mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-21 03:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

unzip: drop 12-cve-2014-9636-test-compr-eb.patch

Browse Source 
12-cve-2014-9636-test-compr-eb.patch is same as unzip-6.0_overflow3.diff,
is to fix CVE-2014-9636

(From OE-Core rev: 43cc77f6dd1615ec6797a159647a1ad677c1df23)

(From OE-Core rev: 0a849983d066cd1beee64cef94b2c8421275b45c)

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Roy Li
2015-06-29 16:06:57 +08:00
committed by Richard Purdie
parent 3773a7d16c
commit ee88b51cf2
2 changed files with 0 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
View File

@@ -1,45 +0,0 @@
From: mancha <mancha1 AT zoho DOT com>
Date: Mon, 3 Nov 2014
Subject: Info-ZIP UnZip buffer overflow
Bug-Debian: http://bugs.debian.org/776589
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
Upstream-Status: Backport
Signed-off-by: Roy Li <rongqing.li@windriver.com>
--- a/extract.c
+++ b/extract.c
@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
uch *eb_ucptr;
int r;
ush method;
+ ush eb_compr_method;
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
@@ -2244,6 +2245,14 @@
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
return IZ_EF_TRUNC; /* no/bad compressed data! */
+ /* 2014-11-03 Michal Zalewski, SMS.
+ * For STORE method, compressed and uncompressed sizes must agree.
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+ */
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
+ return PK_ERR;
+
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||

1
meta/recipes-extended/unzip/unzip_6.0.bb
View File

@@ -14,7 +14,6 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://09-cve-2014-8139-crc-overflow.patch \
file://10-cve-2014-8140-test-compr-eb.patch \
file://11-cve-2014-8141-getzip64data.patch \
file://12-cve-2014-9636-test-compr-eb.patch \
"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"