diff options
-rw-r--r-- | archivers/unzip/Makefile | 4 | ||||
-rw-r--r-- | archivers/unzip/distinfo | 4 | ||||
-rw-r--r-- | archivers/unzip/patches/patch-extract.c | 41 |
3 files changed, 25 insertions, 24 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile index 6ab56cfcc83..8d6b6c21d1b 100644 --- a/archivers/unzip/Makefile +++ b/archivers/unzip/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.88 2015/01/06 14:12:45 wiz Exp $ +# $NetBSD: Makefile,v 1.89 2015/02/11 12:35:42 wiz Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo index 6d39c526dec..3e2133585d7 100644 --- a/archivers/unzip/distinfo +++ b/archivers/unzip/distinfo @@ -1,11 +1,11 @@ -$NetBSD: distinfo,v 1.26 2015/01/06 14:12:45 wiz Exp $ +$NetBSD: distinfo,v 1.27 2015/02/11 12:35:42 wiz Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba Size (unzip60.tgz) = 1376845 bytes SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 -SHA1 (patch-extract.c) = 8dda32c31226129464b9ef85c62051acded4642e +SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c index 09fa5053237..28f43e55a20 100644 --- a/archivers/unzip/patches/patch-extract.c +++ b/archivers/unzip/patches/patch-extract.c @@ -1,11 +1,22 @@ -$NetBSD: patch-extract.c,v 1.1 2014/12/25 16:48:33 wiz Exp $ +$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $ Fixes for * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140 * http://sf.net/projects/mancha/files/sec/unzip-6.0_overflow2.diff via http://seclists.org/oss-sec/2014/q4/1131 and - http://seclists.org/oss-sec/2014/q4/507 + http://seclists.org/oss-sec/2014/q4/507 and later version + http://sf.net/projects/mancha/files/sec/unzip-6.0_overflow3.diff via + http://www.openwall.com/lists/oss-security/2015/02/11/7 + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. --- extract.c.orig 2009-03-14 01:32:52.000000000 +0000 +++ extract.c @@ -52,7 +63,7 @@ Fixes for switch (ebID) { case EF_OS2: -@@ -2217,14 +2230,28 @@ static int test_compr_eb(__G__ eb, eb_si +@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si ulg eb_ucsize; uch *eb_ucptr; int r; @@ -60,27 +71,17 @@ Fixes for if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ +@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si + eb_size <= (compr_offset + EB_CMPRHEADLEN))) + return IZ_EF_TRUNC; /* no compressed data! */ -+ /* Return no/bad-data error status if any problem is found: -+ * 1. eb_size is too small to hold the uncompressed size -+ * (eb_ucsize). (Else extract eb_ucsize.) -+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. -+ * 3. eb_ucsize is positive, but eb_size is too small to hold -+ * the compressed data header. -+ */ - if ((eb_size < (EB_UCSIZE_P + 4)) || -- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && -- eb_size <= (compr_offset + EB_CMPRHEADLEN))) -- return IZ_EF_TRUNC; /* no compressed data! */ -+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || -+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) -+ return IZ_EF_TRUNC; /* no/bad compressed data! */ -+ + method = makeword(eb + (EB_HEADSIZE + compr_offset)); -+ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) ++ if ((method == STORED) && ++ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) + return PK_ERR; /* compressed & uncompressed + * should match in STORED + * method */ - ++ if ( #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || |