From 25c3b2b0ae11aa30e637832aaf8cc09248e03f6e Mon Sep 17 00:00:00 2001 From: Jakub Martisko Date: Thu, 8 Nov 2018 12:28:58 +0100 Subject: [PATCH] fix several possibly unterminated strings When copying to OEM_CP and ISO_CP strings, the string could end unterminated (stncpy does not append '\0'). These string are part of the -I and -O options. --- ...-6.0-COVSCAN-fix-unterminated-string.patch | 131 ++++++++++++++++++ unzip.spec | 11 +- 2 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 unzip-6.0-COVSCAN-fix-unterminated-string.patch diff --git a/unzip-6.0-COVSCAN-fix-unterminated-string.patch b/unzip-6.0-COVSCAN-fix-unterminated-string.patch new file mode 100644 index 0000000..7173771 --- /dev/null +++ b/unzip-6.0-COVSCAN-fix-unterminated-string.patch @@ -0,0 +1,131 @@ +From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Thu, 8 Nov 2018 09:31:18 +0100 +Subject: [PATCH] Possible unterminated string fix + +--- + unix/unix.c | 4 +++- + unix/unxcfg.h | 2 +- + unzip.c | 12 ++++++++---- + zipinfo.c | 12 ++++++++---- + 4 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/unix/unix.c b/unix/unix.c +index 59b622d..cd57f80 100644 +--- a/unix/unix.c ++++ b/unix/unix.c +@@ -1945,7 +1945,9 @@ void init_conversion_charsets() + for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) + if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) { + strncpy(OEM_CP, dos_charset_map[i].archive_charset, +- sizeof(OEM_CP)); ++ MAX_CP_NAME - 1); ++ ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + break; + } + } +diff --git a/unix/unxcfg.h b/unix/unxcfg.h +index 8729de2..9ee8cfe 100644 +--- a/unix/unxcfg.h ++++ b/unix/unxcfg.h +@@ -228,7 +228,7 @@ typedef struct stat z_stat; + /* and notfirstcall are used by do_wild(). */ + + +-#define MAX_CP_NAME 25 ++#define MAX_CP_NAME 25 + 1 + + #ifdef SETLOCALE + # undef SETLOCALE +diff --git a/unzip.c b/unzip.c +index 2d94a38..a485f2b 100644 +--- a/unzip.c ++++ b/unzip.c +@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +diff --git a/zipinfo.c b/zipinfo.c +index accca2a..cb7e08d 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +-- +2.14.5 + diff --git a/unzip.spec b/unzip.spec index 6ee6220..36f8a42 100644 --- a/unzip.spec +++ b/unzip.spec @@ -7,7 +7,7 @@ Summary: A utility for unpacking zip files Name: unzip Version: 6.0 -Release: 41%{?dist} +Release: 42%{?dist} License: BSD Group: Applications/Archiving Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -59,8 +59,11 @@ Patch22: unzip-6.0-timestamp.patch # fix possible heap based stack overflow in passwd protected files Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch + Patch24: unzip-6.0-cve-2018-18384.patch +# covscan issues +Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch URL: http://www.info-zip.org/UnZip.html BuildRequires: bzip2-devel, gcc @@ -102,6 +105,7 @@ a zip archive. %patch22 -p1 -b .timestamp %patch23 -p1 -b .cve-2018-1000035 %patch24 -p1 -b .cve-2018-18384 +%patch25 -p1 -b .covscan-1 %build # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X @@ -121,6 +125,11 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{ %{_mandir}/*/* %changelog +* Thu Nov 08 2018 Jakub Martisko - 6.0-42 +- fix several possibly unterminated strings + When copying to OEM_CP and ISO_CP strings, the string could end unterminated + (stncpy does not append '\0'). + * Thu Nov 08 2018 Jakub Martisko - 6.0-41 - Fix CVE-2018-18384 Resolves: CVE-2018-18384