mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: unzip: Add various fixes.
* gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch: Delete file. Replace with ... * gnu/packages/patches/unzip-overflow-long-fsize.patch: ... this new file. * gnu/packages/patches/unzip-attribs-overflow.patch, gnu/packages/patches/unzip-fix-overflows-and-infloop.patch, gnu/packages/patches/unzip-format-secure.patch: New files. * gnu/packages/patches/unzip-CVE-2014-9636.patch: Replace contents with fixed patch from Fedora. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/zip.scm (unzip)[source]: Adjust list of patches.
This commit is contained in:
parent
e91e28d60c
commit
48e4a9f32f
8 changed files with 279 additions and 47 deletions
|
@ -641,8 +641,11 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/unzip-CVE-2014-8141.patch \
|
||||
gnu/packages/patches/unzip-CVE-2014-9636.patch \
|
||||
gnu/packages/patches/unzip-allow-greater-hostver-values.patch \
|
||||
gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch \
|
||||
gnu/packages/patches/unzip-attribs-overflow.patch \
|
||||
gnu/packages/patches/unzip-fix-overflows-and-infloop.patch \
|
||||
gnu/packages/patches/unzip-format-secure.patch \
|
||||
gnu/packages/patches/unzip-initialize-symlink-flag.patch \
|
||||
gnu/packages/patches/unzip-overflow-long-fsize.patch \
|
||||
gnu/packages/patches/unzip-remove-build-date.patch \
|
||||
gnu/packages/patches/util-linux-tests.patch \
|
||||
gnu/packages/patches/upower-builddir.patch \
|
||||
|
|
|
@ -1,40 +1,28 @@
|
|||
Copied from Debian.
|
||||
Copied from Fedora.
|
||||
|
||||
From: mancha <mancha1 AT zoho DOT com>
|
||||
Date: Mon, 3 Nov 2014
|
||||
Subject: Info-ZIP UnZip buffer overflow
|
||||
Bug-Debian: http://bugs.debian.org/776589
|
||||
|
||||
By carefully crafting a corrupt ZIP archive with "extra fields" that
|
||||
purport to have compressed blocks larger than the corresponding
|
||||
uncompressed blocks in STORED no-compression mode, an attacker can
|
||||
trigger a heap overflow that can result in application crash or
|
||||
possibly have other unspecified impact.
|
||||
|
||||
This patch ensures that when extra fields use STORED mode, the
|
||||
"compressed" and uncompressed block sizes match.
|
||||
http://pkgs.fedoraproject.org/cgit/unzip.git/plain/unzip-6.0-overflow.patch?id=d18f821e
|
||||
|
||||
diff --git a/extract.c b/extract.c
|
||||
index a0a4929..9ef80b3 100644
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -2228,6 +2228,7 @@
|
||||
@@ -2214,6 +2214,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
|
||||
ulg eb_ucsize;
|
||||
uch *eb_ucptr;
|
||||
int r;
|
||||
+ ush eb_compr_method;
|
||||
+ ush method;
|
||||
|
||||
if (compr_offset < 4) /* field is not compressed: */
|
||||
return PK_OK; /* do nothing and signal OK */
|
||||
@@ -2244,6 +2245,14 @@
|
||||
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
|
||||
return IZ_EF_TRUNC; /* no/bad compressed data! */
|
||||
@@ -2223,6 +2224,12 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
|
||||
eb_size <= (compr_offset + EB_CMPRHEADLEN)))
|
||||
return IZ_EF_TRUNC; /* no compressed data! */
|
||||
|
||||
+ /* 2014-11-03 Michal Zalewski, SMS.
|
||||
+ * For STORE method, compressed and uncompressed sizes must agree.
|
||||
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
|
||||
+ */
|
||||
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
|
||||
+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
|
||||
+ return PK_ERR;
|
||||
+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
|
||||
+ if ((method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
|
||||
+ return PK_ERR; /* compressed & uncompressed
|
||||
+ * should match in STORED
|
||||
+ * method */
|
||||
+
|
||||
if (
|
||||
#ifdef INT_16BIT
|
||||
|
|
16
gnu/packages/patches/unzip-attribs-overflow.patch
Normal file
16
gnu/packages/patches/unzip-attribs-overflow.patch
Normal file
|
@ -0,0 +1,16 @@
|
|||
Copied from Fedora.
|
||||
|
||||
http://pkgs.fedoraproject.org/cgit/unzip.git/plain/unzip-6.0-attribs-overflow.patch?id=d18f821e
|
||||
|
||||
diff -up unzip60/zipinfo.c.attribs-overflow unzip60/zipinfo.c
|
||||
--- unzip60/zipinfo.c.attribs-overflow 2009-11-30 09:55:39.000000000 +0100
|
||||
+++ unzip60/zipinfo.c 2009-11-30 09:56:42.844263244 +0100
|
||||
@@ -1881,7 +1881,7 @@ static int zi_short(__G) /* return PK-
|
||||
#endif
|
||||
int k, error, error_in_archive=PK_COOL;
|
||||
unsigned hostnum, hostver, methid, methnum, xattr;
|
||||
- char *p, workspace[12], attribs[16];
|
||||
+ char *p, workspace[12], attribs[17];
|
||||
char methbuf[5];
|
||||
static ZCONST char dtype[5]="NXFS"; /* normal, maximum, fast, superfast */
|
||||
static ZCONST char Far os[NUM_HOSTS+1][4] = {
|
108
gnu/packages/patches/unzip-fix-overflows-and-infloop.patch
Normal file
108
gnu/packages/patches/unzip-fix-overflows-and-infloop.patch
Normal file
|
@ -0,0 +1,108 @@
|
|||
Copied from Fedora.
|
||||
|
||||
http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e
|
||||
|
||||
From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Stodulka <pstodulk@redhat.com>
|
||||
Date: Mon, 14 Sep 2015 18:23:17 +0200
|
||||
Subject: [PATCH 1/3] upstream fix for heap overflow
|
||||
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=1073002
|
||||
---
|
||||
crypt.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypt.c b/crypt.c
|
||||
index 784e411..a8975f2 100644
|
||||
--- a/crypt.c
|
||||
+++ b/crypt.c
|
||||
@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
|
||||
GLOBAL(pInfo->encrypted) = FALSE;
|
||||
defer_leftover_input(__G);
|
||||
for (n = 0; n < RAND_HEAD_LEN; n++) {
|
||||
- b = NEXTBYTE;
|
||||
+ /* 2012-11-23 SMS. (OUSPG report.)
|
||||
+ * Quit early if compressed size < HEAD_LEN. The resulting
|
||||
+ * error message ("unable to get password") could be improved,
|
||||
+ * but it's better than trying to read nonexistent data, and
|
||||
+ * then continuing with a negative G.csize. (See
|
||||
+ * fileio.c:readbyte()).
|
||||
+ */
|
||||
+ if ((b = NEXTBYTE) == (ush)EOF)
|
||||
+ {
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
h[n] = (uch)b;
|
||||
Trace((stdout, " (%02x)", h[n]));
|
||||
}
|
||||
--
|
||||
2.4.6
|
||||
|
||||
|
||||
From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Mon, 14 Sep 2015 18:24:56 +0200
|
||||
Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data
|
||||
|
||||
Bug: https://sourceforge.net/p/infozip/patches/23/
|
||||
---
|
||||
extract.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/extract.c b/extract.c
|
||||
index 7134bfe..29db027 100644
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -2733,6 +2733,12 @@ __GDEF
|
||||
int repeated_buf_err;
|
||||
bz_stream bstrm;
|
||||
|
||||
+ if (G.incnt <= 0 && G.csize <= 0L) {
|
||||
+ /* avoid an infinite loop */
|
||||
+ Trace((stderr, "UZbunzip2() got empty input\n"));
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
|
||||
if (G.redirect_slide)
|
||||
wsize = G.redirect_size, redirSlide = G.redirect_buffer;
|
||||
--
|
||||
2.4.6
|
||||
|
||||
|
||||
From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Tue, 22 Sep 2015 18:52:23 +0200
|
||||
Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input
|
||||
|
||||
Suggested-by: Stefan Cornelius
|
||||
---
|
||||
extract.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extract.c b/extract.c
|
||||
index 29db027..b9ae667 100644
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
|
||||
if (G.lrec.compression_method == STORED) {
|
||||
zusz_t csiz_decrypted = G.lrec.csize;
|
||||
|
||||
- if (G.pInfo->encrypted)
|
||||
+ if (G.pInfo->encrypted) {
|
||||
+ if (csiz_decrypted <= 12) {
|
||||
+ /* handle the error now to prevent unsigned overflow */
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarStringSmall(ErrUnzipNoFile),
|
||||
+ LoadFarString(InvalidComprData),
|
||||
+ LoadFarStringSmall2(Inflate)));
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
csiz_decrypted -= 12;
|
||||
+ }
|
||||
if (G.lrec.ucsize != csiz_decrypted) {
|
||||
Info(slide, 0x401, ((char *)slide,
|
||||
LoadFarStringSmall2(WrnStorUCSizCSizDiff),
|
||||
--
|
||||
2.5.2
|
||||
|
94
gnu/packages/patches/unzip-format-secure.patch
Normal file
94
gnu/packages/patches/unzip-format-secure.patch
Normal file
|
@ -0,0 +1,94 @@
|
|||
Copied from Fedora.
|
||||
|
||||
http://pkgs.fedoraproject.org/cgit/unzip.git/plain/unzip-6.0-format-secure.patch?id=d18f821e
|
||||
|
||||
diff --git a/extract.c b/extract.c
|
||||
index eeb2f57..a0a4929 100644
|
||||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -472,8 +472,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
|
||||
*/
|
||||
Info(slide, 0x401, ((char *)slide,
|
||||
LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1));
|
||||
- Info(slide, 0x401, ((char *)slide,
|
||||
- LoadFarString(ReportMsg)));
|
||||
+ Info(slide, 0x401,
|
||||
+ ((char *)slide,"%s", LoadFarString(ReportMsg)));
|
||||
error_in_archive = PK_BADERR;
|
||||
}
|
||||
reached_end = TRUE; /* ...so no more left to do */
|
||||
@@ -752,8 +752,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
|
||||
|
||||
#ifndef SFX
|
||||
if (no_endsig_found) { /* just to make sure */
|
||||
- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
|
||||
- Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg)));
|
||||
+ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg)));
|
||||
+ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(ReportMsg)));
|
||||
if (!error_in_archive) /* don't overwrite stronger error */
|
||||
error_in_archive = PK_WARN;
|
||||
}
|
||||
diff --git a/list.c b/list.c
|
||||
index 15e0011..f7359c3 100644
|
||||
--- a/list.c
|
||||
+++ b/list.c
|
||||
@@ -181,7 +181,7 @@ int list_files(__G) /* return PK-type error code */
|
||||
Info(slide, 0x401,
|
||||
((char *)slide, LoadFarString(CentSigMsg), j));
|
||||
Info(slide, 0x401,
|
||||
- ((char *)slide, LoadFarString(ReportMsg)));
|
||||
+ ((char *)slide,"%s", LoadFarString(ReportMsg)));
|
||||
return PK_BADERR; /* sig not found */
|
||||
}
|
||||
}
|
||||
@@ -507,7 +507,8 @@ int list_files(__G) /* return PK-type error code */
|
||||
&& (!G.ecrec.is_zip64_archive)
|
||||
&& (memcmp(G.sig, end_central_sig, 4) != 0)
|
||||
) { /* just to make sure again */
|
||||
- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
|
||||
+ Info(slide, 0x401,
|
||||
+ ((char *)slide,"%s", LoadFarString(EndSigMsg)));
|
||||
error_in_archive = PK_WARN; /* didn't find sig */
|
||||
}
|
||||
|
||||
@@ -591,7 +592,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */
|
||||
Info(slide, 0x401,
|
||||
((char *)slide, LoadFarString(CentSigMsg), j));
|
||||
Info(slide, 0x401,
|
||||
- ((char *)slide, LoadFarString(ReportMsg)));
|
||||
+ ((char *)slide,"%s", LoadFarString(ReportMsg)));
|
||||
return PK_BADERR; /* sig not found */
|
||||
}
|
||||
}
|
||||
@@ -674,7 +675,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */
|
||||
---------------------------------------------------------------------------*/
|
||||
|
||||
if (memcmp(G.sig, end_central_sig, 4)) { /* just to make sure again */
|
||||
- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
|
||||
+ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg)));
|
||||
error_in_archive = PK_WARN;
|
||||
}
|
||||
if (*nmember == 0L && error_in_archive <= PK_WARN)
|
||||
diff --git a/zipinfo.c b/zipinfo.c
|
||||
index 6e22cc8..ac5c61b 100644
|
||||
--- a/zipinfo.c
|
||||
+++ b/zipinfo.c
|
||||
@@ -771,7 +771,7 @@ int zipinfo(__G) /* return PK-type error code */
|
||||
Info(slide, 0x401,
|
||||
((char *)slide, LoadFarString(CentSigMsg), j));
|
||||
Info(slide, 0x401,
|
||||
- ((char *)slide, LoadFarString(ReportMsg)));
|
||||
+ ((char *)slide,"%s", LoadFarString(ReportMsg)));
|
||||
error_in_archive = PK_BADERR; /* sig not found */
|
||||
break;
|
||||
}
|
||||
@@ -960,7 +960,8 @@ int zipinfo(__G) /* return PK-type error code */
|
||||
&& (!G.ecrec.is_zip64_archive)
|
||||
&& (memcmp(G.sig, end_central_sig, 4) != 0)
|
||||
) { /* just to make sure again */
|
||||
- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
|
||||
+ Info(slide, 0x401,
|
||||
+ ((char *)slide,"%s", LoadFarString(EndSigMsg)));
|
||||
error_in_archive = PK_WARN; /* didn't find sig */
|
||||
}
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
Copied from Debian.
|
||||
|
||||
From: sms
|
||||
Subject: Increase size of cfactorstr array to avoid buffer overflow
|
||||
Bug-Debian: http://bugs.debian.org/741384
|
||||
X-Debian-version: 6.0-11
|
||||
|
||||
--- a/list.c
|
||||
+++ b/list.c
|
||||
@@ -97,7 +97,7 @@
|
||||
{
|
||||
int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
|
||||
#ifndef WINDLL
|
||||
- char sgn, cfactorstr[10];
|
||||
+ char sgn, cfactorstr[12];
|
||||
int longhdr=(uO.vflag>1);
|
||||
#endif
|
||||
int date_format;
|
38
gnu/packages/patches/unzip-overflow-long-fsize.patch
Normal file
38
gnu/packages/patches/unzip-overflow-long-fsize.patch
Normal file
|
@ -0,0 +1,38 @@
|
|||
Copied from Fedora.
|
||||
|
||||
http://pkgs.fedoraproject.org/cgit/unzip.git/plain/unzip-6.0-overflow-long-fsize.patch?id=d18f821e
|
||||
|
||||
diff --git a/list.c b/list.c
|
||||
index f7359c3..4c3d703 100644
|
||||
--- a/list.c
|
||||
+++ b/list.c
|
||||
@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */
|
||||
{
|
||||
int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
|
||||
#ifndef WINDLL
|
||||
- char sgn, cfactorstr[10];
|
||||
+ char sgn, cfactorstr[13];
|
||||
int longhdr=(uO.vflag>1);
|
||||
#endif
|
||||
int date_format;
|
||||
@@ -339,7 +339,19 @@ int list_files(__G) /* return PK-type error code */
|
||||
G.crec.compression_method == ENHDEFLATED) {
|
||||
methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
|
||||
} else if (methnum >= NUM_METHODS) {
|
||||
- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
|
||||
+ /* 2013-02-26 SMS.
|
||||
+ * http://sourceforge.net/tracker/?func=detail
|
||||
+ * &aid=2861648&group_id=118012&atid=679786
|
||||
+ * Unexpectedly large compression methods overflow
|
||||
+ * &methbuf[]. Use the old, three-digit decimal format
|
||||
+ * for values which fit. Otherwise, sacrifice the
|
||||
+ * colon, and use four-digit hexadecimal.
|
||||
+ */
|
||||
+ if (G.crec.compression_method <= 999) {
|
||||
+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
|
||||
+ } else {
|
||||
+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
|
||||
+ }
|
||||
}
|
||||
|
||||
#if 0 /* GRR/Euro: add this? */
|
|
@ -86,9 +86,12 @@ (define-public unzip
|
|||
"unzip-CVE-2014-8141.patch"
|
||||
"unzip-CVE-2014-9636.patch"
|
||||
"unzip-allow-greater-hostver-values.patch"
|
||||
"unzip-increase-size-of-cfactorstr.patch"
|
||||
"unzip-initialize-symlink-flag.patch"
|
||||
"unzip-remove-build-date.patch")))))
|
||||
"unzip-remove-build-date.patch"
|
||||
"unzip-attribs-overflow.patch"
|
||||
"unzip-fix-overflows-and-infloop.patch"
|
||||
"unzip-format-secure.patch"
|
||||
"unzip-overflow-long-fsize.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO
|
||||
(arguments
|
||||
|
|
Loading…
Reference in a new issue