unzip: patch CVE-2015-7696, CVE-2015-7697 and integer underflow
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This commit is contained in:
parent
f8a70fc188
commit
8a70ddefc7
|
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
|
|||
PKG_NAME:=unzip
|
||||
PKG_REV:=60
|
||||
PKG_VERSION:=6.0
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)$(PKG_REV).tar.gz
|
||||
PKG_SOURCE_URL:=@SF/infozip
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
--- a/crypt.c
|
||||
+++ b/crypt.c
|
||||
@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
|
||||
GLOBAL(pInfo->encrypted) = FALSE;
|
||||
defer_leftover_input(__G);
|
||||
for (n = 0; n < RAND_HEAD_LEN; n++) {
|
||||
- b = NEXTBYTE;
|
||||
+ /* 2012-11-23 SMS. (OUSPG report.)
|
||||
+ * Quit early if compressed size < HEAD_LEN. The resulting
|
||||
+ * error message ("unable to get password") could be improved,
|
||||
+ * but it's better than trying to read nonexistent data, and
|
||||
+ * then continuing with a negative G.csize. (See
|
||||
+ * fileio.c:readbyte()).
|
||||
+ */
|
||||
+ if ((b = NEXTBYTE) == (ush)EOF)
|
||||
+ {
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
h[n] = (uch)b;
|
||||
Trace((stdout, " (%02x)", h[n]));
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -2728,6 +2728,12 @@ __GDEF
|
||||
int repeated_buf_err;
|
||||
bz_stream bstrm;
|
||||
|
||||
+ if (G.incnt <= 0 && G.csize <= 0L) {
|
||||
+ /* avoid an infinite loop */
|
||||
+ Trace((stderr, "UZbunzip2() got empty input\n"));
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
|
||||
if (G.redirect_slide)
|
||||
wsize = G.redirect_size, redirSlide = G.redirect_buffer;
|
|
@ -0,0 +1,21 @@
|
|||
--- a/extract.c
|
||||
+++ b/extract.c
|
||||
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G
|
||||
if (G.lrec.compression_method == STORED) {
|
||||
zusz_t csiz_decrypted = G.lrec.csize;
|
||||
|
||||
- if (G.pInfo->encrypted)
|
||||
+ if (G.pInfo->encrypted) {
|
||||
+ if (csiz_decrypted <= 12) {
|
||||
+ /* handle the error now to prevent unsigned overflow */
|
||||
+ Info(slide, 0x401, ((char *)slide,
|
||||
+ LoadFarStringSmall(ErrUnzipNoFile),
|
||||
+ LoadFarString(InvalidComprData),
|
||||
+ LoadFarStringSmall2(Inflate)));
|
||||
+ return PK_ERR;
|
||||
+ }
|
||||
csiz_decrypted -= 12;
|
||||
+ }
|
||||
if (G.lrec.ucsize != csiz_decrypted) {
|
||||
Info(slide, 0x401, ((char *)slide,
|
||||
LoadFarStringSmall2(WrnStorUCSizCSizDiff),
|
Loading…
Reference in New Issue