Bug#776589: unzip: CVE-2014-9636 heap overflow via mismatched block sizes

[Marc Deslauriers]

Package: unzip
Version: 6.0-13
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch



*** /tmp/tmp7DfOwv/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: heap overflow via mismatched block sizes
    - debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
      uncompressed block sizes match when using STORED method in extract.c.
    - CVE-2014-9636


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 
'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb	1969-12-31 19:00:00.000000000 -0500
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb	2015-01-29 11:15:34.000000000 -0500
@@ -0,0 +1,43 @@
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: unzip-6.0/extract.c
+===================================================================
+--- unzip-6.0.orig/extract.c	2015-01-29 11:15:31.118569464 -0500
++++ unzip-6.0/extract.c	2015-01-29 11:15:31.114569431 -0500
+@@ -2230,6 +2230,7 @@
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
++    ush method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2246,6 +2247,12 @@
+      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+         return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
++    method = makeword(eb + (EB_HEADSIZE + compr_offset));
++    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++	return PK_ERR;			  /* compressed & uncompressed
++					   * should match in STORED
++					   * method */
++
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series	2014-12-25 07:37:44.000000000 -0500
+++ unzip-6.0/debian/patches/series	2015-01-29 11:25:49.000000000 -0500
@@ -9,4 +9,5 @@
 09-cve-2014-8139-crc-overflow
 10-cve-2014-8140-test-compr-eb
 11-cve-2014-8141-getzip64data
+12-cve-2014-9636-test-compr-eb
 20-unzip60-alt-iconv-utf8