- fix crash (double free) on malformed zip archive CVE-2008-0888 (#431438)
parent
0cb543d779
commit
df1d2d8a93
42
unzip-5.52-cve-2008-0888.patch
Normal file
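--- /dev/null
+++ b/unzip-5.52-cve-2008-0888.patch
@@ -0,0 +1,42 @@
+diff -up unzip-5.52/inflate.c.pom unzip-5.52/inflate.c
+--- unzip-5.52/inflate.c.pom 2005-02-27 07:08:46.000000000 +0100
++++ unzip-5.52/inflate.c 2008-03-19 14:47:58.000000000 +0100
+@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
+unsigned l; /* last length */
+unsigned m; /* mask for bit lengths table */
+unsigned n; /* number of lengths to get */
++ struct huft *tlp;
+struct huft *tl; /* literal/length code table */
+struct huft *td; /* distance code table */
+unsigned bl; /* lookup bits for tl */
+@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
+register unsigned k; /* number of bits in bit buffer */
+int retval = 0; /* error code returned: initialized to "no error" */
+
++ td = tlp = tl = (struct huft *)NULL;
+
+/* make local bit buffer */
+Trace((stderr, "\ndynamic block"));
+@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
+while (i < n)
+{
+NEEDBITS(bl)
+- j = (td = tl + ((unsigned)b & m))->b;
++ j = (tlp = tl + ((unsigned)b & m))->b;
+DUMPBITS(j)
+- j = td->v.n;
++ j = tlp->v.n;
+if (j < 16) /* length of code in bits (0..15) */
+ll[i++] = l = j; /* save last length in l */
+else if (j == 16) /* repeat last length 3 to 6 times */
+@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
+
+cleanup_and_exit:
+/* free the decoding tables, return */
+- huft_free(tl);
+- huft_free(td);
++ if (tl) huft_free(tl);
++ if (td) huft_free(td);
+return retval;
+}
+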
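Review bot: The `if (tl) huft_free(tl);` / `if (td) huft_free(td);` guards at `cleanup_and_exit` are only safe if each pointer is either NULL or still owns a live table whenever control reaches the label, and the visible hunks do not establish that for every path. Any `huft_free(tl)` or `huft_free(td)` earlier in `inflate_dynamic` (the body between these hunks is not shown here) should be followed by `tl = NULL;` / `td = NULL;`, otherwise a later jump to the label could free the same table a second time. The new `struct huft *tlp;` also lacks the trailing comment its neighbours carry; something like `/* current entry in tl while reading code lengths */` would record why `td` is no longer borrowed as a scratch pointer into `tl`.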
@ -1,7 +1,7 @@
|
||||
Summary: A utility for unpacking zip files
|
||||
Name: unzip
|
||||
Version: 5.52
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: BSD
|
||||
Group: Applications/Archiving
|
||||
Source: ftp://ftp.info-zip.org/pub/infozip/src/unzip552.tar.gz
|
||||
@ -17,6 +17,7 @@ Patch11: unzip-5.52-open.patch
|
||||
Patch12: unzip-5.52-4GB3.patch
|
||||
Patch13: unzip-5.52-4GB_types.patch
|
||||
Patch14: unzip-5.52-249057.patch
|
||||
Patch15: unzip-5.52-cve-2008-0888.patch
|
||||
URL: http://www.info-zip.org/pub/infozip/UnZip.html
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
@ -45,6 +46,7 @@ a zip archive.
|
||||
%patch12 -p1 -b .4GB3
|
||||
%patch13 -p1 -b .4BG4
|
||||
%patch14 -p1 -b .err
|
||||
%patch15 -p1 -b .cve-2008-0888
|
||||
ln -s unix/Makefile Makefile
|
||||
|
||||
%build
|
||||
@ -65,6 +67,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Wed Mar 19 2008 Ivana Varekova <varekova@redhat.com> - 5.52-9
|
||||
- fix crash (double free) on malformed zip archive
|
||||
CVE-2008-0888 (#431438)
|
||||
|
||||
* Fri Feb 8 2008 Ivana Varekova <varekova@redhat.com> - 5.52-8
|
||||
- fix output when out of space error appears
|
||||
|
||||
|