author | wiz <wiz@pkgsrc.org> | 2015-11-11 12:47:26 +0000 |
---|---|---|
committer | wiz <wiz@pkgsrc.org> | 2015-11-11 12:47:26 +0000 |
commit | 1e5bdb4b30640b1b8729015a0eea310801f9a6c1 (patch) | |
tree | 46f6ee227c33ee60e11dcd75551dd31f8c087afe /archivers | |
parent | 38d8d315cddf5cc1da52bb6490630b5b9811ac97 (diff) | |
download | pkgsrc-1e5bdb4b30640b1b8729015a0eea310801f9a6c1.tar.gz |
Add patches to fix CVE-2015-7696, CVE-2015-7697, and an integer underflow.
From Debian.
Bump PKGREVISION.
Diffstat (limited to 'archivers')
-rw-r--r-- | archivers/unzip/Makefile | 4 | ||||
-rw-r--r-- | archivers/unzip/distinfo | 5 | ||||
-rw-r--r-- | archivers/unzip/patches/patch-crypt.c | 26 | ||||
-rw-r--r-- | archivers/unzip/patches/patch-extract.c | 46 |
4 files changed, 72 insertions, 9 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile index 9764f92867e..249709b74f3 100644 --- a/archivers/unzip/Makefile +++ b/archivers/unzip/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.90 2015/06/05 12:22:28 sevan Exp $ +# $NetBSD: Makefile,v 1.91 2015/11/11 12:47:26 wiz Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo index a1c1aedadfb..678c7d4a259 100644 --- a/archivers/unzip/distinfo +++ b/archivers/unzip/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.28 2015/11/03 00:56:26 agc Exp $ +$NetBSD: distinfo,v 1.29 2015/11/11 12:47:26 wiz Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba @@ -6,7 +6,8 @@ SHA512 (unzip60.tgz) = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b Size (unzip60.tgz) = 1376845 bytes SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 -SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac +SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 +SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 diff --git a/archivers/unzip/patches/patch-crypt.c b/archivers/unzip/patches/patch-crypt.c new file mode 100644 index 00000000000..a4cfedd8f50 --- /dev/null +++ b/archivers/unzip/patches/patch-crypt.c 
@@ -0,0 +1,26 @@ +$NetBSD: patch-crypt.c,v 1.1 2015/11/11 12:47:27 wiz Exp $ + +Bug fix for heap overflow, from Debian. +CVE-2015-7696 + +--- crypt.c.orig 2007-01-05 15:47:36.000000000 +0000 ++++ crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c index 28f43e55a20..ce15a9ba964 100644 --- a/archivers/unzip/patches/patch-extract.c +++ b/archivers/unzip/patches/patch-extract.c @@ -1,4 +1,4 @@ -$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $ +$NetBSD: patch-extract.c,v 1.3 2015/11/11 12:47:27 wiz Exp $ Fixes for * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 @@ -17,6 +17,10 @@ possibly have other unspecified impact. This patch ensures that when extra fields use STORED mode, the "compressed" and uncompressed block sizes match. +* CVE-2015-7697 (from Debian) + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160 +* integer underflow + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160 --- extract.c.orig 2009-03-14 01:32:52.000000000 +0000 +++ extract.c 
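Review bot: In the decrypt() hunk of patch-crypt.c, the added comment promises to quit when the compressed size is below the header length, but the code never compares sizes; it reads until NEXTBYTE yields EOF and depends on `b` being an unsigned short (declared outside the hunk, presumably `ush`) for `== (ush)EOF` to match. Going by the comment's own pointer to fileio.c:readbyte(), G.csize may already be negative when this return is taken, and `pInfo->encrypted` was cleared just above the loop, so callers have to treat PK_ERR as "abandon this entry"; that cannot be confirmed from here, since the function body continues outside the hunk. I would extend the comment with a line such as `* b is ush, so EOF from NEXTBYTE compares equal to (ush)EOF; G.csize may already be negative here.` The patch header could also cite the upstream bug URL, as patch-extract.c does for its entries (`https://bugs.debian.org/<BUG_ID>`).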
@@ -36,7 +40,26 @@ This patch ensures that when extra fields use STORED mode, the static ZCONST char Far InvalidComprDataEAs[] = " invalid compressed data for EAs\n"; # if (defined(WIN32) && defined(NTSD_EAS)) -@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l +@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l ebID = makeword(ef); ebLen = (unsigned)makeword(ef+EB_LEN); @@ -46,7 +69,7 @@ This patch ensures that when extra fields use STORED mode, the /* Discovered some extra field inconsistency! */ if (uO.qflag) Info(slide, 1, ((char *)slide, "%-22s ", -@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l +@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l ebLen, (ef_len - EB_HEADSIZE))); return PK_ERR; } @@ -63,7 +86,7 @@ This patch ensures that when extra fields use STORED mode, the switch (ebID) { case EF_OS2: -@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si +@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si ulg eb_ucsize; uch *eb_ucptr; int r; 
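Review bot: The new guard in the extract_or_test_entrylist() hunk, `if (csiz_decrypted <= 12)`, also rejects a compressed size of exactly 12, where `csiz_decrypted -= 12` yields 0 without wrapping. An encrypted STORED entry that holds only the 12-byte encryption header, i.e. an empty file, therefore becomes a hard PK_ERR instead of being judged by the following `G.lrec.ucsize != csiz_decrypted` comparison. Only values below 12 underflow, so `if (csiz_decrypted < 12) {` is sufficient; the literal is presumably the quantity crypt.c calls RAND_HEAD_LEN, and the named constant would be clearer if it is visible in extract.c. The message also reuses the InvalidComprData/Inflate strings for an entry whose method is STORED, which may mislead whoever reads the error.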
@@ -71,7 +94,7 @@ This patch ensures that when extra fields use STORED mode, the if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ -@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si +@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si eb_size <= (compr_offset + EB_CMPRHEADLEN))) return IZ_EF_TRUNC; /* no compressed data! */ @@ -85,3 +108,16 @@ This patch ensures that when extra fields use STORED mode, the if ( #ifdef INT_16BIT (((ulg)(extent)eb_ucsize) != eb_ucsize) || +@@ -2701,6 +2731,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; |
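Review bot: The guard added at the top of UZbunzip2() in the last hunk returns a bare `2` and reports only through Trace(), which as far as I know is compiled in for debug builds only, so unless the caller maps that return code to a message the entry fails without any diagnostic. The comment `/* avoid an infinite loop */` does not say which loop or why empty input triggers it; something like `/* no buffered input and nothing left to read: the decompression loop below would never make progress */`, plus a word on what 2 means to the caller, would make the fix auditable. The check runs only on entry and the function body lies outside the hunk, so whether input that runs out mid-stream is handled elsewhere cannot be seen from here.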