Your message dated Wed, 04 Feb 2015 21:07:19 +0100
with message-id <[email protected]>
and subject line Re: Bug#777076: unblock: unzip/6.0-16
has caused the Debian Bug report #777076,
regarding unblock: unzip/6.0-16
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
777076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777076
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi Release Team!
unzip/6.0-15 already had an unblock, but unfortunately the
original patch for CVE-2014-8139 was defective and caused
regressions, see #775640. The update to unstable 6.0-16 fixed that
patch and refreshed the other two patches due to the changes.
Could you please also unblock this version? Here are the changes from
the version in testing:
unzip (6.0-16) unstable; urgency=medium

  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
    the right way (patch by the author). Closes: #775640.
  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
    file from the author.

 -- Santiago Vila <[email protected]>  Fri, 30 Jan 2015 22:16:08 +0100

unzip (6.0-15) unstable; urgency=medium

  * Fix heap overflow. Ensure that compressed and uncompressed
    block sizes match when using STORED method in extract.c.
    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
    For reference, this is CVE-2014-9636.

 -- Santiago Vila <[email protected]>  Thu, 29 Jan 2015 18:39:52 +0100
and attached is the debdiff.
unblock unzip/6.0-16
Thanks for considering this unblock!
Regards,
Salvatore
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog 2014-12-30 22:17:20.000000000 +0100
+++ unzip-6.0/debian/changelog 2015-01-30 22:16:15.000000000 +0100
@@ -1,3 +1,22 @@
+unzip (6.0-16) unstable; urgency=medium
+
+ * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
+ the right way (patch by the author). Closes: #775640.
+ * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
+ * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
+ file from the author.
+
+ -- Santiago Vila <[email protected]> Fri, 30 Jan 2015 22:16:08 +0100
+
+unzip (6.0-15) unstable; urgency=medium
+
+ * Fix heap overflow. Ensure that compressed and uncompressed
+ block sizes match when using STORED method in extract.c.
+ Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
+ For reference, this is CVE-2014-9636.
+
+ -- Santiago Vila <[email protected]> Thu, 29 Jan 2015 18:39:52 +0100
+
unzip (6.0-14) unstable; urgency=medium
* Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
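Review bot: the 6.0-16 entry says the 09-cve-2014-8139 patch was redone "the right way" and closes #775640, but not what the previous version got wrong; since this upload exists to repair a regression shipped by a security update, the changelog should name the regression in one line (the cover mail only says "caused regressions, see #775640") so that users reading the changelog know which archives the 6.0-15 build mishandled.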
diff -Nru unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow
--- unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow 2014-12-22 18:57:45.000000000 +0100
+++ unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow 2015-01-30 22:11:35.000000000 +0100
@@ -15,7 +15,7 @@
#ifndef SFX
static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
static ZCONST char Far InvalidComprDataEAs[] =
" invalid compressed data for EAs\n";
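Review bot: check that no user of TooSmallEFlength survives the rename to TooSmallEBlength. Within this debdiff the old name's only use is the Info() call in the `ebLen < EB_HEADSIZE` block dropped in the next hunk, and the new format (`%u` for the block length, `%d` for the minimum) matches the `ebLen, 4` arguments passed in the new EF_PKVMS call, so the rename is consistent; the patch's DEP-3 description should still mention that the user-visible error text changed from "exceeds remaining EF data" to "invalid (< N)".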
@@ -30,20 +30,24 @@
/* Discovered some extra field inconsistency! */
if (uO.qflag)
Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@
- ebLen, (ef_len - EB_HEADSIZE)));
- return PK_ERR;
- }
-+ else if (ebLen < EB_HEADSIZE)
-+ {
-+ /* Extra block length smaller than header length. */
-+ if (uO.qflag)
-+ Info(slide, 1, ((char *)slide, "%-22s ",
-+ FnFilter1(G.filename)));
-+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+ ebLen, EB_HEADSIZE));
-+ return PK_ERR;
-+ }
-
- switch (ebID) {
- case EF_OS2:
+@@ -2158,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
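Review bot: the replacement `ebLen < 4` test in the EF_PKVMS case only calls Info() and then reaches the existing `break;`, so unlike the generic block being removed (which returned PK_ERR) a too-short PKVMS block is reported but not treated as a failure; that mirrors how the adjacent BadCRC_EAs path already behaves, so it is probably deliberate, but the changelog or patch header should say so. The bound itself is the right one for this branch: makelong() reads 4 bytes at ef+EB_HEADSIZE and crc32() is handed (extent)(ebLen-4), which for ebLen < 4 would wrap to an enormous length, whereas the dropped check applied the EB_HEADSIZE bound to every block type regardless of how much data that type actually reads, which is consistent with the regression reported against it in #775640.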
diff -Nru unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb
--- unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb 2014-12-22 18:57:52.000000000 +0100
+++ unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb 2015-01-30 22:11:36.000000000 +0100
@@ -4,7 +4,7 @@
--- a/extract.c
+++ b/extract.c
-@@ -2234,10 +2234,17 @@
+@@ -2232,10 +2232,17 @@
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2015-01-30 22:11:37.000000000 +0100
@@ -0,0 +1,39 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+--- a/extract.c
++++ b/extract.c
+@@ -2228,6 +2228,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2014-11-03 Michal Zalewski, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
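Review bot: confirm the comparison `eb_size - compr_offset != eb_ucsize` against where the stored bytes actually begin. The truncation test immediately above counts the compression header as `compr_offset + EB_CMPRHEADLEN`, so if the STORED payload starts after that header, its length is `eb_size - (compr_offset + EB_CMPRHEADLEN)` and the equality as written is off by EB_CMPRHEADLEN bytes: well-formed STORED extra fields would be rejected with PK_ERR and only blocks whose payload is short by exactly that amount would pass. Please verify with a known-good archive carrying a STORED EA block before this reaches testing, since 6.0-15 already had to be reissued once for a regression. The placement is otherwise right: the check runs before any copy into the eb_ucsize buffer, returns rather than continuing, and is limited to STORED, the one method where the two sizes must agree.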
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2014-12-22 19:14:31.000000000 +0100
+++ unzip-6.0/debian/patches/series 2015-01-30 22:11:36.000000000 +0100
@@ -9,3 +9,4 @@
09-cve-2014-8139-crc-overflow
10-cve-2014-8140-test-compr-eb
11-cve-2014-8141-getzip64data
+12-cve-2014-9636-test-compr-eb
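Review bot: record the ordering dependency this line introduces. Patch 10 and the new patch 12 both edit test_compr_eb() in extract.c in the same region (patch 10's hunk now sits at line 2232, patch 12 adds lines at 2228 and 2244), so 12 must stay after 10 and any future refresh of 10 will shift 12's offsets; a note in the patch header of 12 saying it is to be applied on top of 10 would save the next maintainer a fuzzy apply.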
--- End Message ---
--- Begin Message ---
On 2015-02-04 20:59, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi Release Team!
>
> unzip/6.0-15 already had an unblock, but unfortunately the
> original patch for CVE-2014-8139 was defective and caused
> regressions, see #775640. The update to unstable 6.0-16 fixed that
> patch and refreshed the other two patches due to the changes.
>
> Could you please also unblock this version? Here are the changes from
> the version in testing:
>
> [...]
>
> and attached is the debdiff.
>
> unblock unzip/6.0-16
>
> Thanks for considering this unblock!
>
> Regards,
> Salvatore
>
Unblocked, thanks.
~Niels
--- End Message ---