Package: unzip
Version: 6.0-13
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu vivid ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: heap overflow via mismatched block sizes
- debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
uncompressed block sizes match when using STORED method in extract.c.
- CVE-2014-9636
Thanks for considering the patch.
-- System Information:
Debian Release: jessie/sid
APT prefers utopic-updates
APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500,
'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
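Review bot: this debian/changelog diff header has no hunk beneath it, so the changelog entry the update carries (the new version number, the CVE-2014-9636 reference and the bug-closing line) cannot be checked against the patch; please attach the complete debdiff so the entry can be reviewed alongside 12-cve-2014-9636-test-compr-eb.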
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 1969-12-31 19:00:00.000000000 -0500
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2015-01-29 11:15:34.000000000 -0500
@@ -0,0 +1,43 @@
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: unzip-6.0/extract.c
+===================================================================
+--- unzip-6.0.orig/extract.c 2015-01-29 11:15:31.118569464 -0500
++++ unzip-6.0/extract.c 2015-01-29 11:15:31.114569431 -0500
+@@ -2230,6 +2230,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2246,6 +2247,12 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
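Review bot: the new STORED comparison `eb_size - compr_offset != eb_ucsize` counts the EB_CMPRHEADLEN header bytes as part of the compressed data, while the truncation check two lines above (`eb_size <= (compr_offset + EB_CMPRHEADLEN)`) treats those bytes as a header that sits in front of the compressed data. If the stored payload really begins after that header, a well-formed field whose payload length equals eb_ucsize is rejected by this test, and the length that is actually compared with eb_ucsize is header plus payload. Either subtract the header here, e.g. `(eb_size - (compr_offset + EB_CMPRHEADLEN) != eb_ucsize)`, or add a comment stating why the raw span from compr_offset is the intended quantity. A smaller point: the new failure returns PK_ERR while the neighbouring size problem returns IZ_EF_TRUNC; using one code for both malformed-size cases would keep callers' handling uniform.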
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2014-12-25 07:37:44.000000000 -0500
+++ unzip-6.0/debian/patches/series 2015-01-29 11:25:49.000000000 -0500
@@ -9,4 +9,5 @@
09-cve-2014-8139-crc-overflow
10-cve-2014-8140-test-compr-eb
11-cve-2014-8141-getzip64data
+12-cve-2014-9636-test-compr-eb
20-unzip60-alt-iconv-utf8
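The condition the patch description above refers to, a STORED extra field whose declared uncompressed size is smaller than the number of bytes it actually carries, can be exercised with a small model of the size checks. The C program below is an added example, not code from unzip or from this bug report. It assumes the extra-field layout and the constant names used in the hunk (EB_HEADSIZE, EB_UCSIZE_P, EB_CMPRHEADLEN, STORED) and assumes that the copied payload starts after a 6-byte method-plus-CRC header; both are modelling assumptions, not facts taken from the page. `test_compr_eb()` runs the size checks with and without the added STORED comparison and reports how many bytes a STORED copy would write into the `eb_ucsize`-byte buffer; `build_stored_eb()` and `run_stored()` construct the inputs.

```c
/* Added model of the compressed-extra-field size check (CVE-2014-9636);
 * not unzip's own code. Assumed layout, constant names follow the hunk:
 *   eb[0..1] field id; eb[2..3] eb_size = length of the data after the
 *   4-byte header (EB_HEADSIZE); data[EB_UCSIZE_P..+3] = eb_ucsize (LE32);
 *   data[compr_offset..+1] = method word, then a 4-byte CRC; the payload
 *   begins EB_CMPRHEADLEN (= 6) bytes after compr_offset.               */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EB_HEADSIZE    4
#define EB_UCSIZE_P    0
#define EB_CMPRHEADLEN 6
#define STORED         0

enum eb_status { EB_OK = 0, EB_NOT_COMPRESSED, EB_TRUNC, EB_SIZE_MISMATCH };

typedef struct {
    enum eb_status status;
    unsigned long ucsize;   /* bytes the extractor would malloc()        */
    unsigned long copied;   /* bytes a STORED copy would write into them */
} eb_verdict;

static unsigned makeword(const uint8_t *p) { return p[0] | (p[1] << 8); }
static unsigned long makelong(const uint8_t *p)
{
    return (unsigned long)p[0] | ((unsigned long)p[1] << 8) |
           ((unsigned long)p[2] << 16) | ((unsigned long)p[3] << 24);
}

/* Size checks of test_compr_eb(); hardened == 0 omits the check the patch
 * adds, so copied > ucsize is the heap overflow the report describes. */
eb_verdict test_compr_eb(const uint8_t *eb, unsigned compr_offset, int hardened)
{
    eb_verdict v = { EB_OK, 0, 0 };
    unsigned eb_size = makeword(eb + 2);
    const uint8_t *data = eb + EB_HEADSIZE;
    unsigned method;
    unsigned long payload;

    if (compr_offset < 4) { v.status = EB_NOT_COMPRESSED; return v; } /* unzip: PK_OK */
    if (eb_size < EB_UCSIZE_P + 4) { v.status = EB_TRUNC; return v; }
    v.ucsize = makelong(data + EB_UCSIZE_P);
    /* The hunk applies this only when eb_ucsize > 0; the model applies it
     * unconditionally so the subtraction below cannot wrap. */
    if (eb_size <= compr_offset + EB_CMPRHEADLEN) { v.status = EB_TRUNC; return v; }

    method  = makeword(data + compr_offset);
    payload = eb_size - compr_offset - EB_CMPRHEADLEN;   /* bytes after the header */
    if (hardened && method == STORED && payload != v.ucsize) {
        v.status = EB_SIZE_MISMATCH;                     /* the patch's PK_ERR path */
        return v;
    }
    v.copied = (method == STORED) ? payload : 0;         /* only STORED is modelled */
    return v;
}

/* Construct a STORED field claiming `ucsize` uncompressed bytes but carrying
 * `payload_len` filler bytes; returns the total length, or 0 if it will not fit. */
size_t build_stored_eb(uint8_t *out, size_t cap, unsigned long ucsize, size_t payload_len)
{
    const unsigned compr_offset = 4;
    size_t eb_size = compr_offset + EB_CMPRHEADLEN + payload_len;
    size_t total = EB_HEADSIZE + eb_size;
    uint8_t *data;

    if (total > cap || eb_size > 0xFFFF) return 0;
    memset(out, 0, total);
    data = out + EB_HEADSIZE;
    out[0] = 0x09; out[1] = 0x00;                            /* constructed field id */
    out[2] = eb_size & 0xFF; out[3] = (eb_size >> 8) & 0xFF;
    data[0] = ucsize & 0xFF;         data[1] = (ucsize >> 8) & 0xFF;
    data[2] = (ucsize >> 16) & 0xFF; data[3] = (ucsize >> 24) & 0xFF;
    data[compr_offset] = STORED;     data[compr_offset + 1] = 0;   /* CRC left zero */
    memset(data + compr_offset + EB_CMPRHEADLEN, 'A', payload_len);
    return total;
}

/* Build a field with the given sizes into a scratch buffer and check it. */
eb_verdict run_stored(unsigned long ucsize, size_t payload_len, unsigned compr_offset, int hardened)
{
    uint8_t buf[256];
    eb_verdict v = { EB_TRUNC, 0, 0 };
    if (build_stored_eb(buf, sizeof buf, ucsize, payload_len) == 0)
        return v;                                /* does not fit the scratch buffer */
    return test_compr_eb(buf, compr_offset, hardened);
}

int main(void)
{
    eb_verdict v = run_stored(16, 16, 4, 1);     /* well-formed field */
    printf("valid:              status=%d ucsize=%lu copied=%lu\n", v.status, v.ucsize, v.copied);
    v = run_stored(4, 64, 4, 0);                 /* claims 4 bytes, carries 64 */
    printf("crafted, unpatched: status=%d ucsize=%lu copied=%lu (%lu bytes past the buffer)\n",
           v.status, v.ucsize, v.copied, v.copied - v.ucsize);
    v = run_stored(4, 64, 4, 1);
    printf("crafted, patched:   status=%d (rejected before any copy)\n", v.status);
    return 0;
}
```

Because the payload length is taken after the 6-byte header, the model's comparison is the one the reviewer note on the hunk asks about; a field built by `build_stored_eb()` with matching sizes is accepted, and the crafted field is refused before the extractor would allocate or copy anything.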