Author: bdubbs
Date: 2008-04-14 22:08:53 -0600 (Mon, 14 Apr 2008)
New Revision: 1941

Added:
   trunk/unzip/unzip-5.52-security_fix-2.patch
Log:
Add CVE-2008-0888 unzip security patch

Added: trunk/unzip/unzip-5.52-security_fix-2.patch
===================================================================
--- trunk/unzip/unzip-5.52-security_fix-2.patch                         (rev 0)
+++ trunk/unzip/unzip-5.52-security_fix-2.patch 2008-04-15 04:08:53 UTC (rev 1941)
@@ -0,0 +1,47 @@
+Submitted By: Bruce Dubbs <[EMAIL PROTECTED]>
+Date: 2008-04-14
+Initial Package Version: 5.52
+Origin: https://bugzilla.altlinux.org/attachment.cgi?id=532
+Description: The inflate_dynamic() routine (~978, inflate.c) uses a macro
+NEEDBITS() that jumps execution to a cleanup routine on error, this
+routine attempts to free() two buffers allocated during the inflate
+process. At certain locations, the NEEDBITS() macro is used while the
+pointers are not pointing to valid buffers, they are either
+uninitialised or pointing inside a block that has already been free()d
+(ie, not pointing at the block, but at a location inside it).
+
+$LastChangedBy: $
+$Date:  $
+
+--- unzip-5.52/inflate.c
++++ unzip-5.52/inflate.c
+@@ -983,6 +983,7 @@
+   unsigned l;           /* last length */
+   unsigned m;           /* mask for bit lengths table */
+   unsigned n;           /* number of lengths to get */
++  struct huft *tlp;     
+   struct huft *tl;      /* literal/length code table */
+   struct huft *td;      /* distance code table */
+   unsigned bl;          /* lookup bits for tl */
+@@ -996,6 +997,8 @@
+   int retval = 0;       /* error code returned: initialized to "no error" */
+ 
+ 
++  td = tlp = tl = (struct huft *)NULL;
++
+   /* make local bit buffer */
+   Trace((stderr, "\ndynamic block"));
+   b = G.bb;
+@@ -1047,9 +1050,9 @@
+   while (i < n)
+   {
+     NEEDBITS(bl)
+-    j = (td = tl + ((unsigned)b & m))->b;
++    j = (tlp = tl + ((unsigned)b & m))->b;
+     DUMPBITS(j)
+-    j = td->v.n;
++    j = tlp->v.n;
+     if (j < 16)                 /* length of code in bits (0..15) */
+       ll[i++] = l = j;          /* save last length in l */
+     else if (j == 16)           /* repeat last length 3 to 6 times */
+
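Review bot: The new `struct huft *tlp;` declaration in the first inflate.c hunk is the only local in that run without a comment, and nothing in the code records why the loop at -1047 must no longer reuse `td`. I would annotate it as `struct huft *tlp;      /* scratch pointer into tl; not an allocation, never freed */` so a later tidy-up does not fold it back into `td`. The NULL initialisation of `td`, `tlp` and `tl` only helps if the cleanup path that NEEDBITS() jumps to tolerates NULL pointers; that path, like the rest of inflate_dynamic(), lies outside the visible hunks, so this should be confirmed against inflate.c. The patch header's Description also does not name CVE-2008-0888, which appears only in the commit log; adding it there would keep the patch traceable once it is detached from this revision.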
