Package: unzip Version: 6.0-13 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu vivid ubuntu-patch
*** /tmp/tmp7DfOwv/bug_body In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: heap overflow via mismatched block sizes - debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and uncompressed block sizes match when using STORED method in extract.c. - CVE-2014-9636 Thanks for considering the patch. -- System Information: Debian Release: jessie/sid APT prefers utopic-updates APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb --- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 1969-12-31 19:00:00.000000000 -0500 +++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2015-01-29 11:15:34.000000000 -0500 @@ -0,0 +1,43 @@ +From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Mon, 3 Nov 2014 +Subject: Info-ZIP UnZip buffer overflow + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. + +--- + extract.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: unzip-6.0/extract.c +=================================================================== +--- unzip-6.0.orig/extract.c 2015-01-29 11:15:31.118569464 -0500 ++++ unzip-6.0/extract.c 2015-01-29 11:15:31.114569431 -0500 +@@ -2230,6 +2230,7 @@ + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2246,6 +2247,12 @@ + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ + ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series --- unzip-6.0/debian/patches/series 2014-12-25 07:37:44.000000000 -0500 +++ unzip-6.0/debian/patches/series 2015-01-29 11:25:49.000000000 -0500 @@ -9,4 +9,5 @@ 09-cve-2014-8139-crc-overflow 10-cve-2014-8140-test-compr-eb 11-cve-2014-8141-getzip64data +12-cve-2014-9636-test-compr-eb 20-unzip60-alt-iconv-utf8