Accepting request 508580 from home:NicoK:branches:Archiving

apply newer version of Fix-CVE-2014-8139-unzip.patch that fixes jar file testing, taken from Fedora

OBS-URL: https://build.opensuse.org/request/show/508580
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=43

Fix-CVE-2014-8139-unzip.patch

@@ -1,15 +1,5 @@
-From 916cf1e7907f9d660bd160eb9a84f6e1cab3af5a Mon Sep 17 00:00:00 2001
-From: Thorsten Behrens <tbehrens@suse.com>
-Date: Sat, 20 Dec 2014 00:24:54 +0100
-Subject: [PATCH 1/2] Fix CVE-2014-8139 unzip
-
-Fix heap overflow condition in the CRC32 verification.
----
- extract.c | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
 diff --git a/extract.c b/extract.c
-index 9582da5..78f637e 100644
+index 9ef80b3..c741b5f 100644
 --- a/extract.c
 +++ b/extract.c
 @@ -1,5 +1,5 @@
@@ -23,12 +13,12 @@ index 9582da5..78f637e 100644
  #ifndef SFX
     static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
       EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
 +     EF block length (%u bytes) invalid (< %d)\n";
     static ZCONST char Far InvalidComprDataEAs[] =
       " invalid compressed data for EAs\n";
  #  if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
+@@ -2020,7 +2022,8 @@ static int TestExtraField(__G__ ef, ef_len)
          ebID = makeword(ef);
          ebLen = (unsigned)makeword(ef+EB_LEN);
  
@@ -38,23 +28,51 @@ index 9582da5..78f637e 100644
             /* Discovered some extra field inconsistency! */
              if (uO.qflag)
                  Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_len)
-               ebLen, (ef_len - EB_HEADSIZE)));
-             return PK_ERR;
-         }
-+        else if (ebLen < EB_HEADSIZE)
-+        {
-+            /* Extra block length smaller than header length. */
-+            if (uO.qflag)
-+                Info(slide, 1, ((char *)slide, "%-22s ",
-+                  FnFilter1(G.filename)));
-+            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+              ebLen, EB_HEADSIZE));
-+            return PK_ERR;
-+        }
+@@ -2155,11 +2158,29 @@ static int TestExtraField(__G__ ef, ef_len)
+                 }
+                 break;
+             case EF_PKVMS:
+-                if (makelong(ef+EB_HEADSIZE) !=
+-                    crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+-                          (extent)(ebLen-4)))
+-                    Info(slide, 1, ((char *)slide,
+-                      LoadFarString(BadCRC_EAs)));
++                /* 2015-01-30 SMS.  Added sufficient-bytes test/message
++                 * here.  (Removed defective ebLen test above.)
++                 *
++                 * If sufficient bytes (EB_PKVMS_MINLEN) are available,
++                 * then compare the stored CRC value with the calculated
++                 * CRC for the remainder of the data (and complain about
++                 * a mismatch).
++                 */
++                if (ebLen < EB_PKVMS_MINLEN)
++                {
++                    /* Insufficient bytes available. */
++                    Info( slide, 1,
++                     ((char *)slide, LoadFarString( TooSmallEBlength),
++                     ebLen, EB_PKVMS_MINLEN));
++                }
++                else if (makelong(ef+ EB_HEADSIZE) !=
++                 crc32(CRCVAL_INITIAL,
++                 (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN),
++                 (extent)(ebLen- EB_PKVMS_MINLEN)))
++                {
++                     Info(slide, 1, ((char *)slide,
++                       LoadFarString(BadCRC_EAs)));
++                }
+                 break;
+             case EF_PKW32:
+             case EF_PKUNIX:
+diff --git a/unzpriv.h b/unzpriv.h
+index 005cee0..5c83a6e 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -1806,6 +1806,8 @@
+ #define EB_NTSD_VERSION   4    /* offset of NTSD version byte */
+ #define EB_NTSD_MAX_VER   (0)  /* maximum version # we know how to handle */
+ 
++#define EB_PKVMS_MINLEN   4    /* minimum data length of PKVMS extra block */
++
+ #define EB_ASI_CRC32      0    /* offset of ASI Unix field's crc32 checksum */
+ #define EB_ASI_MODE       4    /* offset of ASI Unix permission mode field */
  
-         switch (ebID) {
-             case EF_OS2:
--- 
-1.8.4.5
-

unzip-rcc.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Jul  6 13:25:44 UTC 2017 - nico.kruber@gmail.com
+
+- Updated Fix-CVE-2014-8139-unzip.patch: the original patch was
+  causing errors testing valid jar files:
+  $ unzip -t foo.jar
+  Archive:  foo.jar
+      testing: META-INF/               bad extra-field entry:
+        EF block length (0 bytes) invalid (< 4)
+      testing: META-INF/MANIFEST.MF     OK
+      testing: foo                      OK
+  (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
+   where the updated patch was taken from)
+
 -------------------------------------------------------------------
 Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com
 

unzip-rcc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -50,6 +50,7 @@ Patch10:        unzip-5.52-use_librcc.patch
 Patch11:        unzip-no-build-date.patch
 Patch12:        unzip-dont_call_isprint.patch
 Patch13:        Fix-CVE-2014-8139-unzip.patch
+# http://pkgs.fedoraproject.org/cgit/rpms/unzip.git/plain/unzip-6.0-cve-2014-8139.patch
 Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 Patch15:        CVE-2015-7696.patch
 Patch16:        CVE-2015-7697.patch

unzip.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Jul  6 13:25:44 UTC 2017 - nico.kruber@gmail.com
+
+- Updated Fix-CVE-2014-8139-unzip.patch: the original patch was
+  causing errors testing valid jar files:
+  $ unzip -t foo.jar
+  Archive:  foo.jar
+      testing: META-INF/               bad extra-field entry:
+        EF block length (0 bytes) invalid (< 4)
+      testing: META-INF/MANIFEST.MF     OK
+      testing: foo                      OK
+  (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
+   where the updated patch was taken from)
+
 -------------------------------------------------------------------
 Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com
 

unzip.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -50,6 +50,7 @@ Patch10:        unzip-5.52-use_librcc.patch
 Patch11:        unzip-no-build-date.patch
 Patch12:        unzip-dont_call_isprint.patch
 Patch13:        Fix-CVE-2014-8139-unzip.patch
+# http://pkgs.fedoraproject.org/cgit/rpms/unzip.git/plain/unzip-6.0-cve-2014-8139.patch
 Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 Patch15:        CVE-2015-7696.patch
 Patch16:        CVE-2015-7697.patch