From 04e2f239720571549c27af75429f45ab33bc57f9a73fa8ee9d281d520f621296 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Wed, 27 Jun 2018 14:20:07 +0000
Subject: [PATCH] Accepting request 619404 from home:kstreitova:branches:Archiving

- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is unable to process Windows zip64 archives because Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap overflow for STORED field data [bnc#914442] [CVE-2014-9636]
- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is unable to process Windows zip64 archives because Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap overflow for STORED field data [bnc#914442] [CVE-2014-9636]
OBS-URL: https://build.opensuse.org/request/show/619404
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=49
---
 Fix-CVE-2014-9636-unzip-buffer-overflow.patch | 41 +++++++++++++++++++
 unzip-rcc.changes | 10 +++++
 unzip-rcc.spec | 4 ++
 unzip.changes | 10 +++++
 unzip.spec | 4 ++
 unzip60-total_disks_zero.patch | 24 +++++++++++
 6 files changed, 93 insertions(+)
 create mode 100644 Fix-CVE-2014-9636-unzip-buffer-overflow.patch
 create mode 100644 unzip60-total_disks_zero.patch
diff --git a/Fix-CVE-2014-9636-unzip-buffer-overflow.patch b/Fix-CVE-2014-9636-unzip-buffer-overflow.patch
new file mode 100644
index 0000000..5901e54
--- /dev/null
+++ b/Fix-CVE-2014-9636-unzip-buffer-overflow.patch
@@ -0,0 +1,41 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+--- unzip60/extract.c
++++ unzip60/extract.c
+@@ -2230,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2246,6 +2247,13 @@ static int test_compr_eb(__G__ eb, eb_si
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) &&
++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/unzip-rcc.changes b/unzip-rcc.changes
index a3dc9e2..41990b0 100644
--- a/unzip-rcc.changes
+++ b/unzip-rcc.changes
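Review bot: The STORED size check in the second inner hunk is added to test_compr_eb only, so it protects just the callers that go through this function; whether every other path that unpacks a compressed extra-field block enforces `eb_size == compr_offset + EB_CMPRHEADLEN + eb_ucsize` is not visible here and should be confirmed, or the check moved next to the copy itself. The new branch returns `PK_ERR` while the neighbouring malformed-field test returns `IZ_EF_TRUNC`; if the difference is intended, a word in the comment would help. I would also put the explanation above the test as one comment, `/* STORED: stored and declared uncompressed sizes must match, otherwise the heap buffer is overrun */`, and brace the `return PK_ERR;`. test_compr_eb starts and ends outside the hunk.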
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jun 27 11:39:10 UTC 2018 - kstreitova@suse.com
+
+- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is
+ unable to process Windows zip64 archives because Windows
+ archivers set total_disks field to 0 but per standard, valid
+ values are 1 and higher [bnc#910683]
+- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap
+ overflow for STORED field data [bnc#914442] [CVE-2014-9636]
+
 -------------------------------------------------------------------
 Wed May 16 19:44:45 UTC 2018 - antoine.belvire@opensuse.org
 
diff --git a/unzip-rcc.spec b/unzip-rcc.spec
index 85288f4..2e838c1 100644
--- a/unzip-rcc.spec
+++ b/unzip-rcc.spec
@@ -57,6 +57,8 @@ Patch16: CVE-2015-7697.patch
 Patch17: CVE-2016-9844.patch
 Patch18: CVE-2014-9913.patch
 Patch19: CVE-2018-1000035.patch
+Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch
+Patch21: unzip60-total_disks_zero.patch
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
 Recommends: %{_name}-doc
@@ -100,6 +102,8 @@ functionality. This version can also extract encrypted archives.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p0
+%patch20 -p1
+%patch21 -p1
 
 %build
 export RPM_OPT_FLAGS="%{optflags} \
diff --git a/unzip.changes b/unzip.changes
index a3dc9e2..41990b0 100644
--- a/unzip.changes
+++ b/unzip.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jun 27 11:39:10 UTC 2018 - kstreitova@suse.com
+
+- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is
+ unable to process Windows zip64 archives because Windows
+ archivers set total_disks field to 0 but per standard, valid
+ values are 1 and higher [bnc#910683]
+- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap
+ overflow for STORED field data [bnc#914442] [CVE-2014-9636]
+
 -------------------------------------------------------------------
 Wed May 16 19:44:45 UTC 2018 - antoine.belvire@opensuse.org
 
diff --git a/unzip.spec b/unzip.spec
index 66cd178..84b319b 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -57,6 +57,8 @@ Patch16: CVE-2015-7697.patch
 Patch17: CVE-2016-9844.patch
 Patch18: CVE-2014-9913.patch
 Patch19: CVE-2018-1000035.patch
+Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch
+Patch21: unzip60-total_disks_zero.patch
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
 Recommends: %{_name}-doc
@@ -100,6 +102,8 @@ functionality. This version can also extract encrypted archives.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p0
+%patch20 -p1
+%patch21 -p1
 
 %build
 export RPM_OPT_FLAGS="%{optflags} \
diff --git a/unzip60-total_disks_zero.patch b/unzip60-total_disks_zero.patch
new file mode 100644
index 0000000..91a32ae
--- /dev/null
+++ b/unzip60-total_disks_zero.patch
@@ -0,0 +1,24 @@
+Index: unzip60/process.c
+===================================================================
+--- unzip60.orig/process.c
++++ unzip60/process.c
+@@ -1286,7 +1286,8 @@ static int find_ecrec64(__G__ searchlen)
+ G.ecrec.number_this_disk, ecloc64_total_disks); fflush(stdout);
+ #endif
+ if ((G.ecrec.number_this_disk != 0xFFFF) &&
+- (G.ecrec.number_this_disk != ecloc64_total_disks - 1)) {
++ (G.ecrec.number_this_disk != ecloc64_total_disks - 1) &&
++ (ecloc64_total_disks != 0)) {
+ /* Note: For some unknown reason, the developers at PKWARE decided to
+ store the "zip64 total disks" value as a counter starting from 1,
+ whereas all other "split/span volume" related fields use 0-based
+@@ -1296,6 +1297,9 @@ static int find_ecrec64(__G__ searchlen)
+ When this is not the case, the found ecrec64 locator cannot be valid.
+ -> This is not a Zip64 archive.
+ */
++ /* There are archive creators that put 0 in total disks when it should
++ be 1. We should handle this. This is done by the added check above.
++ */
+ Trace((stderr,
+ "\ninvalid ECLOC64, differing disk# (ECR %u, ECL64 %lu)\n",
+ G.ecrec.number_this_disk, ecloc64_total_disks - 1));
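Review bot: The added `(ecloc64_total_disks != 0)` term in the first inner hunk switches off the disk-number consistency test for every value of `G.ecrec.number_this_disk`, although the comment in the second inner hunk only argues that a stored 0 should be read as 1. Reading zero as a one-disk archive would keep the test for any non-zero disk number: use `!((ecloc64_total_disks == 0) && (G.ecrec.number_this_disk == 0))` in place of `(ecloc64_total_disks != 0)`. The new comment's "the added check above" only makes sense while reading the patch, so naming the condition it refers to would age better. find_ecrec64 starts and ends outside the hunk.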