Hello community, here is the log from the commit of package unzip for openSUSE:Factory checked in at 2015-01-30 06:03:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/unzip (Old) and /work/SRC/openSUSE:Factory/.unzip.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unzip" Changes: -------- --- /work/SRC/openSUSE:Factory/unzip/unzip-rcc.changes 2014-12-23 11:48:37.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.unzip.new/unzip-rcc.changes 2015-01-30 06:03:17.000000000 +0100 @@ -1,0 +2,10 @@ +Mon Jan 26 13:25:54 UTC 2015 - tbehr...@suse.com + +- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in + the CRC32 verification (fixes bnc#909214) +- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error + (*_8349_*) shows a problem in extract.c:test_compr_eb(), and: + read errors (*_6430_*, *_3422_*) show problems in + process.c:getZip64Data() (fixes bnc#909214) + +------------------------------------------------------------------- unzip.changes: same change New: ---- Fix-CVE-2014-8139-unzip.patch Fix-CVE-2014-8140-and-CVE-2014-8141.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ unzip-rcc.spec ++++++ --- /var/tmp/diff_new_pack.wU5lp5/_old 2015-01-30 06:03:18.000000000 +0100 +++ /var/tmp/diff_new_pack.wU5lp5/_new 2015-01-30 06:03:18.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package unzip-rcc # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -41,6 +41,8 @@ Patch10: unzip-5.52-use_librcc.patch Patch11: unzip-no-build-date.patch Patch12: unzip-dont_call_isprint.patch +Patch13: Fix-CVE-2014-8139-unzip.patch +Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch %if %{with rcc} BuildRequires: librcc-devel Suggests: librcc0 @@ -87,6 +89,8 @@ %endif %patch11 %patch12 +%patch13 -p1 +%patch14 -p1 %build export RPM_OPT_FLAGS="%{optflags} \ ++++++ unzip.spec ++++++ --- /var/tmp/diff_new_pack.wU5lp5/_old 2015-01-30 06:03:18.000000000 +0100 +++ /var/tmp/diff_new_pack.wU5lp5/_new 2015-01-30 06:03:18.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package unzip # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -41,6 +41,8 @@ Patch10: unzip-5.52-use_librcc.patch Patch11: unzip-no-build-date.patch Patch12: unzip-dont_call_isprint.patch +Patch13: Fix-CVE-2014-8139-unzip.patch +Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch %if %{with rcc} BuildRequires: librcc-devel Suggests: librcc0 @@ -87,6 +89,8 @@ %endif %patch11 %patch12 +%patch13 -p1 +%patch14 -p1 %build export RPM_OPT_FLAGS="%{optflags} \ ++++++ Fix-CVE-2014-8139-unzip.patch ++++++ >From 916cf1e7907f9d660bd160eb9a84f6e1cab3af5a Mon Sep 17 00:00:00 2001 From: Thorsten Behrens <tbehr...@suse.com> Date: Sat, 20 Dec 2014 00:24:54 +0100 Subject: [PATCH 1/2] Fix CVE-2014-8139 unzip Fix heap overflow condition in the CRC32 verification. --- extract.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/extract.c b/extract.c index 9582da5..78f637e 100644 --- a/extract.c +++ b/extract.c @@ -1,5 +1,5 @@ /* - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. See the accompanying file LICENSE, version 2009-Jan-02 or later (the contents of which are also included in unzip.h) for terms of use. @@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] = #ifndef SFX static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; + static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) invalid (< %d)\n"; static ZCONST char Far InvalidComprDataEAs[] = " invalid compressed data for EAs\n"; # if (defined(WIN32) && defined(NTSD_EAS)) @@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len) ebID = makeword(ef); ebLen = (unsigned)makeword(ef+EB_LEN); - if (ebLen > (ef_len - EB_HEADSIZE)) { + if (ebLen > (ef_len - EB_HEADSIZE)) + { /* Discovered some extra field inconsistency! */ if (uO.qflag) Info(slide, 1, ((char *)slide, "%-22s ", @@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_len) ebLen, (ef_len - EB_HEADSIZE))); return PK_ERR; } + else if (ebLen < EB_HEADSIZE) + { + /* Extra block length smaller than header length. */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", + FnFilter1(G.filename))); + Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength), + ebLen, EB_HEADSIZE)); + return PK_ERR; + } switch (ebID) { case EF_OS2: -- 1.8.4.5 ++++++ Fix-CVE-2014-8140-and-CVE-2014-8141.patch ++++++ >From 3e74a01aec1ab48c3848ac50fc2f8ed8b177b400 Mon Sep 17 00:00:00 2001 From: Thorsten Behrens <tbehr...@suse.com> Date: Sat, 20 Dec 2014 01:56:42 +0100 Subject: [PATCH] Fix CVE-2014-8140 and CVE-2014-8141 CVE-2014-8140 unzip: write error (*_8349_*) shows a problem in extract.c:test_compr_eb() CVE-2014-8141 unzip: read errors (*_6430_*, *_3422_*) show problems in process.c:getZip64Data() --- extract.c | 13 +++++++++--- fileio.c | 9 ++++++++- process.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++---------------- 3 files changed, 69 insertions(+), 21 deletions(-) diff --git a/extract.c b/extract.c index 78f637e..5d27e4b 100644 --- a/extract.c +++ b/extract.c @@ -2234,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ + /* Return no/bad-data error status if any problem is found: + * 1. eb_size is too small to hold the uncompressed size + * (eb_ucsize). (Else extract eb_ucsize.) + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. + * 3. eb_ucsize is positive, but eb_size is too small to hold + * the compressed data header. + */ if ((eb_size < (EB_UCSIZE_P + 4)) || - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && - eb_size <= (compr_offset + EB_CMPRHEADLEN))) - return IZ_EF_TRUNC; /* no compressed data! */ + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ if ( #ifdef INT_16BIT diff --git a/fileio.c b/fileio.c index a381855..de93728 100644 --- a/fileio.c +++ b/fileio.c @@ -181,6 +181,8 @@ static ZCONST char Far FilenameTooLongTrunc[] = #endif static ZCONST char Far ExtraFieldTooLong[] = "warning: extra field too long (%d). Ignoring...\n"; +static ZCONST char Far ExtraFieldCorrupt[] = + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; #ifdef WINDLL static ZCONST char Far DiskFullQuery[] = @@ -2326,7 +2328,12 @@ int do_string(__G__ length, option) /* return PK-type error code */ if (readbuf(__G__ (char *)G.extra_field, length) == 0) return PK_EOF; /* Looks like here is where extra fields are read */ - getZip64Data(__G__ G.extra_field, length); + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { + Info(slide, 0x401, ((char *)slide, + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); + error = PK_WARN; + } #ifdef UNICODE_SUPPORT G.unipath_filename = NULL; if (G.UzO.U_flag < 2) { diff --git a/process.c b/process.c index f1b7602..828c8aa 100644 --- a/process.c +++ b/process.c @@ -1,5 +1,5 @@ /* - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. See the accompanying file LICENSE, version 2009-Jan-02 or later (the contents of which are also included in unzip.h) for terms of use. @@ -1901,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len) and a 4-byte version of disk start number. Sets both local header and central header fields. Not terribly clever, but it means that this procedure is only called in one place. + + 2014-12-05 SMS. + Added checks to ensure that enough data are available before calling + makeint64() or makelong(). Replaced various sizeof() values with + simple ("4" or "8") constants. (The Zip64 structures do not depend + on our variable sizes.) Error handling is crude, but we should now + stay within the buffer. ---------------------------------------------------------------------------*/ +#define Z64FLGS 0xffff +#define Z64FLGL 0xffffffff + if (ef_len == 0 || ef_buf == NULL) return PK_COOL; Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", ef_len)); - while (ef_len >= EB_HEADSIZE) { + while (ef_len >= EB_HEADSIZE) + { eb_id = makeword(EB_ID + ef_buf); eb_len = makeword(EB_LEN + ef_buf); - if (eb_len > (ef_len - EB_HEADSIZE)) { - /* discovered some extra field inconsistency! */ + if (eb_len > (ef_len - EB_HEADSIZE)) + { + /* Extra block length exceeds remaining extra field length. */ Trace((stderr, "getZip64Data: block length %u > rest ef_size %u\n", eb_len, ef_len - EB_HEADSIZE)); break; } - if (eb_id == EF_PKSZ64) { - + if (eb_id == EF_PKSZ64) + { int offset = EB_HEADSIZE; - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); - offset += sizeof(G.crec.ucsize); + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) + { + if (offset+ 8 > ef_len) + return PK_ERR; + + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); + offset += 8; } - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); - offset += sizeof(G.crec.csize); + + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) + { + if (offset+ 8 > ef_len) + return PK_ERR; + + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); + offset += 8; } - if (G.crec.relative_offset_local_header == 0xffffffff){ + + if (G.crec.relative_offset_local_header == Z64FLGL) + { + if (offset+ 8 > ef_len) + return PK_ERR; + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); - offset += sizeof(G.crec.relative_offset_local_header); + offset += 8; } - if (G.crec.disk_number_start == 0xffff){ + + if (G.crec.disk_number_start == Z64FLGS) + { + if (offset+ 4 > ef_len) + return PK_ERR; + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); - offset += sizeof(G.crec.disk_number_start); + offset += 4; } +#if 0 + break; /* Expect only one EF_PKSZ64 block. */ +#endif /* 0 */ } - /* Skip this extra field block */ + /* Skip this extra field block. */ ef_buf += (eb_len + EB_HEADSIZE); ef_len -= (eb_len + EB_HEADSIZE); } -- 1.8.4.5 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org