fix several possibly unterminated strings
When copying into the OEM_CP and ISO_CP strings, the result could be left unterminated (strncpy does not append '\0' when the source is as long as or longer than the given size). These strings are part of the -I and -O options.
parent
84dde35223
commit
25c3b2b0ae
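--- /dev/null
+++ b/unzip-6.0-COVSCAN-fix-unterminated-string.patch
@@ -0,0 +1,131 @@
+From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001
+From: Jakub Martisko <jamartis@redhat.com>
+Date: Thu, 8 Nov 2018 09:31:18 +0100
+Subject: [PATCH] Possible unterminated string fix
+
+---
+unix/unix.c | 4 +++-
+unix/unxcfg.h | 2 +-
+unzip.c | 12 ++++++++----
+zipinfo.c | 12 ++++++++----
+4 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/unix/unix.c b/unix/unix.c
+index 59b622d..cd57f80 100644
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1945,7 +1945,9 @@ void init_conversion_charsets()
+for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
+if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
+strncpy(OEM_CP, dos_charset_map[i].archive_charset,
+- sizeof(OEM_CP));
++ MAX_CP_NAME - 1);
++
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+break;
+}
+}
+diff --git a/unix/unxcfg.h b/unix/unxcfg.h
+index 8729de2..9ee8cfe 100644
+--- a/unix/unxcfg.h
++++ b/unix/unxcfg.h
+@@ -228,7 +228,7 @@ typedef struct stat z_stat;
+/* and notfirstcall are used by do_wild(). */
+
+
+-#define MAX_CP_NAME 25
++#define MAX_CP_NAME 25 + 1
+
+#ifdef SETLOCALE
+# undef SETLOCALE
+diff --git a/unzip.c b/unzip.c
+index 2d94a38..a485f2b 100644
+--- a/unzip.c
++++ b/unzip.c
+@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv)
+"error: a valid character encoding should follow the -I argument"));
+return(PK_PARAM);
+}
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+} else { /* -I charset */
+++argv;
+if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv)
+return(PK_PARAM);
+}
+s = *argv;
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+}
+while(*(++s)); /* No params straight after charset name */
+}
+@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv)
+"error: a valid character encoding should follow the -I argument"));
+return(PK_PARAM);
+}
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+} else { /* -O charset */
+++argv;
+if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv)
+return(PK_PARAM);
+}
+s = *argv;
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+}
+while(*(++s)); /* No params straight after charset name */
+}
+diff --git a/zipinfo.c b/zipinfo.c
+index accca2a..cb7e08d 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv)
+"error: a valid character encoding should follow the -I argument"));
+return(PK_PARAM);
+}
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+} else { /* -I charset */
+++argv;
+if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv)
+return(PK_PARAM);
+}
+s = *argv;
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+}
+while(*(++s)); /* No params straight after charset name */
+}
+@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv)
+"error: a valid character encoding should follow the -I argument"));
+return(PK_PARAM);
+}
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+} else { /* -O charset */
+++argv;
+if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv)
+return(PK_PARAM);
+}
+s = *argv;
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+}
+while(*(++s)); /* No params straight after charset name */
+}
+--
+2.14.5
+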
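Review bot: In the unix/unxcfg.h hunk the new `#define MAX_CP_NAME 25 + 1` is unparenthesized, so any use other than plain addition or subtraction (for example `2 * MAX_CP_NAME`) expands to the wrong value; it should read `#define MAX_CP_NAME (25 + 1)`. The copies in unix/unix.c, unzip.c and zipinfo.c now bound strncpy with `MAX_CP_NAME - 1` instead of the destination's own size, which is only safe if OEM_CP and ISO_CP are both declared with MAX_CP_NAME elements; those declarations are not part of this patch, so `strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); OEM_CP[sizeof(OEM_CP) - 1] = '\0';` would keep the bound tied to the buffer itself. An over-long -I/-O charset name is still truncated silently rather than rejected with PK_PARAM, which deserves at least a comment such as `/* names longer than MAX_CP_NAME - 1 are truncated */` or an explicit length check. The bodies of init_conversion_charsets(), uz_opts() and zi_opts() start and end outside the hunks shown.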
11
unzip.spec
11
unzip.spec
@ -7,7 +7,7 @@
|
|||||||
Summary: A utility for unpacking zip files
|
Summary: A utility for unpacking zip files
|
||||||
Name: unzip
|
Name: unzip
|
||||||
Version: 6.0
|
Version: 6.0
|
||||||
Release: 41%{?dist}
|
Release: 42%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Archiving
|
Group: Applications/Archiving
|
||||||
Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
|
Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
|
||||||
@ -59,8 +59,11 @@ Patch22: unzip-6.0-timestamp.patch
|
|||||||
|
|
||||||
# fix possible heap based stack overflow in passwd protected files
|
# fix possible heap based stack overflow in passwd protected files
|
||||||
Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
|
Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
|
||||||
|
|
||||||
Patch24: unzip-6.0-cve-2018-18384.patch
|
Patch24: unzip-6.0-cve-2018-18384.patch
|
||||||
|
|
||||||
|
# covscan issues
|
||||||
|
Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch
|
||||||
|
|
||||||
URL: http://www.info-zip.org/UnZip.html
|
URL: http://www.info-zip.org/UnZip.html
|
||||||
BuildRequires: bzip2-devel, gcc
|
BuildRequires: bzip2-devel, gcc
|
||||||
@ -102,6 +105,7 @@ a zip archive.
|
|||||||
%patch22 -p1 -b .timestamp
|
%patch22 -p1 -b .timestamp
|
||||||
%patch23 -p1 -b .cve-2018-1000035
|
%patch23 -p1 -b .cve-2018-1000035
|
||||||
%patch24 -p1 -b .cve-2018-18384
|
%patch24 -p1 -b .cve-2018-18384
|
||||||
|
%patch25 -p1 -b .covscan-1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
|
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
|
||||||
@ -121,6 +125,11 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
|
|||||||
%{_mandir}/*/*
|
%{_mandir}/*/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 08 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-42
|
||||||
|
- fix several possibly unterminated strings
|
||||||
|
When copying to OEM_CP and ISO_CP strings, the string could end unterminated
|
||||||
|
(stncpy does not append '\0').
|
||||||
|
|
||||||
* Thu Nov 08 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-41
|
* Thu Nov 08 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-41
|
||||||
- Fix CVE-2018-18384
|
- Fix CVE-2018-18384
|
||||||
Resolves: CVE-2018-18384
|
Resolves: CVE-2018-18384
|
||||||
|