Hello community,
here is the log from the commit of package unzip for openSUSE:Factory checked
in at 2015-01-30 06:03:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/unzip (Old)
and /work/SRC/openSUSE:Factory/.unzip.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unzip"
Changes:
--------
--- /work/SRC/openSUSE:Factory/unzip/unzip-rcc.changes 2014-12-23
11:48:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.unzip.new/unzip-rcc.changes 2015-01-30
06:03:17.000000000 +0100
@@ -1,0 +2,10 @@
+Mon Jan 26 13:25:54 UTC 2015 - tbehr...@suse.com
+
+- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in
+ the CRC32 verification (fixes bnc#909214)
+- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error
+ (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
+ read errors (*_6430_*, *_3422_*) show problems in
+ process.c:getZip64Data() (fixes bnc#909214)
+
+-------------------------------------------------------------------
unzip.changes: same change
New:
----
Fix-CVE-2014-8139-unzip.patch
Fix-CVE-2014-8140-and-CVE-2014-8141.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ unzip-rcc.spec ++++++
--- /var/tmp/diff_new_pack.wU5lp5/_old 2015-01-30 06:03:18.000000000 +0100
+++ /var/tmp/diff_new_pack.wU5lp5/_new 2015-01-30 06:03:18.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package unzip-rcc
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -41,6 +41,8 @@
Patch10: unzip-5.52-use_librcc.patch
Patch11: unzip-no-build-date.patch
Patch12: unzip-dont_call_isprint.patch
+Patch13: Fix-CVE-2014-8139-unzip.patch
+Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
%if %{with rcc}
BuildRequires: librcc-devel
Suggests: librcc0
@@ -87,6 +89,8 @@
%endif
%patch11
%patch12
+%patch13 -p1
+%patch14 -p1
%build
export RPM_OPT_FLAGS="%{optflags} \
++++++ unzip.spec ++++++
--- /var/tmp/diff_new_pack.wU5lp5/_old 2015-01-30 06:03:18.000000000 +0100
+++ /var/tmp/diff_new_pack.wU5lp5/_new 2015-01-30 06:03:18.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package unzip
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -41,6 +41,8 @@
Patch10: unzip-5.52-use_librcc.patch
Patch11: unzip-no-build-date.patch
Patch12: unzip-dont_call_isprint.patch
+Patch13: Fix-CVE-2014-8139-unzip.patch
+Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
%if %{with rcc}
BuildRequires: librcc-devel
Suggests: librcc0
@@ -87,6 +89,8 @@
%endif
%patch11
%patch12
+%patch13 -p1
+%patch14 -p1
%build
export RPM_OPT_FLAGS="%{optflags} \
++++++ Fix-CVE-2014-8139-unzip.patch ++++++
>From 916cf1e7907f9d660bd160eb9a84f6e1cab3af5a Mon Sep 17 00:00:00 2001
From: Thorsten Behrens <tbehr...@suse.com>
Date: Sat, 20 Dec 2014 00:24:54 +0100
Subject: [PATCH 1/2] Fix CVE-2014-8139 unzip
Fix heap overflow condition in the CRC32 verification.
---
extract.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/extract.c b/extract.c
index 9582da5..78f637e 100644
--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
See the accompanying file LICENSE, version 2009-Jan-02 or later
(the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
#ifndef SFX
static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
static ZCONST char Far InvalidComprDataEAs[] =
" invalid compressed data for EAs\n";
# if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
ebID = makeword(ef);
ebLen = (unsigned)makeword(ef+EB_LEN);
- if (ebLen > (ef_len - EB_HEADSIZE)) {
+ if (ebLen > (ef_len - EB_HEADSIZE))
+ {
/* Discovered some extra field inconsistency! */
if (uO.qflag)
Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_len)
ebLen, (ef_len - EB_HEADSIZE)));
return PK_ERR;
}
+ else if (ebLen < EB_HEADSIZE)
+ {
+ /* Extra block length smaller than header length. */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+ FnFilter1(G.filename)));
+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+ ebLen, EB_HEADSIZE));
+ return PK_ERR;
+ }
switch (ebID) {
case EF_OS2:
--
1.8.4.5
++++++ Fix-CVE-2014-8140-and-CVE-2014-8141.patch ++++++
>From 3e74a01aec1ab48c3848ac50fc2f8ed8b177b400 Mon Sep 17 00:00:00 2001
From: Thorsten Behrens <tbehr...@suse.com>
Date: Sat, 20 Dec 2014 01:56:42 +0100
Subject: [PATCH] Fix CVE-2014-8140 and CVE-2014-8141
CVE-2014-8140 unzip: write error (*_8349_*) shows a problem in
extract.c:test_compr_eb()
CVE-2014-8141 unzip: read errors (*_6430_*, *_3422_*) show problems in
process.c:getZip64Data()
---
extract.c | 13 +++++++++---
fileio.c | 9 ++++++++-
process.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++----------------
3 files changed, 69 insertions(+), 21 deletions(-)
diff --git a/extract.c b/extract.c
index 78f637e..5d27e4b 100644
--- a/extract.c
+++ b/extract.c
@@ -2234,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_size,
compr_offset, test_uc_ebdata)
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
+ /* Return no/bad-data error status if any problem is found:
+ * 1. eb_size is too small to hold the uncompressed size
+ * (eb_ucsize). (Else extract eb_ucsize.)
+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
+ * 3. eb_ucsize is positive, but eb_size is too small to hold
+ * the compressed data header.
+ */
if ((eb_size < (EB_UCSIZE_P + 4)) ||
- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
- return IZ_EF_TRUNC; /* no compressed data! */
+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
if (
#ifdef INT_16BIT
diff --git a/fileio.c b/fileio.c
index a381855..de93728 100644
--- a/fileio.c
+++ b/fileio.c
@@ -181,6 +181,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
#endif
static ZCONST char Far ExtraFieldTooLong[] =
"warning: extra field too long (%d). Ignoring...\n";
+static ZCONST char Far ExtraFieldCorrupt[] =
+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
#ifdef WINDLL
static ZCONST char Far DiskFullQuery[] =
@@ -2326,7 +2328,12 @@ int do_string(__G__ length, option) /* return PK-type
error code */
if (readbuf(__G__ (char *)G.extra_field, length) == 0)
return PK_EOF;
/* Looks like here is where extra fields are read */
- getZip64Data(__G__ G.extra_field, length);
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+ {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+ error = PK_WARN;
+ }
#ifdef UNICODE_SUPPORT
G.unipath_filename = NULL;
if (G.UzO.U_flag < 2) {
diff --git a/process.c b/process.c
index f1b7602..828c8aa 100644
--- a/process.c
+++ b/process.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
See the accompanying file LICENSE, version 2009-Jan-02 or later
(the contents of which are also included in unzip.h) for terms of use.
@@ -1901,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
and a 4-byte version of disk start number.
Sets both local header and central header fields. Not terribly clever,
but it means that this procedure is only called in one place.
+
+ 2014-12-05 SMS.
+ Added checks to ensure that enough data are available before calling
+ makeint64() or makelong(). Replaced various sizeof() values with
+ simple ("4" or "8") constants. (The Zip64 structures do not depend
+ on our variable sizes.) Error handling is crude, but we should now
+ stay within the buffer.
---------------------------------------------------------------------------*/
+#define Z64FLGS 0xffff
+#define Z64FLGL 0xffffffff
+
if (ef_len == 0 || ef_buf == NULL)
return PK_COOL;
Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
ef_len));
- while (ef_len >= EB_HEADSIZE) {
+ while (ef_len >= EB_HEADSIZE)
+ {
eb_id = makeword(EB_ID + ef_buf);
eb_len = makeword(EB_LEN + ef_buf);
- if (eb_len > (ef_len - EB_HEADSIZE)) {
- /* discovered some extra field inconsistency! */
+ if (eb_len > (ef_len - EB_HEADSIZE))
+ {
+ /* Extra block length exceeds remaining extra field length. */
Trace((stderr,
"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
ef_len - EB_HEADSIZE));
break;
}
- if (eb_id == EF_PKSZ64) {
-
+ if (eb_id == EF_PKSZ64)
+ {
int offset = EB_HEADSIZE;
- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
- offset += sizeof(G.crec.ucsize);
+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+ {
+ if (offset+ 8 > ef_len)
+ return PK_ERR;
+
+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
+ offset += 8;
}
- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
- offset += sizeof(G.crec.csize);
+
+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
+ {
+ if (offset+ 8 > ef_len)
+ return PK_ERR;
+
+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
+ offset += 8;
}
- if (G.crec.relative_offset_local_header == 0xffffffff){
+
+ if (G.crec.relative_offset_local_header == Z64FLGL)
+ {
+ if (offset+ 8 > ef_len)
+ return PK_ERR;
+
G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
- offset += sizeof(G.crec.relative_offset_local_header);
+ offset += 8;
}
- if (G.crec.disk_number_start == 0xffff){
+
+ if (G.crec.disk_number_start == Z64FLGS)
+ {
+ if (offset+ 4 > ef_len)
+ return PK_ERR;
+
G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
- offset += sizeof(G.crec.disk_number_start);
+ offset += 4;
}
+#if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+#endif /* 0 */
}
- /* Skip this extra field block */
+ /* Skip this extra field block. */
ef_buf += (eb_len + EB_HEADSIZE);
ef_len -= (eb_len + EB_HEADSIZE);
}
--
1.8.4.5
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
