[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/02: gnu: unzip: Add fixes for CVE-2014-{8139,8140,8141}.
|
From: |
Mark H. Weaver |
|
Subject: |
02/02: gnu: unzip: Add fixes for CVE-2014-{8139,8140,8141}. |
|
Date: |
Tue, 30 Dec 2014 19:47:42 +0000 |
mhw pushed a commit to branch master
in repository guix.
commit e5da2f38c3ca8d4626c1b87e045d00d28c1bf4d0
Author: Mark H Weaver <address@hidden>
Date: Tue Dec 30 14:46:21 2014 -0500
gnu: unzip: Add fixes for CVE-2014-{8139,8140,8141}.
* gnu/packages/patches/unzip-CVE-2014-8139.patch,
gnu/packages/patches/unzip-CVE-2014-8140.patch,
gnu/packages/patches/unzip-CVE-2014-8141.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (unzip): Add patches.
---
gnu-system.am | 3 +
gnu/packages/patches/unzip-CVE-2014-8139.patch | 49 +++++++++
gnu/packages/patches/unzip-CVE-2014-8140.patch | 27 +++++
gnu/packages/patches/unzip-CVE-2014-8141.patch | 137 ++++++++++++++++++++++++
gnu/packages/zip.scm | 5 +-
5 files changed, 220 insertions(+), 1 deletions(-)
diff --git a/gnu-system.am b/gnu-system.am
index a919150..3d145b1 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -461,6 +461,9 @@ dist_patch_DATA =
\
gnu/packages/patches/texi2html-document-encoding.patch \
gnu/packages/patches/texi2html-i18n.patch \
gnu/packages/patches/udev-gir-libtool.patch \
+ gnu/packages/patches/unzip-CVE-2014-8139.patch \
+ gnu/packages/patches/unzip-CVE-2014-8140.patch \
+ gnu/packages/patches/unzip-CVE-2014-8141.patch \
gnu/packages/patches/util-linux-perl.patch \
gnu/packages/patches/vpnc-script.patch \
gnu/packages/patches/vtk-mesa-10.patch \
diff --git a/gnu/packages/patches/unzip-CVE-2014-8139.patch
b/gnu/packages/patches/unzip-CVE-2014-8139.patch
new file mode 100644
index 0000000..433efd1
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2014-8139.patch
@@ -0,0 +1,49 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+
+--- a/extract.c
++++ b/extract.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2032,6 +2035,16 @@
+ ebLen, (ef_len - EB_HEADSIZE)));
+ return PK_ERR;
+ }
++ else if (ebLen < EB_HEADSIZE)
++ {
++ /* Extra block length smaller than header length. */
++ if (uO.qflag)
++ Info(slide, 1, ((char *)slide, "%-22s ",
++ FnFilter1(G.filename)));
++ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
++ ebLen, EB_HEADSIZE));
++ return PK_ERR;
++ }
+
+ switch (ebID) {
+ case EF_OS2:
diff --git a/gnu/packages/patches/unzip-CVE-2014-8140.patch
b/gnu/packages/patches/unzip-CVE-2014-8140.patch
new file mode 100644
index 0000000..595d8d5
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2014-8140.patch
@@ -0,0 +1,27 @@
+From: sms
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: http://bugs.debian.org/773722
+
+--- a/extract.c
++++ b/extract.c
+@@ -2234,10 +2234,17 @@
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
diff --git a/gnu/packages/patches/unzip-CVE-2014-8141.patch
b/gnu/packages/patches/unzip-CVE-2014-8141.patch
new file mode 100644
index 0000000..283925f
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2014-8141.patch
@@ -0,0 +1,137 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+
---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset +
ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset +
ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm
index 29ab555..230907b 100644
--- a/gnu/packages/zip.scm
+++ b/gnu/packages/zip.scm
@@ -79,7 +79,10 @@ Compression ratios of 2:1 to 3:1 are common for text files.")
(uri (string-append
"mirror://sourceforge/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/unzip60.tar.gz"))
(sha256
(base32
- "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"))))
+ "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"))
+ (patches (list (search-patch "unzip-CVE-2014-8139.patch")
+ (search-patch "unzip-CVE-2014-8140.patch")
+ (search-patch "unzip-CVE-2014-8141.patch")))))
(build-system gnu-build-system)
;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO
(arguments