Fix CVE-2016-9844 - buffer overflow in zipinfo

Resolves: #1404283
2016-12-14 16:59:00 +01:00 · 2016-12-14 16:59:00 +01:00 · ee4e72f3fc
commit ee4e72f3fc
parent 45bcfca8da
2 changed files with 46 additions and 2 deletions
--- a/0001-Fix-CVE-2016-9844-rhbz-1404283.patch
+++ b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch
@ -0,0 +1,39 @@
+From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 14 Dec 2016 16:30:36 +0100
+Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283)
+
+Fixes buffer overflow in zipinfo in similar way like fix for
+CVE-2014-9913 provided by upstream.
+---
+ zipinfo.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/zipinfo.c b/zipinfo.c
+index c03620e..accca2a 100644
+--- a/zipinfo.c
+++ b/zipinfo.c
+@@ -1984,7 +1984,19 @@ static int zi_short(__G)   /* return PK-type error code */
+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+         methbuf[3] = dtype[dnum];
+     } else if (methnum >= NUM_METHODS) {   /* unknown */
+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+        /* 2016-12-05 SMS.
+         * https://launchpad.net/bugs/1643750
+         * Unexpectedly large compression methods overflow
+         * &methbuf[].  Use the old, three-digit decimal format
+         * for values which fit.  Otherwise, sacrifice the "u",
+         * and use four-digit hexadecimal.
+         */
+        if (G.crec.compression_method <= 999) {
+              sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+        } else {
+              sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+        }
+
+     }
+ 
+     for (k = 0;  k < 15;  ++k)
+-- 
+2.5.5
+
--- a/unzip.spec
+++ b/unzip.spec
@ -7,7 +7,7 @@
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 6.0
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: BSD
 Group: Applications/Archiving
 Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@ -49,6 +49,7 @@ Patch18: unzip-6.0-heap-overflow-infloop.patch
 # support non-{latin,unicode} encoding
 Patch19: unzip-6.0-alt-iconv-utf8.patch
 Patch20: unzip-6.0-alt-iconv-utf8-print.patch
+Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch

 URL: http://www.info-zip.org/UnZip.html
 BuildRequires:  bzip2-devel
@ -86,7 +87,7 @@ a zip archive.
 %patch18 -p1 -b .heap-overflow-infloop
 %patch19 -p1 -b .utf
 %patch20 -p1 -b .utf-print
-
+%patch21 -p1 -b .cve-2016-9844

 %build
 # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
@ -106,6 +107,10 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
 %{_mandir}/*/*

 %changelog
+* Wed Dec 14 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-31
+- Fix CVE-2016-9844 - buffer overflow in zipinfo
+  Resolves: #1404283
+
 * Thu Jul 14 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-30
 - rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch
  so linking is now configurable from the spec file