pool/unzip
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
de75b402e7
unzip/Fix-CVE-2014-9636-unzip-buffer-overflow.patch
Martin Pluskal 04e2f23972 Accepting request 619404 from home:kstreitova:branches:Archiving 
- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is
  unable to process Windows zip64 archives because Windows
  archivers set total_disks field to 0 but per standard, valid
  values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap
  overflow for STORED field data [bnc#914442] [CVE-2014-9636]

- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is
  unable to process Windows zip64 archives because Windows
  archivers set total_disks field to 0 but per standard, valid
  values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap
  overflow for STORED field data [bnc#914442] [CVE-2014-9636]

OBS-URL: https://build.opensuse.org/request/show/619404
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=49
2018-06-27 14:20:07 +00:00

42 lines
1.6 KiB
Diff
Raw Blame History

From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 11 Feb 2015
Subject: Info-ZIP UnZip buffer overflow
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
---
extract.c | 7 +++++++
1 file changed, 7 insertions(+)
--- unzip60/extract.c
+++ unzip60/extract.c
@@ -2230,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si
ulg eb_ucsize;
uch *eb_ucptr;
int r;
+ ush method;
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
@@ -2246,6 +2247,13 @@ static int test_compr_eb(__G__ eb, eb_si
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
return IZ_EF_TRUNC; /* no/bad compressed data! */
+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
+ if ((method == STORED) &&
+ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
+ return PK_ERR; /* compressed & uncompressed
+ * should match in STORED
+ * method */
+
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
Reference in New Issue View Git Blame Copy Permalink