author | bsiegert <bsiegert@pkgsrc.org> | 2015-11-20 21:05:34 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2015-11-20 21:05:34 +0000 |
commit | 23c5ba03da4c6d19f49c9d2cf4b8d0bfe38f5a39 (patch) | |
tree | 463615eaefd537991f7fb44fb4e51dda67dce85f | |
parent | 8bdddccdeec28823d8d07aee7c7f102080900cb5 (diff) | |
Pullup ticket #4855 - requested by he
archivers/unzip: security fix
Revisions pulled up:
- archivers/unzip/Makefile 1.91
- archivers/unzip/distinfo 1.29
- archivers/unzip/patches/patch-crypt.c 1.1
- archivers/unzip/patches/patch-extract.c 1.3
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Nov 11 12:47:27 UTC 2015
Modified Files:
pkgsrc/archivers/unzip: Makefile distinfo
pkgsrc/archivers/unzip/patches: patch-extract.c
Added Files:
pkgsrc/archivers/unzip/patches: patch-crypt.c
Log Message:
Add patches to fix CVE-2015-7696, CVE-2015-7697, and an integer underflow.
From Debian.
Bump PKGREVISION.
-rw-r--r-- | archivers/unzip/Makefile | 4 | ||||
-rw-r--r-- | archivers/unzip/distinfo | 5 | ||||
-rw-r--r-- | archivers/unzip/patches/patch-crypt.c | 26 | ||||
-rw-r--r-- | archivers/unzip/patches/patch-extract.c | 46 |
4 files changed, 72 insertions, 9 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile index 9764f92867e..be6b91991a4 100644 --- a/archivers/unzip/Makefile +++ b/archivers/unzip/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.90 2015/06/05 12:22:28 sevan Exp $ +# $NetBSD: Makefile,v 1.90.4.1 2015/11/20 21:05:34 bsiegert Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo index 3e2133585d7..a184e361df3 100644 --- a/archivers/unzip/distinfo +++ b/archivers/unzip/distinfo @@ -1,11 +1,12 @@ -$NetBSD: distinfo,v 1.27 2015/02/11 12:35:42 wiz Exp $ +$NetBSD: distinfo,v 1.27.6.1 2015/11/20 21:05:34 bsiegert Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba Size (unzip60.tgz) = 1376845 bytes SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 -SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac +SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 +SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 diff --git a/archivers/unzip/patches/patch-crypt.c b/archivers/unzip/patches/patch-crypt.c new file mode 100644 index 00000000000..e7e6d53e174 --- /dev/null +++ b/archivers/unzip/patches/patch-crypt.c 
@@ -0,0 +1,26 @@ +$NetBSD: patch-crypt.c,v 1.1.2.2 2015/11/20 21:05:34 bsiegert Exp $ + +Bug fix for heap overflow, from Debian. +CVE-2015-7696 + +--- crypt.c.orig 2007-01-05 15:47:36.000000000 +0000 ++++ crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c index 28f43e55a20..7f6c62ff82a 100644 --- a/archivers/unzip/patches/patch-extract.c +++ b/archivers/unzip/patches/patch-extract.c @@ -1,4 +1,4 @@ -$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $ +$NetBSD: patch-extract.c,v 1.2.6.1 2015/11/20 21:05:34 bsiegert Exp $ Fixes for * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 @@ -17,6 +17,10 @@ possibly have other unspecified impact. This patch ensures that when extra fields use STORED mode, the "compressed" and uncompressed block sizes match. +* CVE-2015-7697 (from Debian) + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160 +* integer underflow + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160 --- extract.c.orig 2009-03-14 01:32:52.000000000 +0000 +++ extract.c 
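Review bot: The new early `return PK_ERR;` inside the header-read loop of decrypt() leaves `GLOBAL(pInfo->encrypted) = FALSE` and `defer_leftover_input(__G)` in effect, because both run just before the loop and nothing on the error path undoes them. The rest of decrypt() is outside this hunk, so it is not visible whether that state is normally restored after the loop; if it is, the error path should restore it too, or carry a comment explaining why callers tolerate the stale state. Separately, `(b = NEXTBYTE) == (ush)EOF` only matches if `b` is declared `ush` (the declaration is also outside the hunk); with an `int` the comparison could never be true. A short comment such as `/* b is ush, so EOF from readbyte() compares equal to (ush)EOF */` would keep a later type change from silently disabling the check.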
@@ -36,7 +40,26 @@ This patch ensures that when extra fields use STORED mode, the static ZCONST char Far InvalidComprDataEAs[] = " invalid compressed data for EAs\n"; # if (defined(WIN32) && defined(NTSD_EAS)) -@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l +@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l ebID = makeword(ef); ebLen = (unsigned)makeword(ef+EB_LEN); @@ -46,7 +69,7 @@ This patch ensures that when extra fields use STORED mode, the /* Discovered some extra field inconsistency! */ if (uO.qflag) Info(slide, 1, ((char *)slide, "%-22s ", -@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l +@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l ebLen, (ef_len - EB_HEADSIZE))); return PK_ERR; } @@ -63,7 +86,7 @@ This patch ensures that when extra fields use STORED mode, the switch (ebID) { case EF_OS2: -@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si +@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si ulg eb_ucsize; uch *eb_ucptr; int r; 
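Review bot: The new guard `if (csiz_decrypted <= 12)` in the STORED branch also rejects a compressed size of exactly 12, which is presumably what a stored, encrypted, zero-length entry has (encryption header only), so such entries would now fail with an error. `csiz_decrypted -= 12` only wraps when the value is below 12, so `if (csiz_decrypted < 12) {` is enough to prevent the unsigned underflow, and the following `G.lrec.ucsize != csiz_decrypted` comparison still catches size mismatches. The error path also passes `LoadFarStringSmall2(Inflate)` although this branch handles STORED data, which may mislead whoever triages the message. A comment naming the 12 as the encryption header length would make the bound easier to audit. extract_or_test_entrylist begins and ends outside this hunk.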
@@ -71,7 +94,7 @@ This patch ensures that when extra fields use STORED mode, the if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ -@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si +@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si eb_size <= (compr_offset + EB_CMPRHEADLEN))) return IZ_EF_TRUNC; /* no compressed data! */ @@ -85,3 +108,16 @@ This patch ensures that when extra fields use STORED mode, the if ( #ifdef INT_16BIT (((ulg)(extent)eb_ucsize) != eb_ucsize) || +@@ -2701,6 +2731,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; |
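Review bot: The guard added at the top of UZbunzip2 returns a bare `2`, and its comment says only "avoid an infinite loop", so a reader cannot tell which loop is meant or how callers interpret the code. A fuller comment would help, for example `/* no buffered input and no compressed bytes left: the decompression loop below cannot make progress; 2 is returned as the error code (meaning to be confirmed against the caller) */`. The only diagnostic goes through `Trace`, so if that macro compiles out in normal builds the failure is silent apart from the return value. The check covers only input that is already empty on entry; the function body is outside this hunk, so it is not visible whether input that runs out mid-stream terminates the loop as well.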