diff --git a/CVE-2015-7696.patch b/CVE-2015-7696.patch
new file mode 100644
index 0000000..113b7f5
--- /dev/null
+++ b/CVE-2015-7696.patch
@@ -0,0 +1,35 @@
+From: Petr Stodulka
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: Upstream fix for heap overflow
+Bug-Debian: https://bugs.debian.org/802162
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
+Forwarded: yes
+
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: unzip60/crypt.c
+===================================================================
+--- unzip60.orig/crypt.c
++++ unzip60/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
diff --git a/CVE-2015-7697.patch b/CVE-2015-7697.patch
new file mode 100644
index 0000000..91eba93
--- /dev/null
+++ b/CVE-2015-7697.patch
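Review bot: The early return added in the crypt.c hunk of CVE-2015-7696.patch (`return PK_ERR;` on `(ush)EOF`) leaves decrypt() after the two context lines above the loop have already set `GLOBAL(pInfo->encrypted) = FALSE` and called `defer_leftover_input(__G)`, and nothing on this exit path undoes either. The code that normally restores that state comes after the loop, outside the hunk, so it should be confirmed that the caller tolerates the half-reset state when the entry is skipped; if it does not, restore before leaving, e.g. `GLOBAL(pInfo->encrypted) = TRUE;` ahead of `return PK_ERR;`. The `(ush)EOF` test also depends on `b` being wider than a byte (its declaration is not in the hunk), which a short comment such as `/* b must be wider than uch so EOF differs from 0xFF */` would protect against a later type change.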
@@ -0,0 +1,28 @@
+From: Kamil Dudka
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: fix infinite loop when extracting empty bzip2 data
+Bug-Debian: https://bugs.debian.org/802160
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: unzip60/extract.c
+===================================================================
+--- unzip60.orig/extract.c
++++ unzip60/extract.c
+@@ -2721,6 +2721,12 @@ __GDEF
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
diff --git a/unzip-rcc.changes b/unzip-rcc.changes
index 464e497..4e5df31 100644
--- a/unzip-rcc.changes
+++ b/unzip-rcc.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Oct 12 07:24:12 UTC 2016 - josef.moellers@suse.com
+
+- When decrypting an encrypted file,
+ quit early if compressed size < HEAD_LEN.
+ When extracting avoid an infinite loop
+ if a file never finishes unzipping.
+ (bsc#950110, bsc#950111, CVE-2015-7696, CVE-2015-7697,
+ CVE-2015-7696.patch, CVE-2015-7697.patch)
+
 -------------------------------------------------------------------
 Thu Jun 16 14:58:41 UTC 2016 - tchvatal@suse.com
diff --git a/unzip-rcc.spec b/unzip-rcc.spec
index c4698d1..7afd381 100644
--- a/unzip-rcc.spec
+++ b/unzip-rcc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
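Review bot: The guard added at the top of the extract.c hunk in CVE-2015-7697.patch tests `G.incnt <= 0 && G.csize <= 0L` only once, on entry, so it covers a member whose compressed data is empty from the start; whether the decode loop further down (outside the hunk) also terminates when a truncated stream runs out of input midway cannot be seen here and is worth checking against the same bug report. The bare `return 2;` would be clearer with its meaning stated, e.g. `return 2;  /* reported by the caller as a data error */`, assuming that matches the function's existing return convention. `Trace()` appears to be a debug-only macro, so in a normal build the user-visible diagnostic depends entirely on how the caller handles that return value.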
@@ -51,6 +51,8 @@ Patch11: unzip-no-build-date.patch
 Patch12: unzip-dont_call_isprint.patch
 Patch13: Fix-CVE-2014-8139-unzip.patch
 Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
+Patch15: CVE-2015-7696.patch
+Patch16: CVE-2015-7697.patch
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Recommends: %{_name}-doc
@@ -89,6 +91,8 @@ functionality. This version can also extract encrypted archives.
 %patch12
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} \
diff --git a/unzip.changes b/unzip.changes
index 464e497..6a2ba1d 100644
--- a/unzip.changes
+++ b/unzip.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Oct 12 07:23:03 UTC 2016 - josef.moellers@suse.com
+
+- When decrypting an encrypted file,
+ quit early if compressed size < HEAD_LEN.
+ When extracting avoid an infinite loop
+ if a file never finishes unzipping.
+ (bsc#950110, bsc#950111, CVE-2015-7696, CVE-2015-7697,
+ CVE-2015-7696.patch, CVE-2015-7697.patch)
+
 -------------------------------------------------------------------
 Thu Jun 16 14:58:41 UTC 2016 - tchvatal@suse.com
diff --git a/unzip.spec b/unzip.spec
index 4ae2f4d..a599059 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,6 +51,8 @@ Patch11: unzip-no-build-date.patch
 Patch12: unzip-dont_call_isprint.patch
 Patch13: Fix-CVE-2014-8139-unzip.patch
 Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
+Patch15: CVE-2015-7696.patch
+Patch16: CVE-2015-7697.patch
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Recommends: %{_name}-doc
@@ -89,6 +91,8 @@ functionality. This version can also extract encrypted archives.
 %patch12
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} \