fixed few security bugs and overflow for long file sizes
This commit is contained in:
		
							parent
							
								
									e6cccc653b
								
							
						
					
					
						commit
						1e71db15e9
					
				
							
								
								
									
										79
									
								
								unzip-6.0-cve-2014-8139.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										79
									
								
								unzip-6.0-cve-2014-8139.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,79 @@ | |||||||
|  | diff --git a/extract.c b/extract.c
 | ||||||
|  | index 9ef80b3..c741b5f 100644
 | ||||||
|  | --- a/extract.c
 | ||||||
|  | +++ b/extract.c
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
 | ||||||
|  | +  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
 | ||||||
|  |   | ||||||
|  |    See the accompanying file LICENSE, version 2009-Jan-02 or later | ||||||
|  |    (the contents of which are also included in unzip.h) for terms of use. | ||||||
|  | @@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
 | ||||||
|  |  #ifndef SFX | ||||||
|  |     static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ | ||||||
|  |       EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; | ||||||
|  | +   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
 | ||||||
|  | +     EF block length (%u bytes) invalid (< %d)\n";
 | ||||||
|  |     static ZCONST char Far InvalidComprDataEAs[] = | ||||||
|  |       " invalid compressed data for EAs\n"; | ||||||
|  |  #  if (defined(WIN32) && defined(NTSD_EAS)) | ||||||
|  | @@ -2020,7 +2022,8 @@ static int TestExtraField(__G__ ef, ef_len)
 | ||||||
|  |          ebID = makeword(ef); | ||||||
|  |          ebLen = (unsigned)makeword(ef+EB_LEN); | ||||||
|  |   | ||||||
|  | -        if (ebLen > (ef_len - EB_HEADSIZE)) {
 | ||||||
|  | +        if (ebLen > (ef_len - EB_HEADSIZE))
 | ||||||
|  | +        {
 | ||||||
|  |             /* Discovered some extra field inconsistency! */ | ||||||
|  |              if (uO.qflag) | ||||||
|  |                  Info(slide, 1, ((char *)slide, "%-22s ", | ||||||
|  | @@ -2155,11 +2158,29 @@ static int TestExtraField(__G__ ef, ef_len)
 | ||||||
|  |                  } | ||||||
|  |                  break; | ||||||
|  |              case EF_PKVMS: | ||||||
|  | -                if (makelong(ef+EB_HEADSIZE) !=
 | ||||||
|  | -                    crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
 | ||||||
|  | -                          (extent)(ebLen-4)))
 | ||||||
|  | -                    Info(slide, 1, ((char *)slide,
 | ||||||
|  | -                      LoadFarString(BadCRC_EAs)));
 | ||||||
|  | +                /* 2015-01-30 SMS.  Added sufficient-bytes test/message
 | ||||||
|  | +                 * here.  (Removed defective ebLen test above.)
 | ||||||
|  | +                 *
 | ||||||
|  | +                 * If sufficient bytes (EB_PKVMS_MINLEN) are available,
 | ||||||
|  | +                 * then compare the stored CRC value with the calculated
 | ||||||
|  | +                 * CRC for the remainder of the data (and complain about
 | ||||||
|  | +                 * a mismatch).
 | ||||||
|  | +                 */
 | ||||||
|  | +                if (ebLen < EB_PKVMS_MINLEN)
 | ||||||
|  | +                {
 | ||||||
|  | +                    /* Insufficient bytes available. */
 | ||||||
|  | +                    Info( slide, 1,
 | ||||||
|  | +                     ((char *)slide, LoadFarString( TooSmallEBlength),
 | ||||||
|  | +                     ebLen, EB_PKVMS_MINLEN));
 | ||||||
|  | +                }
 | ||||||
|  | +                else if (makelong(ef+ EB_HEADSIZE) !=
 | ||||||
|  | +                 crc32(CRCVAL_INITIAL,
 | ||||||
|  | +                 (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN),
 | ||||||
|  | +                 (extent)(ebLen- EB_PKVMS_MINLEN)))
 | ||||||
|  | +                {
 | ||||||
|  | +                     Info(slide, 1, ((char *)slide,
 | ||||||
|  | +                       LoadFarString(BadCRC_EAs)));
 | ||||||
|  | +                }
 | ||||||
|  |                  break; | ||||||
|  |              case EF_PKW32: | ||||||
|  |              case EF_PKUNIX: | ||||||
|  | diff --git a/unzpriv.h b/unzpriv.h
 | ||||||
|  | index 005cee0..5c83a6e 100644
 | ||||||
|  | --- a/unzpriv.h
 | ||||||
|  | +++ b/unzpriv.h
 | ||||||
|  | @@ -1806,6 +1806,8 @@
 | ||||||
|  |  #define EB_NTSD_VERSION   4    /* offset of NTSD version byte */ | ||||||
|  |  #define EB_NTSD_MAX_VER   (0)  /* maximum version # we know how to handle */ | ||||||
|  |   | ||||||
|  | +#define EB_PKVMS_MINLEN   4    /* minimum data length of PKVMS extra block */
 | ||||||
|  | +
 | ||||||
|  |  #define EB_ASI_CRC32      0    /* offset of ASI Unix field's crc32 checksum */ | ||||||
|  |  #define EB_ASI_MODE       4    /* offset of ASI Unix permission mode field */ | ||||||
|  |   | ||||||
|  | 
 | ||||||
							
								
								
									
										25
									
								
								unzip-6.0-cve-2014-8140.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								unzip-6.0-cve-2014-8140.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,25 @@ | |||||||
|  | diff --git a/extract.c b/extract.c
 | ||||||
|  | index c741b5f..e4a4c7b 100644
 | ||||||
|  | --- a/extract.c
 | ||||||
|  | +++ b/extract.c
 | ||||||
|  | @@ -2240,10 +2240,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
 | ||||||
|  |      if (compr_offset < 4)                /* field is not compressed: */ | ||||||
|  |          return PK_OK;                    /* do nothing and signal OK */ | ||||||
|  |   | ||||||
|  | +    /* Return no/bad-data error status if any problem is found:
 | ||||||
|  | +     *    1. eb_size is too small to hold the uncompressed size
 | ||||||
|  | +     *       (eb_ucsize).  (Else extract eb_ucsize.)
 | ||||||
|  | +     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
 | ||||||
|  | +     *    3. eb_ucsize is positive, but eb_size is too small to hold
 | ||||||
|  | +     *       the compressed data header.
 | ||||||
|  | +     */
 | ||||||
|  |      if ((eb_size < (EB_UCSIZE_P + 4)) || | ||||||
|  | -        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
 | ||||||
|  | -         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
 | ||||||
|  | -        return IZ_EF_TRUNC;               /* no compressed data! */
 | ||||||
|  | +     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
 | ||||||
|  | +     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
 | ||||||
|  | +        return IZ_EF_TRUNC;             /* no/bad compressed data! */
 | ||||||
|  |   | ||||||
|  |      method = makeword(eb + (EB_HEADSIZE + compr_offset)); | ||||||
|  |      if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) | ||||||
							
								
								
									
										138
									
								
								unzip-6.0-cve-2014-8141.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										138
									
								
								unzip-6.0-cve-2014-8141.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,138 @@ | |||||||
|  | diff --git a/fileio.c b/fileio.c
 | ||||||
|  | index 03fc4be..2a61a30 100644
 | ||||||
|  | --- a/fileio.c
 | ||||||
|  | +++ b/fileio.c
 | ||||||
|  | @@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
 | ||||||
|  |  #endif | ||||||
|  |  static ZCONST char Far ExtraFieldTooLong[] = | ||||||
|  |    "warning:  extra field too long (%d).  Ignoring...\n"; | ||||||
|  | +static ZCONST char Far ExtraFieldCorrupt[] =
 | ||||||
|  | +  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
 | ||||||
|  |   | ||||||
|  |  #ifdef WINDLL | ||||||
|  |     static ZCONST char Far DiskFullQuery[] = | ||||||
|  | @@ -2300,7 +2302,13 @@ int do_string(__G__ length, option)   /* return PK-type error code */
 | ||||||
|  |                length = length2; | ||||||
|  |              } | ||||||
|  |              /* Looks like here is where extra fields are read */ | ||||||
|  | -            getZip64Data(__G__ G.extra_field, length);
 | ||||||
|  | +            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
 | ||||||
|  | +            {
 | ||||||
|  | +                Info(slide, 0x401, ((char *)slide,
 | ||||||
|  | +                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
 | ||||||
|  | +                error = PK_WARN;
 | ||||||
|  | +            }
 | ||||||
|  | +
 | ||||||
|  |  #ifdef UNICODE_SUPPORT | ||||||
|  |              G.unipath_filename = NULL; | ||||||
|  |              if (G.UzO.U_flag < 2) { | ||||||
|  | diff --git a/process.c b/process.c
 | ||||||
|  | index be6e006..0d57ab4 100644
 | ||||||
|  | --- a/process.c
 | ||||||
|  | +++ b/process.c
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
 | ||||||
|  | +  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
 | ||||||
|  |   | ||||||
|  |    See the accompanying file LICENSE, version 2009-Jan-02 or later | ||||||
|  |    (the contents of which are also included in unzip.h) for terms of use. | ||||||
|  | @@ -1894,48 +1894,83 @@ int getZip64Data(__G__ ef_buf, ef_len)
 | ||||||
|  |      and a 4-byte version of disk start number. | ||||||
|  |      Sets both local header and central header fields.  Not terribly clever, | ||||||
|  |      but it means that this procedure is only called in one place. | ||||||
|  | +
 | ||||||
|  | +    2014-12-05 SMS.
 | ||||||
|  | +    Added checks to ensure that enough data are available before calling
 | ||||||
|  | +    makeint64() or makelong().  Replaced various sizeof() values with
 | ||||||
|  | +    simple ("4" or "8") constants.  (The Zip64 structures do not depend
 | ||||||
|  | +    on our variable sizes.)  Error handling is crude, but we should now
 | ||||||
|  | +    stay within the buffer.
 | ||||||
|  |    ---------------------------------------------------------------------------*/ | ||||||
|  |   | ||||||
|  | +#define Z64FLGS 0xffff
 | ||||||
|  | +#define Z64FLGL 0xffffffff
 | ||||||
|  | +
 | ||||||
|  |      if (ef_len == 0 || ef_buf == NULL) | ||||||
|  |          return PK_COOL; | ||||||
|  |   | ||||||
|  |      Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", | ||||||
|  |        ef_len)); | ||||||
|  |   | ||||||
|  | -    while (ef_len >= EB_HEADSIZE) {
 | ||||||
|  | +    while (ef_len >= EB_HEADSIZE)
 | ||||||
|  | +    {
 | ||||||
|  |          eb_id = makeword(EB_ID + ef_buf); | ||||||
|  |          eb_len = makeword(EB_LEN + ef_buf); | ||||||
|  |   | ||||||
|  | -        if (eb_len > (ef_len - EB_HEADSIZE)) {
 | ||||||
|  | -            /* discovered some extra field inconsistency! */
 | ||||||
|  | +        if (eb_len > (ef_len - EB_HEADSIZE))
 | ||||||
|  | +        {
 | ||||||
|  | +            /* Extra block length exceeds remaining extra field length. */
 | ||||||
|  |              Trace((stderr, | ||||||
|  |                "getZip64Data: block length %u > rest ef_size %u\n", eb_len, | ||||||
|  |                ef_len - EB_HEADSIZE)); | ||||||
|  |              break; | ||||||
|  |          } | ||||||
|  | -        if (eb_id == EF_PKSZ64) {
 | ||||||
|  |   | ||||||
|  | +        if (eb_id == EF_PKSZ64)
 | ||||||
|  | +        {
 | ||||||
|  |            int offset = EB_HEADSIZE; | ||||||
|  |   | ||||||
|  | -          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
 | ||||||
|  | -            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
 | ||||||
|  | -            offset += sizeof(G.crec.ucsize);
 | ||||||
|  | +          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
 | ||||||
|  | +          {
 | ||||||
|  | +            if (offset+ 8 > ef_len)
 | ||||||
|  | +              return PK_ERR;
 | ||||||
|  | +
 | ||||||
|  | +            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
 | ||||||
|  | +            offset += 8;
 | ||||||
|  |            } | ||||||
|  | -          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
 | ||||||
|  | -            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
 | ||||||
|  | -            offset += sizeof(G.crec.csize);
 | ||||||
|  | +
 | ||||||
|  | +          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
 | ||||||
|  | +          {
 | ||||||
|  | +            if (offset+ 8 > ef_len)
 | ||||||
|  | +              return PK_ERR;
 | ||||||
|  | +
 | ||||||
|  | +            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
 | ||||||
|  | +            offset += 8;
 | ||||||
|  |            } | ||||||
|  | -          if (G.crec.relative_offset_local_header == 0xffffffff){
 | ||||||
|  | +
 | ||||||
|  | +          if (G.crec.relative_offset_local_header == Z64FLGL)
 | ||||||
|  | +          {
 | ||||||
|  | +            if (offset+ 8 > ef_len)
 | ||||||
|  | +              return PK_ERR;
 | ||||||
|  | +
 | ||||||
|  |              G.crec.relative_offset_local_header = makeint64(offset + ef_buf); | ||||||
|  | -            offset += sizeof(G.crec.relative_offset_local_header);
 | ||||||
|  | +            offset += 8;
 | ||||||
|  |            } | ||||||
|  | -          if (G.crec.disk_number_start == 0xffff){
 | ||||||
|  | +
 | ||||||
|  | +          if (G.crec.disk_number_start == Z64FLGS)
 | ||||||
|  | +          {
 | ||||||
|  | +            if (offset+ 4 > ef_len)
 | ||||||
|  | +              return PK_ERR;
 | ||||||
|  | +
 | ||||||
|  |              G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); | ||||||
|  | -            offset += sizeof(G.crec.disk_number_start);
 | ||||||
|  | +            offset += 4;
 | ||||||
|  |            } | ||||||
|  | +#if 0
 | ||||||
|  | +          break;                /* Expect only one EF_PKSZ64 block. */
 | ||||||
|  | +#endif /* 0 */
 | ||||||
|  |          } | ||||||
|  |   | ||||||
|  | -        /* Skip this extra field block */
 | ||||||
|  | +        /* Skip this extra field block. */
 | ||||||
|  |          ef_buf += (eb_len + EB_HEADSIZE); | ||||||
|  |          ef_len -= (eb_len + EB_HEADSIZE); | ||||||
|  |      } | ||||||
							
								
								
									
										34
									
								
								unzip-6.0-overflow-long-fsize.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										34
									
								
								unzip-6.0-overflow-long-fsize.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,34 @@ | |||||||
|  | diff --git a/list.c b/list.c
 | ||||||
|  | index f7359c3..4c3d703 100644
 | ||||||
|  | --- a/list.c
 | ||||||
|  | +++ b/list.c
 | ||||||
|  | @@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type error code */
 | ||||||
|  |  { | ||||||
|  |      int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; | ||||||
|  |  #ifndef WINDLL | ||||||
|  | -    char sgn, cfactorstr[10];
 | ||||||
|  | +    char sgn, cfactorstr[13];
 | ||||||
|  |      int longhdr=(uO.vflag>1); | ||||||
|  |  #endif | ||||||
|  |      int date_format; | ||||||
|  | @@ -339,7 +339,19 @@ int list_files(__G)    /* return PK-type error code */
 | ||||||
|  |                  G.crec.compression_method == ENHDEFLATED) { | ||||||
|  |                  methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; | ||||||
|  |              } else if (methnum >= NUM_METHODS) { | ||||||
|  | -                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
 | ||||||
|  | +                /* 2013-02-26 SMS.
 | ||||||
|  | +                 * http://sourceforge.net/tracker/?func=detail
 | ||||||
|  | +                 *  &aid=2861648&group_id=118012&atid=679786
 | ||||||
|  | +                 * Unexpectedly large compression methods overflow
 | ||||||
|  | +                 * &methbuf[].  Use the old, three-digit decimal format
 | ||||||
|  | +                 * for values which fit.  Otherwise, sacrifice the
 | ||||||
|  | +                 * colon, and use four-digit hexadecimal.
 | ||||||
|  | +                 */
 | ||||||
|  | +                if (G.crec.compression_method <= 999) {
 | ||||||
|  | +                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
 | ||||||
|  | +                } else {
 | ||||||
|  | +                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
 | ||||||
|  | +                }
 | ||||||
|  |              } | ||||||
|  |   | ||||||
|  |  #if 0       /* GRR/Euro:  add this? */ | ||||||
							
								
								
									
										20
									
								
								unzip.spec
									
									
									
									
									
								
							
							
						
						
									
										20
									
								
								unzip.spec
									
									
									
									
									
								
							| @ -1,7 +1,7 @@ | |||||||
| Summary: A utility for unpacking zip files | Summary: A utility for unpacking zip files | ||||||
| Name: unzip | Name: unzip | ||||||
| Version: 6.0 | Version: 6.0 | ||||||
| Release: 18%{?dist} | Release: 19%{?dist} | ||||||
| License: BSD | License: BSD | ||||||
| Group: Applications/Archiving | Group: Applications/Archiving | ||||||
| Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz | Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz | ||||||
| @ -32,6 +32,10 @@ Patch10: unzip-6.0-format-secure.patch | |||||||
| Patch11: unzip-6.0-valgrind.patch | Patch11: unzip-6.0-valgrind.patch | ||||||
| Patch12: unzip-6.0-x-option.patch | Patch12: unzip-6.0-x-option.patch | ||||||
| Patch13: unzip-6.0-overflow.patch | Patch13: unzip-6.0-overflow.patch | ||||||
|  | Patch14: unzip-6.0-cve-2014-8139.patch | ||||||
|  | Patch15: unzip-6.0-cve-2014-8140.patch | ||||||
|  | Patch16: unzip-6.0-cve-2014-8141.patch | ||||||
|  | Patch17: unzip-6.0-overflow-long-fsize.patch | ||||||
| URL: http://www.info-zip.org/UnZip.html | URL: http://www.info-zip.org/UnZip.html | ||||||
| BuildRequires:  bzip2-devel | BuildRequires:  bzip2-devel | ||||||
| 
 | 
 | ||||||
| @ -61,6 +65,10 @@ a zip archive. | |||||||
| %patch11 -p1 -b .valgrind | %patch11 -p1 -b .valgrind | ||||||
| %patch12 -p1 -b .x-option | %patch12 -p1 -b .x-option | ||||||
| %patch13 -p1 -b .overflow | %patch13 -p1 -b .overflow | ||||||
|  | %patch14 -p1 -b .cve-2014-8139 | ||||||
|  | %patch15 -p1 -b .cve-2014-8140 | ||||||
|  | %patch16 -p1 -b .cve-2014-8141 | ||||||
|  | %patch17 -p1 -b .overflow-long-fsize | ||||||
| 
 | 
 | ||||||
| %build | %build | ||||||
| # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X | # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X | ||||||
| @ -79,6 +87,16 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{ | |||||||
| %{_mandir}/*/* | %{_mandir}/*/* | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Feb 10 2015 Petr Stodulka <pstodulk@redhat.com> - 6.0-19 | ||||||
|  | - Fix CVE-2014-8139 - CRC32 verification heap-based buffer overread | ||||||
|  |   (#1174844) | ||||||
|  | - Fix CVE-2014-8140 - out-of-bounds write issue in test_compr_eb() | ||||||
|  |   (#1174851) | ||||||
|  | - Fix CVE-2014-8141 - getZip64Data() out-of-bounds read issues | ||||||
|  |   (#1174856) | ||||||
|  | - Fix buffer overflow on long file sizes | ||||||
|  |   (#1191136) | ||||||
|  | 
 | ||||||
| * Mon Jan 26 2015 Petr Stodulka <pstodulk@redhat.com> - 6.0-18 | * Mon Jan 26 2015 Petr Stodulka <pstodulk@redhat.com> - 6.0-18 | ||||||
| - Fix security bug - CVE-2014-9636 | - Fix security bug - CVE-2014-9636 | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user