rpms/unzip
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2018-1000035 - Heap-based buffer overflow in fileio.c

Browse Source 
Resolves: #1537043
This commit is contained in:
Jakub Martisko 2018-02-26 10:42:05 +01:00
parent a442c69cc7
commit 8d5c0ff1a9
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
unzip-6.0-cve-2018-1000035-heap-based-overflow.patch Normal file
View File

@ -0,0 +1,34 @@
--- a/fileio.c 2014-12-05 05:06:05 -0600
+++ b/fileio.c 2017-11-14 01:06:28 -0600
@@ -1,5 +1,5 @@
/*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
See the accompanying file LICENSE, version 2009-Jan-02 or later
(the contents of which are also included in unzip.h) for terms of use.
@@ -1582,6 +1582,8 @@
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
+ char *ep;
+ char *zp;
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,9 +1592,12 @@
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
- sprintf(prompt, LoadFarString(PasswPrompt),
- FnFilter1(zfn), FnFilter2(efn));
+ zp = FnFilter1( zfn);
+ ep = FnFilter2( efn);
+ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
+ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
+ if (prompt != (char *)NULL) {
+ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
m = prompt;
} else
m = (char *)LoadFarString(PasswPrompt2);

12
unzip.spec
View File

@ -7,7 +7,7 @@
Summary: A utility for unpacking zip files Summary: A utility for unpacking zip files
Name: unzip Name: unzip
Version: 6.0 Version: 6.0
Release: 37%{?dist} Release: 38%{?dist}
License: BSD License: BSD
Group: Applications/Archiving Group: Applications/Archiving
Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@ -57,6 +57,10 @@ Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch
# restore unix timestamp accurately # restore unix timestamp accurately
Patch22: unzip-6.0-timestamp.patch Patch22: unzip-6.0-timestamp.patch
# fix possible heap based stack overflow in passwd protected files
Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
URL: http://www.info-zip.org/UnZip.html URL: http://www.info-zip.org/UnZip.html
BuildRequires: bzip2-devel BuildRequires: bzip2-devel
@ -95,6 +99,7 @@ a zip archive.
%patch20 -p1 -b .utf-print %patch20 -p1 -b .utf-print
%patch21 -p1 -b .cve-2016-9844 %patch21 -p1 -b .cve-2016-9844
%patch22 -p1 -b .timestamp %patch22 -p1 -b .timestamp
%patch23 -p1 -b .cve-2018-1000035
%build %build
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
@ -115,6 +120,11 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Tue Feb 13 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-38
- Fix CVE-2018-1000035 - heap based buffer overflow when opening
password protected files.
Resolves: 1537043
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-37 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-37
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild