Fix: CVE-2020-18770

The previous patch introduces a segfault
Resolves: RHEL-14967
This commit is contained in:
Jakub Martisko 2024-02-27 17:00:57 +01:00
parent db9808753d
commit bd96609e07
2 changed files with 17 additions and 19 deletions

View File

@ -1,30 +1,23 @@
From 18c6c043bd7d8f139f30e9c7749013115d5fc5b7 Mon Sep 17 00:00:00 2001 From 803f49aaae16b7f2899e4769afdfc673a21fa9e8 Mon Sep 17 00:00:00 2001
From: Valentin Lefebvre <valentin.lefebvre@suse.com> From: Guido Draheim <guidod@gmx.de>
Date: Wed, 20 Sep 2023 12:04:56 +0200 Date: Mon, 26 Feb 2024 23:17:12 +0100
Subject: [PATCH] mmappend.c: Avoid invalid access for header entry Subject: [PATCH] #69 assert full zzip_file_header
* zzip_disk_entry_to_file_header checking the pointer by substraction
instead of addition where it could lead to an invalid access memory.
* CVE-2020-18770
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
--- ---
zzip/mmapped.c | 5 +++-- zzip/mmapped.c | 3 ++-
1 file changed, 3 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/zzip/mmapped.c b/zzip/mmapped.c diff --git a/zzip/mmapped.c b/zzip/mmapped.c
index 2071882..beb094d 100644 index 2071882..306ba51 100644
--- a/zzip/mmapped.c --- a/zzip/mmapped.c
+++ b/zzip/mmapped.c +++ b/zzip/mmapped.c
@@ -275,8 +275,9 @@ zzip_disk_entry_to_data(ZZIP_DISK * disk, struct zzip_disk_entry * entry) @@ -276,7 +276,8 @@ struct zzip_file_header *
struct zzip_file_header *
zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry) zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
{ {
- zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry); zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry);
- if (disk->buffer > ptr || ptr >= disk->endbuf) - if (disk->buffer > ptr || ptr >= disk->endbuf)
+ zzip_off_t off = zzip_disk_entry_fileoffset(entry); + zzip_byte_t *const end = ptr + sizeof(struct zzip_file_header);
+ zzip_byte_t *const ptr = disk->buffer + off; + if (disk->buffer > ptr || end >= disk->endbuf || end <= NULL)
+ if (disk->buffer > ptr || disk->buffer >= disk->endbuf - off)
{ {
errno = EBADMSG; errno = EBADMSG;
return 0; return 0;

View File

@ -1,7 +1,7 @@
Summary: Lightweight library to easily extract data from zip files Summary: Lightweight library to easily extract data from zip files
Name: zziplib Name: zziplib
Version: 0.13.71 Version: 0.13.71
Release: 10%{?dist} Release: 11%{?dist}
License: LGPLv2+ or MPLv1.1 License: LGPLv2+ or MPLv1.1
URL: http://zziplib.sourceforge.net/ URL: http://zziplib.sourceforge.net/
#Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz #Source: https://github.com/gdraheim/zziplib/archive/v%{version}.tar.gz
@ -124,6 +124,11 @@ popd
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Wed Feb 28 2024 Jakub Martisko <jamartis@redhat.com> - 0.13.71-11
- Fix CVE-2020-18770
Previous patch was causing segfault
Resolves: RHEL-14967
* Wed Jan 24 2024 Jakub Martisko <jamartis@redhat.com> - 0.13.71-10 * Wed Jan 24 2024 Jakub Martisko <jamartis@redhat.com> - 0.13.71-10
- Fix CVE-2020-18770 - Fix CVE-2020-18770
Resolves: RHEL-14967 Resolves: RHEL-14967