Date: Tuesday, November 3, 2015 @ 08:35:37 Author: bisson Revision: 250045
fix FS#46955 Added: unzip/trunk/csiz-underflow.patch unzip/trunk/empty-input.patch unzip/trunk/nextbyte-overflow.patch Modified: unzip/trunk/PKGBUILD -------------------------+ PKGBUILD | 15 ++++++++++++--- csiz-underflow.patch | 32 ++++++++++++++++++++++++++++++++ empty-input.patch | 26 ++++++++++++++++++++++++++ nextbyte-overflow.patch | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 103 insertions(+), 3 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2015-11-03 07:29:18 UTC (rev 250044) +++ PKGBUILD 2015-11-03 07:35:37 UTC (rev 250045) @@ -6,7 +6,7 @@ pkgname=unzip pkgver=6.0 _pkgver=${pkgver/./} -pkgrel=10 +pkgrel=11 pkgdesc='For extracting and viewing files in .zip archives' url='http://www.info-zip.org/UnZip.html' arch=('i686' 'x86_64') @@ -17,13 +17,19 @@ 'cve20149636.patch' 'test_compr_eb.patch' 'getZip64Data.patch' - 'crc32.patch') + 'crc32.patch' + 'empty-input.patch' + 'csiz-underflow.patch' + 'nextbyte-overflow.patch') sha1sums=('abf7de8a4018a983590ed6f5cbd990d4740f8a22' '2852ce1a9db8d646516f8828436a44d34785a0b3' 'e8c0bc17c63eeed97ad62b86845d75c849bcf4f8' '614c3e7fa7d6da7c60ea2aa79e36f4cbd17c3824' '691d0751bf0bc98cf9f9889dee39baccabefdc4d' - '82c9fe9172779a0ee92a187d544e74e8f512b013') + '82c9fe9172779a0ee92a187d544e74e8f512b013' + '4f77b01454fd2ffa69bfad985bfbdc579ee26010' + '9f86b1115c76e527ff7a2c3771d398f024533cf9' + 'b325fac556abf169264ed5ae364b9136016e43f3') prepare() { cd "${srcdir}/${pkgname}${_pkgver}" 
@@ -33,6 +39,9 @@ patch -i ../test_compr_eb.patch # FS#43391 patch -i ../getZip64Data.patch # FS#43300 patch -i ../crc32.patch # FS#43300 + patch -p1 -i ../empty-input.patch # FS#46955 + patch -p1 -i ../csiz-underflow.patch # FS#46955 + patch -p1 -i ../nextbyte-overflow.patch # FS#46955 } build() { Added: csiz-underflow.patch =================================================================== --- csiz-underflow.patch (rev 0) +++ csiz-underflow.patch 2015-11-03 07:35:37 UTC (rev 250045) @@ -0,0 +1,32 @@ +From: Kamil Dudka <kdu...@redhat.com> +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH] extract: prevent unsigned overflow on invalid input +Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), Added: empty-input.patch =================================================================== --- empty-input.patch (rev 0) +++ empty-input.patch 2015-11-03 07:35:37 UTC (rev 250045) 
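Review bot: The three added `patch -p1` lines carry only `# FS#46955`, so a later maintainer cannot tell from prepare() which defect each patch fixes, although each patch header states it; I would write `patch -p1 -i ../empty-input.patch # FS#46955: infinite loop on empty bzip2 input`, `patch -p1 -i ../csiz-underflow.patch # FS#46955: csize underflow on encrypted STORED entries` and `patch -p1 -i ../nextbyte-overflow.patch # FS#46955: heap overflow in crypt.c`. The new lines need `-p1` because these patches use `a/`/`b/` path prefixes while the earlier ones are applied with plain `patch -i`, which is worth a short comment so nobody later "normalizes" the three lines to match their neighbours. The prepare() function starts outside the hunk.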
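Review bot: The new guard `if (csiz_decrypted <= 12)` also rejects csize == 12, which is the legitimate case of a zero-length encrypted STORED member (12-byte encryption header, ucsize 0): after the existing `csiz_decrypted -= 12` that value would compare equal to ucsize, but the guard now fails it with PK_ERR, and only values below 12 actually underflow, so the check should be `if (csiz_decrypted < 12) {`. The literal 12 is the encryption header length and would read better as the named constant crypt.c uses for the same quantity, if that macro is visible in extract.c. The message assembled here ends with `Inflate` for an entry whose method is STORED, which will mislead whoever reads the error. The enclosing function continues outside the hunk.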
@@ -0,0 +1,26 @@
+From: Kamil Dudka <kdu...@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: fix infinite loop when extracting empty bzip2 data
+Bug-Debian: https://bugs.debian.org/802160
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2728,6 +2728,12 @@
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
Added: nextbyte-overflow.patch
===================================================================
--- nextbyte-overflow.patch (rev 0)
+++ nextbyte-overflow.patch 2015-11-03 07:35:37 UTC (rev 250045)
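Review bot: The new bail-out returns the bare literal `2`, and its comment says neither what loop is being avoided nor what the caller does with that value; it looks like the code UZbunzip2 already uses for bad compressed data, but the rest of the function is outside the hunk, so that is inferred. I would expand the comment to `/* empty input: bail out rather than loop forever (Debian #802160); 2 is presumably reported by the caller as invalid compressed data -- confirm */`. The guard sits before the DLL slide-redirect setup, so it covers both output paths, which is the right place. UZbunzip2 starts and ends outside the hunk.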
@@ -0,0 +1,33 @@
+From: Petr Stodulka <pstod...@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: Upstream fix for heap overflow
+Bug-Debian: https://bugs.debian.org/802162
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
+Forwarded: yes
+
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
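Review bot: The new `return PK_ERR` leaves decrypt() after `defer_leftover_input(__G)` has already run, and if, as in upstream, the matching `undefer_input(__G)` sits just after this loop, the deferred input state is never restored on this path; either confirm the caller copes with that or leave via `undefer_input(__G); return PK_ERR;`. The test `== (ush)EOF` only works if `b` is declared `ush` (not visible here) so that readbyte()'s EOF is truncated to 0xFFFF, a value no real byte can produce, which deserves a one-line comment at the comparison. The comment text says `HEAD_LEN` while the loop bound is `RAND_HEAD_LEN`, and the braces around the single `return` do not match the surrounding style. decrypt() starts and ends outside the hunk.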