Fix integer overflow in zipOpenNewFileInZip4_6

Resolves: CVE-2023-45853
Lukas Javorsky 2023-10-17 10:13:09 +00:00
parent eb01ebe050
commit 1edfcf16da
2 changed files with 47 additions and 1 deletions

@ -0,0 +1,39 @@
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
From: Hans Wennborg <hans@chromium.org>
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
---
contrib/minizip/zip.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
index 3d3d4ca..0446109 100644
--- a/contrib/minizip/zip.c
+++ b/contrib/minizip/zip.c
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
return ZIP_PARAMERROR;
#endif
+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
zi = (zip64_internal*)file;
if (zi->in_opened_file_inzip == 1)
--
2.41.0
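Review bot: the comment above the size_extrafield_local / size_extrafield_global check says the Zip64 extra block "will be checked for later", but that later check is not part of this hunk, so nothing visible here shows that size_extrafield_global plus the Zip64 block is rejected when the combined length exceeds 0xffff. Please name the place where the combined length is checked in that comment (or add the check), and consider a regression test that calls zipOpenNewFileInZip4_64 with a filename, a comment and an extra field of 0x10000 bytes each and expects ZIP_PARAMERROR. The packaging commit title also names zipOpenNewFileInZip4_6, while the function patched here is zipOpenNewFileInZip4_64.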

@ -2,7 +2,7 @@
Name: zlib Name: zlib
Version: 1.2.13 Version: 1.2.13
Release: 4%{?dist} Release: 5%{?dist}
Summary: Compression and decompression library Summary: Compression and decompression library
# /contrib/dotzlib/ have Boost license # /contrib/dotzlib/ have Boost license
License: Zlib AND BSL-1.0 License: Zlib AND BSL-1.0
@ -30,6 +30,8 @@ Patch22: zlib-1.2.11-covscan-issues.patch
# fixed issues found by covscan for rhel-9 # fixed issues found by covscan for rhel-9
# ref: https://github.com/madler/zlib/pull/554 # ref: https://github.com/madler/zlib/pull/554
Patch23: zlib-1.2.11-covscan-issues-rhel9.patch Patch23: zlib-1.2.11-covscan-issues-rhel9.patch
# Upstream patch: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
Patch24: zlib-1.2.13-Reject-overflows-of-zip-header-fields-in-minizip.patch
BuildRequires: make BuildRequires: make
BuildRequires: automake, autoconf, libtool BuildRequires: automake, autoconf, libtool
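Review bot: the comment above Patch24 gives the upstream commit URL but not the CVE it addresses, which appears only in the changelog entry. Adding "CVE-2023-45853" to that comment line would let the patch be traced to the advisory directly from the Patch list.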
@ -91,6 +93,7 @@ developing applications which use minizip.
%patch -P20 -p1 %patch -P20 -p1
%patch -P22 -p1 %patch -P22 -p1
%patch -P23 -p1 %patch -P23 -p1
%patch -P24 -p1
# Patch19 conflicts with Patch1, so the Patch1 has to be applied after, # Patch19 conflicts with Patch1, so the Patch1 has to be applied after,
# because it is arch specific # because it is arch specific
%ifarch s390 s390x %ifarch s390 s390x
@ -173,6 +176,10 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
%changelog %changelog
* Tue Oct 17 2023 Lukas Javorsky <ljavorsk@redhat.com> - 1.2.13-5
- Applied upstream commit 73331a6a0481067628f065ffe87bb1d8f787d10c
- Resolves: CVE-2023-45853
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.13-4 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.13-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild