Fix CVE-2018-1000035 - Heap-based buffer overflow in fileio.c

Resolves: #1537043
2018-02-26 10:42:05 +01:00 · 2018-02-26 10:42:05 +01:00 · 8d5c0ff1a9
commit 8d5c0ff1a9
parent a442c69cc7
2 changed files with 45 additions and 1 deletions
--- a/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+++ b/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
@ -0,0 +1,34 @@
+--- a/fileio.c	2014-12-05 05:06:05 -0600
+++ b/fileio.c	2017-11-14 01:06:28 -0600
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2017 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1582,6 +1582,8 @@
+     int r = IZ_PW_ENTERED;
+     char *m;
+     char *prompt;
+    char *ep;
+    char *zp;
+ 
+ #ifndef REENTRANT
+     /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@
+ 
+     if (*rcnt == 0) {           /* First call for current entry */
+         *rcnt = 2;
+-        if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+-            sprintf(prompt, LoadFarString(PasswPrompt),
+-                    FnFilter1(zfn), FnFilter2(efn));
+        zp = FnFilter1( zfn);
+        ep = FnFilter2( efn);
+        prompt = (char *)malloc(        /* Slightly too long (2* "%s"). */
+         sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
+        if (prompt != (char *)NULL) {
+            sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+             m = prompt;
+         } else
+             m = (char *)LoadFarString(PasswPrompt2);
--- a/unzip.spec
+++ b/unzip.spec
@ -7,7 +7,7 @@
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 6.0
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: BSD
 Group: Applications/Archiving
 Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@ -57,6 +57,10 @@ Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch
 # restore unix timestamp accurately
 Patch22: unzip-6.0-timestamp.patch

+# fix possible heap based stack overflow in passwd protected files
+Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
+
 URL: http://www.info-zip.org/UnZip.html
 BuildRequires:  bzip2-devel

@ -95,6 +99,7 @@ a zip archive.
 %patch20 -p1 -b .utf-print
 %patch21 -p1 -b .cve-2016-9844
 %patch22 -p1 -b .timestamp
+%patch23 -p1 -b .cve-2018-1000035

 %build
 # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
@ -115,6 +120,11 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
 %{_mandir}/*/*

 %changelog
+* Tue Feb 13 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-38
+- Fix CVE-2018-1000035 - heap based buffer overflow when opening
+  password protected files.
+  Resolves: 1537043 
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-37
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild