typedef struct Globals {
ecdir_rec ecrec; /* used in unzip.c, extract.c */
z_stat statbuf; /* used by main, mapname, check_for_newer */
+ int zip64; /* true if Zip64 info in extra field */
+
int mem_mode;
uch *outbufptr; /* extract.c static */
ulg outsize; /* extract.c static */
int reported_backslash; /* extract.c static */
int disk_full;
int newfile;
+ void **cover; /* used in extract.c for bomb detection */
int didCRlast; /* fileio static */
ulg numlines; /* fileio static: number of lines printed */
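Review bot: `void **cover` says nothing about what it points at: extract.c casts it to `cover_t *` throughout, and process.c's free_G_buffers does `free(*(G.cover))` followed by `free(G.cover)`, which is only correct because `span_t *span` is the first member of cover_t. That layout dependency belongs on the declaration so a later reordering of cover_t cannot turn the first free into a wild free, e.g. `void **cover; /* cover_t * (extract.c); process.c frees *cover, so span must stay cover_t's first member */`. The `zip64` comment should also say it is per-entry state, since process.c resets it at the top of getZip64Data on every call, e.g. `/* per-entry: reset by getZip64Data, describes the extra field last parsed */`. struct Globals begins before the hunk.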


@ -1,14 +1,16 @@
$OpenBSD: patch-list_c,v 1.1 2017/03/23 17:26:17 bluhm Exp $ $OpenBSD: patch-list_c,v 1.2 2020/03/11 21:57:32 naddy Exp $
Fix: increase size of cfactorstr array to avoid buffer overflow Fix CVE-2018-18384: increase size of cfactorstr array to avoid buffer overflow
https://bugs.debian.org/741384 https://bugs.debian.org/741384
https://sourceforge.net/p/infozip/bugs/53/
Fix CVE-2014-9913: buffer overflow in unzip Fix CVE-2014-9913: buffer overflow in unzip
https://sourceforge.net/p/infozip/bugs/27/ https://sourceforge.net/p/infozip/bugs/27/
https://bugs.debian.org/847485 https://bugs.debian.org/847485
https://launchpad.net/bugs/387350 https://launchpad.net/bugs/387350
--- list.c.orig Sun Feb 8 18:11:34 2009 Index: list.c
+++ list.c Tue Mar 21 16:10:27 2017 --- list.c.orig
+++ list.c
@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */ @@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */
{ {
int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
@ -38,3 +40,27 @@ Fix CVE-2014-9913: buffer overflow in unzip
} }
#if 0 /* GRR/Euro: add this? */ #if 0 /* GRR/Euro: add this? */
@@ -378,9 +389,9 @@ int list_files(__G) /* return PK-type error code */
}
#else /* !WINDLL */
if (cfactor == 100)
- sprintf(cfactorstr, LoadFarString(CompFactor100));
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
else
- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
if (longhdr)
Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
FmZofft(G.crec.ucsize, "8", "u"), methbuf,
@@ -460,9 +471,9 @@ int list_files(__G) /* return PK-type error code */
#else /* !WINDLL */
if (cfactor == 100)
- sprintf(cfactorstr, LoadFarString(CompFactor100));
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
else
- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
+ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
if (longhdr) {
Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),


@ -1,4 +1,4 @@
$OpenBSD: patch-process_c,v 1.3 2017/03/23 17:26:17 bluhm Exp $ $OpenBSD: patch-process_c,v 1.4 2020/03/11 21:57:32 naddy Exp $
Fix: handle the PKWare verification bit of internal attributes Fix: handle the PKWare verification bit of internal attributes
https://bugs.debian.org/630078 https://bugs.debian.org/630078
@ -8,9 +8,12 @@ Fix: do not ignore extra fields containing Unix Timestamps
https://bugs.debian.org/842993 https://bugs.debian.org/842993
Fix: restore uid and gid information when requested Fix: restore uid and gid information when requested
https://bugs.debian.org/689212 https://bugs.debian.org/689212
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
--- process.c.orig Fri Mar 6 02:25:10 2009 Index: process.c
+++ process.c Tue Mar 21 16:10:27 2017 --- process.c.orig
+++ process.c
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. - Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
@ -18,7 +21,21 @@ Fix: restore uid and gid information when requested
See the accompanying file LICENSE, version 2009-Jan-02 or later See the accompanying file LICENSE, version 2009-Jan-02 or later
(the contents of which are also included in unzip.h) for terms of use. (the contents of which are also included in unzip.h) for terms of use.
@@ -1729,6 +1729,13 @@ int process_cdir_file_hdr(__G) /* return PK-type er @@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory al
}
#endif
+ /* Free the cover span list and the cover structure. */
+ if (G.cover != NULL) {
+ free(*(G.cover));
+ free(G.cover);
+ G.cover = NULL;
+ }
+
} /* end function free_G_buffers() */
@@ -1729,6 +1736,13 @@ int process_cdir_file_hdr(__G) /* return PK-type er
else if (uO.L_flag > 1) /* let -LL force lower case for all names */ else if (uO.L_flag > 1) /* let -LL force lower case for all names */
G.pInfo->lcflag = 1; G.pInfo->lcflag = 1;
@ -32,7 +49,7 @@ Fix: restore uid and gid information when requested
/* do Amigas (AMIGA_) also have volume labels? */ /* do Amigas (AMIGA_) also have volume labels? */
if (IS_VOLID(G.crec.external_file_attributes) && if (IS_VOLID(G.crec.external_file_attributes) &&
(G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ || (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ ||
@@ -1751,6 +1758,12 @@ int process_cdir_file_hdr(__G) /* return PK-type er @@ -1751,6 +1765,12 @@ int process_cdir_file_hdr(__G) /* return PK-type er
= (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
#endif #endif
@ -45,7 +62,7 @@ Fix: restore uid and gid information when requested
return PK_COOL; return PK_COOL;
} /* end function process_cdir_file_hdr() */ } /* end function process_cdir_file_hdr() */
@@ -1888,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len) @@ -1888,48 +1908,84 @@ int getZip64Data(__G__ ef_buf, ef_len)
and a 4-byte version of disk start number. and a 4-byte version of disk start number.
Sets both local header and central header fields. Not terribly clever, Sets both local header and central header fields. Not terribly clever,
but it means that this procedure is only called in one place. but it means that this procedure is only called in one place.
@ -60,6 +77,8 @@ Fix: restore uid and gid information when requested
+#define Z64FLGS 0xffff +#define Z64FLGS 0xffff
+#define Z64FLGL 0xffffffff +#define Z64FLGL 0xffffffff
+
+ G.zip64 = FALSE;
+ +
if (ef_len == 0 || ef_buf == NULL) if (ef_len == 0 || ef_buf == NULL)
return PK_COOL; return PK_COOL;
@ -144,7 +163,16 @@ Fix: restore uid and gid information when requested
ef_buf += (eb_len + EB_HEADSIZE); ef_buf += (eb_len + EB_HEADSIZE);
ef_len -= (eb_len + EB_HEADSIZE); ef_len -= (eb_len + EB_HEADSIZE);
} }
@@ -2867,10 +2914,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos @@ -2037,6 +2093,8 @@ int getUnicodeData(__G__ ef_buf, ef_len)
(ZCONST char *)(offset + ef_buf), ULen);
G.unipath_filename[ULen] = '\0';
}
+
+ G.zip64 = TRUE;
}
/* Skip this extra field block */
@@ -2867,10 +2925,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
break; break;
case EF_IZUNIX2: case EF_IZUNIX2:
@ -160,7 +188,7 @@ Fix: restore uid and gid information when requested
#ifdef IZ_HAVE_UXUIDGID #ifdef IZ_HAVE_UXUIDGID
if (have_new_type_eb > 1) if (have_new_type_eb > 1)
break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */ break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
@@ -2886,6 +2936,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos @@ -2886,6 +2947,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
/* new 3rd generation Unix ef */ /* new 3rd generation Unix ef */
have_new_type_eb = 2; have_new_type_eb = 2;
@ -169,7 +197,7 @@ Fix: restore uid and gid information when requested
/* /*
Version 1 byte version of this extra field, currently 1 Version 1 byte version of this extra field, currently 1
UIDSize 1 byte Size of UID field UIDSize 1 byte Size of UID field
@@ -2897,7 +2949,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos @@ -2897,7 +2960,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
#ifdef IZ_HAVE_UXUIDGID #ifdef IZ_HAVE_UXUIDGID
if (eb_len >= EB_UX3_MINLEN if (eb_len >= EB_UX3_MINLEN
&& z_uidgid != NULL && z_uidgid != NULL
@ -178,7 +206,7 @@ Fix: restore uid and gid information when requested
/* only know about version 1 */ /* only know about version 1 */
{ {
uch uid_size; uch uid_size;
@@ -2906,13 +2958,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos @@ -2906,13 +2969,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
uid_size = *((EB_HEADSIZE + 1) + ef_buf); uid_size = *((EB_HEADSIZE + 1) + ef_buf);
gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf); gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
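Review bot: `G.zip64 = TRUE;` (hunk `@@ -2037,6 +2093,8 @@ int getUnicodeData`) lands after the `G.unipath_filename[ULen] = '\0';` block, i.e. in the Unicode-path extra-field handler, while the matching `G.zip64 = FALSE;` reset sits at the top of getZip64Data; the upstream commit cited in the patch header sets the flag at the end of the Zip64 block inside getZip64Data. As merged, an entry is flagged Zip64 exactly when it carries a Unicode path field, regardless of any Zip64 data. extract.c uses the flag to choose between a 16- and 24-byte data descriptor and to compare `csize >> 32`, so a streamed entry (bit 3 set) with a Unicode path would likely skip 8 bytes too many and push its recorded span over the next local header, which cover_within() then reports as an overlapped component, while a real Zip64 entry without one would skip too few. Drop the line from getUnicodeData and place `G.zip64 = TRUE;` after the last Zip64 field is parsed in getZip64Data's Zip64 extra-field block. Both functions begin before their hunks.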


@ -0,0 +1,16 @@
$OpenBSD: patch-unzip_h,v 1.1 2020/03/11 21:57:32 naddy Exp $
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
Index: unzip.h
--- unzip.h.orig
+++ unzip.h
@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
#define PK_NOZIP 9 /* zipfile not found */
#define PK_PARAM 10 /* bad or illegal parameters specified */
#define PK_FIND 11 /* no files found */
+#define PK_BOMB 12 /* likely zip bomb */
#define PK_DISK 50 /* disk full */
#define PK_EOF 51 /* unexpected EOF */