unzip: patch CVE-2015-7696, CVE-2015-7697 and integer underflow

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2015-11-01 16:19:56 +01:00 · 2015-11-01 16:19:56 +01:00 · 8a70ddefc7
parent f8a70fc188
commit 8a70ddefc7
4 changed files with 58 additions and 1 deletions
--- a/utils/unzip/Makefile
+++ b/utils/unzip/Makefile
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unzip
 PKG_REV:=60
 PKG_VERSION:=6.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=$(PKG_NAME)$(PKG_REV).tar.gz
 PKG_SOURCE_URL:=@SF/infozip
--- a/utils/unzip/patches/005-CVE-2015-7696-heap-overflow.patch
+++ b/utils/unzip/patches/005-CVE-2015-7696-heap-overflow.patch
@ -0,0 +1,21 @@
+--- a/crypt.c
+++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+     GLOBAL(pInfo->encrypted) = FALSE;
+     defer_leftover_input(__G);
+     for (n = 0; n < RAND_HEAD_LEN; n++) {
+-        b = NEXTBYTE;
+        /* 2012-11-23 SMS.  (OUSPG report.)
+         * Quit early if compressed size < HEAD_LEN.  The resulting
+         * error message ("unable to get password") could be improved,
+         * but it's better than trying to read nonexistent data, and
+         * then continuing with a negative G.csize.  (See
+         * fileio.c:readbyte()).
+         */
+        if ((b = NEXTBYTE) == (ush)EOF)
+        {
+            return PK_ERR;
+        }
+         h[n] = (uch)b;
+         Trace((stdout, " (%02x)", h[n]));
+     }
--- a/utils/unzip/patches/006-CVE-2015-7697-infinite-loop.patch
+++ b/utils/unzip/patches/006-CVE-2015-7697-infinite-loop.patch
@ -0,0 +1,15 @@
+--- a/extract.c
+++ b/extract.c
+@@ -2728,6 +2728,12 @@ __GDEF
+     int repeated_buf_err;
+     bz_stream bstrm;
+ 
+    if (G.incnt <= 0 && G.csize <= 0L) {
+        /* avoid an infinite loop */
+        Trace((stderr, "UZbunzip2() got empty input\n"));
+        return 2;
+    }
+
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+     if (G.redirect_slide)
+         wsize = G.redirect_size, redirSlide = G.redirect_buffer;
--- a/utils/unzip/patches/007-integer-underflow-csiz_decrypted.patch
+++ b/utils/unzip/patches/007-integer-underflow-csiz_decrypted.patch
@ -0,0 +1,21 @@
+--- a/extract.c
+++ b/extract.c
+@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G
+         if (G.lrec.compression_method == STORED) {
+             zusz_t csiz_decrypted = G.lrec.csize;
+ 
+-            if (G.pInfo->encrypted)
+            if (G.pInfo->encrypted) {
+                if (csiz_decrypted <= 12) {
+                    /* handle the error now to prevent unsigned overflow */
+                    Info(slide, 0x401, ((char *)slide,
+                      LoadFarStringSmall(ErrUnzipNoFile),
+                      LoadFarString(InvalidComprData),
+                      LoadFarStringSmall2(Inflate)));
+                    return PK_ERR;
+                }
+                 csiz_decrypted -= 12;
+            }
+             if (G.lrec.ucsize != csiz_decrypted) {
+                 Info(slide, 0x401, ((char *)slide,
+                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),