From 4c1dbaf4b6b2056cbf088d373078e87df85fc1e5 Mon Sep 17 00:00:00 2001 From: wiz Date: Thu, 25 Dec 2014 16:48:33 +0000 Subject: Add patches fixing four vulnerabilities. Bump PKGREVISION. Nudged by tez, thanks! --- archivers/unzip/Makefile | 4 +- archivers/unzip/distinfo | 5 +- archivers/unzip/patches/patch-extract.c | 86 ++++++++++++++++++++++++ archivers/unzip/patches/patch-fileio.c | 29 +++++++++ archivers/unzip/patches/patch-process.c | 112 ++++++++++++++++++++++++++++++++ 5 files changed, 233 insertions(+), 3 deletions(-) create mode 100644 archivers/unzip/patches/patch-extract.c create mode 100644 archivers/unzip/patches/patch-fileio.c create mode 100644 archivers/unzip/patches/patch-process.c (limited to 'archivers/unzip') diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile index 20866c0bd9c..89e24d2a8a2 100644 --- a/archivers/unzip/Makefile +++ b/archivers/unzip/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.86 2014/10/09 14:05:54 wiz Exp $ +# $NetBSD: Makefile,v 1.87 2014/12/25 16:48:33 wiz Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo index 98ea6d7537e..a50683c2cbd 100644 --- a/archivers/unzip/distinfo +++ b/archivers/unzip/distinfo @@ -1,8 +1,11 @@ -$NetBSD: distinfo,v 1.24 2014/05/03 11:24:19 ryoon Exp $ +$NetBSD: distinfo,v 1.25 2014/12/25 16:48:33 wiz Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba Size (unzip60.tgz) = 1376845 bytes SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 +SHA1 (patch-extract.c) = 8dda32c31226129464b9ef85c62051acded4642e +SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 +SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613 diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c new file mode 100644 index 00000000000..09fa5053237 --- /dev/null +++ b/archivers/unzip/patches/patch-extract.c @@ -0,0 +1,86 @@ +$NetBSD: patch-extract.c,v 1.1 2014/12/25 16:48:33 wiz Exp $ + +Fixes for +* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 +* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140 +* http://sf.net/projects/mancha/files/sec/unzip-6.0_overflow2.diff via + http://seclists.org/oss-sec/2014/q4/1131 and + http://seclists.org/oss-sec/2014/q4/507 + +--- extract.c.orig 2009-03-14 01:32:52.000000000 +0000 ++++ extract.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] = + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l + ebLen, (ef_len - EB_HEADSIZE))); + return PK_ERR; + } ++ else if (ebLen < EB_HEADSIZE) ++ { ++ /* Extra block length smaller than header length. */ ++ if (uO.qflag) ++ Info(slide, 1, ((char *)slide, "%-22s ", ++ FnFilter1(G.filename))); ++ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength), ++ ebLen, EB_HEADSIZE)); ++ return PK_ERR; ++ } + + switch (ebID) { + case EF_OS2: +@@ -2217,14 +2230,28 @@ static int test_compr_eb(__G__ eb, eb_si + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ + ++ /* Return no/bad-data error status if any problem is found: ++ * 1. eb_size is too small to hold the uncompressed size ++ * (eb_ucsize). (Else extract eb_ucsize.) ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. ++ * 3. eb_ucsize is positive, but eb_size is too small to hold ++ * the compressed data header. ++ */ + if ((eb_size < (EB_UCSIZE_P + 4)) || +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && +- eb_size <= (compr_offset + EB_CMPRHEADLEN))) +- return IZ_EF_TRUNC; /* no compressed data! */ ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) ++ return IZ_EF_TRUNC; /* no/bad compressed data! */ ++ ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ + + if ( + #ifdef INT_16BIT diff --git a/archivers/unzip/patches/patch-fileio.c b/archivers/unzip/patches/patch-fileio.c new file mode 100644 index 00000000000..6fda404ab62 --- /dev/null +++ b/archivers/unzip/patches/patch-fileio.c @@ -0,0 +1,29 @@ +$NetBSD: patch-fileio.c,v 1.1 2014/12/25 16:48:33 wiz Exp $ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8141 + +--- fileio.c.orig 2009-04-20 00:03:44.000000000 +0000 ++++ fileio.c +@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; ++static ZCONST char Far ExtraFieldCorrupt[] = ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; + + #ifdef WINDLL + static ZCONST char Far DiskFullQuery[] = +@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* + if (readbuf(__G__ (char *)G.extra_field, length) == 0) + return PK_EOF; + /* Looks like here is where extra fields are read */ +- getZip64Data(__G__ G.extra_field, length); ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) ++ { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); ++ error = PK_WARN; ++ } + #ifdef UNICODE_SUPPORT + G.unipath_filename = NULL; + if (G.UzO.U_flag < 2) { diff --git a/archivers/unzip/patches/patch-process.c b/archivers/unzip/patches/patch-process.c new file mode 100644 index 00000000000..cf396a971e2 --- /dev/null +++ b/archivers/unzip/patches/patch-process.c @@ -0,0 +1,112 @@ +$NetBSD: patch-process.c,v 1.1 2014/12/25 16:48:33 wiz Exp $ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8141 + +--- process.c.orig 2009-03-06 01:25:10.000000000 +0000 ++++ process.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len) + and a 4-byte version of disk start number. + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. ++ ++ 2014-12-05 SMS. ++ Added checks to ensure that enough data are available before calling ++ makeint64() or makelong(). Replaced various sizeof() values with ++ simple ("4" or "8") constants. (The Zip64 structures do not depend ++ on our variable sizes.) Error handling is crude, but we should now ++ stay within the buffer. + ---------------------------------------------------------------------------*/ + ++#define Z64FLGS 0xffff ++#define Z64FLGL 0xffffffff ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", + ef_len)); + +- while (ef_len >= EB_HEADSIZE) { ++ while (ef_len >= EB_HEADSIZE) ++ { + eb_id = makeword(EB_ID + ef_buf); + eb_len = makeword(EB_LEN + ef_buf); + +- if (eb_len > (ef_len - EB_HEADSIZE)) { +- /* discovered some extra field inconsistency! */ ++ if (eb_len > (ef_len - EB_HEADSIZE)) ++ { ++ /* Extra block length exceeds remaining extra field length. */ + Trace((stderr, + "getZip64Data: block length %u > rest ef_size %u\n", eb_len, + ef_len - EB_HEADSIZE)); + break; + } +- if (eb_id == EF_PKSZ64) { +- ++ if (eb_id == EF_PKSZ64) ++ { + int offset = EB_HEADSIZE; + +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.ucsize); ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.csize); ++ ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.relative_offset_local_header == 0xffffffff){ ++ ++ if (G.crec.relative_offset_local_header == Z64FLGL) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.relative_offset_local_header); ++ offset += 8; + } +- if (G.crec.disk_number_start == 0xffff){ ++ ++ if (G.crec.disk_number_start == Z64FLGS) ++ { ++ if (offset+ 4 > ef_len) ++ return PK_ERR; ++ + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); +- offset += sizeof(G.crec.disk_number_start); ++ offset += 4; + } ++#if 0 ++ break; /* Expect only one EF_PKSZ64 block. */ ++#endif /* 0 */ + } + +- /* Skip this extra field block */ ++ /* Skip this extra field block. */ + ef_buf += (eb_len + EB_HEADSIZE); + ef_len -= (eb_len + EB_HEADSIZE); + } -- cgit v1.2.3