Accepting request 282876 from home:netsroth:branches:Archiving

OBS-URL: https://build.opensuse.org/request/show/282876
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=32

Fix-CVE-2014-8139-unzip.patch

@@ -0,0 +1,60 @@
+From 916cf1e7907f9d660bd160eb9a84f6e1cab3af5a Mon Sep 17 00:00:00 2001
+From: Thorsten Behrens <tbehrens@suse.com>
+Date: Sat, 20 Dec 2014 00:24:54 +0100
+Subject: [PATCH 1/2] Fix CVE-2014-8139 unzip
+
+Fix heap overflow condition in the CRC32 verification.
+---
+ extract.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 9582da5..78f637e 100644
+--- a/extract.c
++++ b/extract.c
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
++  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
+ #ifndef SFX
+    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++     EF block length (%u bytes) invalid (< %d)\n";
+    static ZCONST char Far InvalidComprDataEAs[] =
+      " invalid compressed data for EAs\n";
+ #  if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
+         ebID = makeword(ef);
+         ebLen = (unsigned)makeword(ef+EB_LEN);
+ 
+-        if (ebLen > (ef_len - EB_HEADSIZE)) {
++        if (ebLen > (ef_len - EB_HEADSIZE))
++        {
+            /* Discovered some extra field inconsistency! */
+             if (uO.qflag)
+                 Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_len)
+               ebLen, (ef_len - EB_HEADSIZE)));
+             return PK_ERR;
+         }
++        else if (ebLen < EB_HEADSIZE)
++        {
++            /* Extra block length smaller than header length. */
++            if (uO.qflag)
++                Info(slide, 1, ((char *)slide, "%-22s ",
++                  FnFilter1(G.filename)));
++            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
++              ebLen, EB_HEADSIZE));
++            return PK_ERR;
++        }
+ 
+         switch (ebID) {
+             case EF_OS2:
+-- 
+1.8.4.5
+

Fix-CVE-2014-8140-and-CVE-2014-8141.patch

@@ -0,0 +1,181 @@
+From 3e74a01aec1ab48c3848ac50fc2f8ed8b177b400 Mon Sep 17 00:00:00 2001
+From: Thorsten Behrens <tbehrens@suse.com>
+Date: Sat, 20 Dec 2014 01:56:42 +0100
+Subject: [PATCH] Fix CVE-2014-8140 and CVE-2014-8141
+
+CVE-2014-8140 unzip: write error (*_8349_*) shows a problem in
+extract.c:test_compr_eb()
+
+CVE-2014-8141 unzip: read errors (*_6430_*, *_3422_*) show problems in
+process.c:getZip64Data()
+---
+ extract.c | 13 +++++++++---
+ fileio.c  |  9 ++++++++-
+ process.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 69 insertions(+), 21 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 78f637e..5d27e4b 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2234,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+ 
++    /* Return no/bad-data error status if any problem is found:
++     *    1. eb_size is too small to hold the uncompressed size
++     *       (eb_ucsize).  (Else extract eb_ucsize.)
++     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
++     *    3. eb_ucsize is positive, but eb_size is too small to hold
++     *       the compressed data header.
++     */
+     if ((eb_size < (EB_UCSIZE_P + 4)) ||
+-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+-        return IZ_EF_TRUNC;               /* no compressed data! */
++     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++        return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+     if (
+ #ifdef INT_16BIT
+diff --git a/fileio.c b/fileio.c
+index a381855..de93728 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -181,6 +181,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
+ 
+ #ifdef WINDLL
+    static ZCONST char Far DiskFullQuery[] =
+@@ -2326,7 +2328,12 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+                 return PK_EOF;
+             /* Looks like here is where extra fields are read */
+-            getZip64Data(__G__ G.extra_field, length);
++            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++            {
++                Info(slide, 0x401, ((char *)slide,
++                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++                error = PK_WARN;
++            }
+ #ifdef UNICODE_SUPPORT
+             G.unipath_filename = NULL;
+             if (G.UzO.U_flag < 2) {
+diff --git a/process.c b/process.c
+index f1b7602..828c8aa 100644
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
++  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+     and a 4-byte version of disk start number.
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
++
++    2014-12-05 SMS.
++    Added checks to ensure that enough data are available before calling
++    makeint64() or makelong().  Replaced various sizeof() values with
++    simple ("4" or "8") constants.  (The Zip64 structures do not depend
++    on our variable sizes.)  Error handling is crude, but we should now
++    stay within the buffer.
+   ---------------------------------------------------------------------------*/
+ 
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+ 
+     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+       ef_len));
+ 
+-    while (ef_len >= EB_HEADSIZE) {
++    while (ef_len >= EB_HEADSIZE)
++    {
+         eb_id = makeword(EB_ID + ef_buf);
+         eb_len = makeword(EB_LEN + ef_buf);
+ 
+-        if (eb_len > (ef_len - EB_HEADSIZE)) {
+-            /* discovered some extra field inconsistency! */
++        if (eb_len > (ef_len - EB_HEADSIZE))
++        {
++            /* Extra block length exceeds remaining extra field length. */
+             Trace((stderr,
+               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+-        if (eb_id == EF_PKSZ64) {
+-
++        if (eb_id == EF_PKSZ64)
++        {
+           int offset = EB_HEADSIZE;
+ 
+-          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+-            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.ucsize);
++          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
++            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++            offset += 8;
+           }
+-          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+-            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.csize);
++
++          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
++            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++            offset += 8;
+           }
+-          if (G.crec.relative_offset_local_header == 0xffffffff){
++
++          if (G.crec.relative_offset_local_header == Z64FLGL)
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
+             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.relative_offset_local_header);
++            offset += 8;
+           }
+-          if (G.crec.disk_number_start == 0xffff){
++
++          if (G.crec.disk_number_start == Z64FLGS)
++          {
++            if (offset+ 4 > ef_len)
++              return PK_ERR;
++
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+-            offset += sizeof(G.crec.disk_number_start);
++            offset += 4;
+           }
++#if 0
++          break;                /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+         }
+ 
+-        /* Skip this extra field block */
++        /* Skip this extra field block. */
+         ef_buf += (eb_len + EB_HEADSIZE);
+         ef_len -= (eb_len + EB_HEADSIZE);
+     }
+-- 
+1.8.4.5
+

unzip-rcc.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jan 26 13:25:54 UTC 2015 - tbehrens@suse.com
+
+- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in
+  the CRC32 verification (fixes bnc#909214)
+- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error
+  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
+  read errors (*_6430_*, *_3422_*) show problems in
+  process.c:getZip64Data() (fixes bnc#909214)
+
 -------------------------------------------------------------------
 Sun Dec 21 13:43:32 UTC 2014 - meissner@suse.com
 

unzip-rcc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,6 +41,8 @@ Patch8:         unzip-open_missing_mode.patch
 Patch10:        unzip-5.52-use_librcc.patch
 Patch11:        unzip-no-build-date.patch
 Patch12:        unzip-dont_call_isprint.patch
+Patch13:        Fix-CVE-2014-8139-unzip.patch
+Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 %if %{with rcc}
 BuildRequires:  librcc-devel
 Suggests:       librcc0
@@ -87,6 +89,8 @@ functionality. This version can also extract encrypted archives.
 %endif
 %patch11
 %patch12
+%patch13 -p1
+%patch14 -p1
 
 %build
 export RPM_OPT_FLAGS="%{optflags} \

unzip.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jan 26 13:25:54 UTC 2015 - tbehrens@suse.com
+
+- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in
+  the CRC32 verification (fixes bnc#909214)
+- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error
+  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
+  read errors (*_6430_*, *_3422_*) show problems in
+  process.c:getZip64Data() (fixes bnc#909214)
+
 -------------------------------------------------------------------
 Sun Dec 21 13:43:32 UTC 2014 - meissner@suse.com
 

unzip.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,6 +41,8 @@ Patch8:         unzip-open_missing_mode.patch
 Patch10:        unzip-5.52-use_librcc.patch
 Patch11:        unzip-no-build-date.patch
 Patch12:        unzip-dont_call_isprint.patch
+Patch13:        Fix-CVE-2014-8139-unzip.patch
+Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 %if %{with rcc}
 BuildRequires:  librcc-devel
 Suggests:       librcc0
@@ -87,6 +89,8 @@ functionality. This version can also extract encrypted archives.
 %endif
 %patch11
 %patch12
+%patch13 -p1
+%patch14 -p1
 
 %build
 export RPM_OPT_FLAGS="%{optflags} \