Hello community,

here is the log from the commit of package unzip for openSUSE:Factory checked 
in at 2017-02-19 00:59:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/unzip (Old)
 and      /work/SRC/openSUSE:Factory/.unzip.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "unzip"

Changes:
--------
--- /work/SRC/openSUSE:Factory/unzip/unzip-rcc.changes  2016-10-14 
09:27:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.unzip.new/unzip-rcc.changes     2017-02-19 
00:59:27.420854455 +0100
@@ -2 +2,11 @@
-Wed Oct 12 07:24:12 UTC 2016 - josef.moell...@suse.com
+Wed Feb 15 08:31:05 UTC 2017 - josef.moell...@suse.com
+
+- Fixed two potential buffer overflows.
+  The patches were extracted from
+  http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and
+  http://antinode.info/ftp/info-zip/unzip60/list.c
+  (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913,
+  CVE-2016-9844.patch, CVE-2014-9913.patch)
+
+-------------------------------------------------------------------
+Wed Oct 12 07:23:03 UTC 2016 - josef.moell...@suse.com
--- /work/SRC/openSUSE:Factory/unzip/unzip.changes      2016-10-14 
09:27:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.unzip.new/unzip.changes 2017-02-19 
00:59:27.468847715 +0100
@@ -1,0 +2,10 @@
+Wed Feb 15 08:31:05 UTC 2017 - josef.moell...@suse.com
+
+- Fixed two potential buffer overflows.
+  The patches were extracted from
+  http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and
+  http://antinode.info/ftp/info-zip/unzip60/list.c
+  (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913,
+  CVE-2016-9844.patch, CVE-2014-9913.patch)
+
+-------------------------------------------------------------------

New:
----
  CVE-2014-9913.patch
  CVE-2016-9844.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ unzip-rcc.spec ++++++
--- /var/tmp/diff_new_pack.3v8qxG/_old  2017-02-19 00:59:28.116756729 +0100
+++ /var/tmp/diff_new_pack.3v8qxG/_new  2017-02-19 00:59:28.120756168 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -53,6 +53,8 @@
 Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 Patch15:        CVE-2015-7696.patch
 Patch16:        CVE-2015-7697.patch
+Patch17:        CVE-2016-9844.patch
+Patch18:        CVE-2014-9913.patch
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Recommends:     %{_name}-doc
@@ -93,6 +95,8 @@
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 
 %build
 export RPM_OPT_FLAGS="%{optflags} \

unzip.spec: same change
++++++ CVE-2014-9913.patch ++++++
Index: unzip60/list.c
===================================================================
--- unzip60.orig/list.c
+++ unzip60/list.c
@@ -339,7 +339,18 @@ int list_files(__G)    /* return PK-type
                 G.crec.compression_method == ENHDEFLATED) {
                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
             } else if (methnum >= NUM_METHODS) {
-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+               /* 2013-02-26 SMS.
+                * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
+                * Unexpectedly large compression methods overflow
+                * &methbuf[].  Use the old, three-digit decimal format
+                * for values which fit.  Otherwise, sacrifice the
+                * colon, and use four-digit hexadecimal.
+                */
+               if (G.crec.compression_method <= 999) {
+                   sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
+               } else {
+                   sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
+               }
             }
 
 #if 0       /* GRR/Euro:  add this? */
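Review bot: Both new sprintf calls still write into methbuf without a bound, and the `<= 999` split is only safe if `G.crec.compression_method` is a 16-bit type, which the hunk does not show; if the field were wider than an unsigned short, `%04X` could emit more than four digits and overrun the buffer again. The declaration of methbuf is outside the hunk (writing at &methbuf[4] implies a four-character prefix, so an 8-byte array would be the minimum, but that should be confirmed against the declaration). If the project's portability targets allow snprintf and methbuf is a local array, a bounded write removes the dependency on that arithmetic: `snprintf(&methbuf[4], sizeof methbuf - 4, "%03u", G.crec.compression_method);` and `snprintf(&methbuf[3], sizeof methbuf - 3, "%04X", G.crec.compression_method);`. The zipinfo.c hunk in CVE-2016-9844.patch has the same shape and would take the same bounded form at offsets 1 and 0. list_files continues outside the hunk.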
++++++ CVE-2015-7697.patch ++++++
--- /var/tmp/diff_new_pack.3v8qxG/_old  2017-02-19 00:59:28.184747181 +0100
+++ /var/tmp/diff_new_pack.3v8qxG/_new  2017-02-19 00:59:28.188746619 +0100
@@ -26,3 +26,16 @@
  #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
      if (G.redirect_slide)
          wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+Index: unzip60/zipinfo.c
+===================================================================
+--- unzip60.orig/zipinfo.c
++++ unzip60/zipinfo.c
+@@ -1888,7 +1888,7 @@ static int zi_short(__G)   /* return PK-
+     int         k, error, error_in_archive=PK_COOL;
+     unsigned    hostnum, hostver, methid, methnum, xattr;
+     char        *p, workspace[12], attribs[16];
+-    char        methbuf[5];
++    char        methbuf[1+5+1];       /* large enough to hold 1 character + 
an unsigned short + NUL */
+     static ZCONST char dtype[5]="NXFS"; /* normal, maximum, fast, superfast */
+     static ZCONST char Far os[NUM_HOSTS+1][4] = {
+         "fat", "ami", "vms", "unx", "cms", "atr", "hpf", "mac", "zzz",
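Review bot: The enlarged `methbuf[1+5+1]` for zi_short is added to CVE-2015-7697.patch although it belongs with the zi_short change in CVE-2016-9844.patch; keeping each CVE's fix self-contained (in CVE-2016-9844.patch or its own patch) makes it easier to audit and to drop or rebase later. As far as the visible hunks show, the enlargement is only defence in depth: with the `<= 999` split the longest write is four hex digits plus NUL at &methbuf[0], which already fits the original five bytes, so the comment `large enough to hold 1 character + an unsigned short + NUL` describes the worst case of the old unbounded `%03u` path rather than the new code. The line break after `1 character +` is presumably mail wrapping; if it is present in the patch file itself, the `+26,16` line count no longer matches and the hunk will not apply.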

++++++ CVE-2016-9844.patch ++++++
Index: unzip60/zipinfo.c
===================================================================
--- unzip60.orig/zipinfo.c
+++ unzip60/zipinfo.c
@@ -1927,7 +1927,18 @@ static int zi_short(__G)   /* return PK-
         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
         methbuf[3] = dtype[dnum];
     } else if (methnum >= NUM_METHODS) {   /* unknown */
-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+       /* 2016-12-05 SMS.
+        * https://launchpad.net/bugs/1643750  CVE-2016-9844.
+        * Unexpectedly large compression methods overflow
+        * &methbuf[].  Use the old, three-digit decimal format
+        * for values which fit.  Otherwise, sacrifice the "u",
+        * and use four-digit hexadecimal.
+        */
+       if (G.crec.compression_method <= 999) {
+           sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+       } else {
+           sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+       }
     }
 
     for (k = 0;  k < 15;  ++k)
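Review bot: The added block is indented with seven spaces where the enclosing `else if` body uses eight (compare the removed sprintf line with the new `if`), and the call spelling `sprintf( &methbuf[ 1], ...` with spaces inside the parentheses and brackets differs from the file's `sprintf(&methbuf[1], ...)`; the list.c hunk in CVE-2014-9913.patch has the same fifteen-versus-sixteen-space mismatch. Keeping an imported upstream change verbatim may be deliberate so that later upstream patches apply cleanly, but if the patch is maintained locally it would be worth re-indenting to eight spaces and writing `if (G.crec.compression_method <= 999) {` and `sprintf(&methbuf[1], "%03u", G.crec.compression_method);` in the file's own style. zi_short continues outside the hunk.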
