rpms / unzip

Clone
Source Code
GIT

Blame unzip-6.0-heap-overflow-infloop.patch

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main private-pstodulk-beta pstodulk_segment rawhide
  1.   9334f086e1dbca44d492209ab077d0c31eadc6d1
  2.   unzip-6.0-heap-overflow-infloop.patch
Blob History Raw
dbce0b0 
From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001
dbce0b0 
From: Petr Stodulka <pstodulk@redhat.com>
dbce0b0 
Date: Mon, 14 Sep 2015 18:23:17 +0200
d18f821 
Subject: [PATCH 1/3] upstream fix for heap overflow
dbce0b0
dbce0b0 
https://bugzilla.redhat.com/attachment.cgi?id=1073002
dbce0b0 
---
dbce0b0 
 crypt.c | 12 +++++++++++-
dbce0b0 
 1 file changed, 11 insertions(+), 1 deletion(-)
dbce0b0
dbce0b0 
diff --git a/crypt.c b/crypt.c
dbce0b0 
index 784e411..a8975f2 100644
dbce0b0 
--- a/crypt.c
dbce0b0 
+++ b/crypt.c
dbce0b0 
@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
dbce0b0 
     GLOBAL(pInfo->encrypted) = FALSE;
dbce0b0 
     defer_leftover_input(__G);
dbce0b0 
     for (n = 0; n < RAND_HEAD_LEN; n++) {
dbce0b0 
-        b = NEXTBYTE;
dbce0b0 
+        /* 2012-11-23 SMS.  (OUSPG report.)
dbce0b0 
+         * Quit early if compressed size < HEAD_LEN.  The resulting
dbce0b0 
+         * error message ("unable to get password") could be improved,
dbce0b0 
+         * but it's better than trying to read nonexistent data, and
dbce0b0 
+         * then continuing with a negative G.csize.  (See
dbce0b0 
+         * fileio.c:readbyte()).
dbce0b0 
+         */
dbce0b0 
+        if ((b = NEXTBYTE) == (ush)EOF)
dbce0b0 
+        {
dbce0b0 
+            return PK_ERR;
dbce0b0 
+        }
dbce0b0 
         h[n] = (uch)b;
dbce0b0 
         Trace((stdout, " (%02x)", h[n]));
dbce0b0 
     }
dbce0b0 
--
dbce0b0 
2.4.6
dbce0b0
dbce0b0
dbce0b0 
From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001
dbce0b0 
From: Kamil Dudka <kdudka@redhat.com>
dbce0b0 
Date: Mon, 14 Sep 2015 18:24:56 +0200
d18f821 
Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data
dbce0b0
dbce0b0 
Bug: https://sourceforge.net/p/infozip/patches/23/
dbce0b0 
---
dbce0b0 
 extract.c | 6 ++++++
dbce0b0 
 1 file changed, 6 insertions(+)
dbce0b0
dbce0b0 
diff --git a/extract.c b/extract.c
dbce0b0 
index 7134bfe..29db027 100644
dbce0b0 
--- a/extract.c
dbce0b0 
+++ b/extract.c
dbce0b0 
@@ -2733,6 +2733,12 @@ __GDEF
dbce0b0 
     int repeated_buf_err;
dbce0b0 
     bz_stream bstrm;
dbce0b0
dbce0b0 
+    if (G.incnt <= 0 && G.csize <= 0L) {
dbce0b0 
+        /* avoid an infinite loop */
dbce0b0 
+        Trace((stderr, "UZbunzip2() got empty input\n"));
dbce0b0 
+        return 2;
dbce0b0 
+    }
dbce0b0 
+
dbce0b0 
 #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
dbce0b0 
     if (G.redirect_slide)
dbce0b0 
         wsize = G.redirect_size, redirSlide = G.redirect_buffer;
dbce0b0 
--
dbce0b0 
2.4.6
dbce0b0
d18f821
d18f821 
From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
d18f821 
From: Kamil Dudka <kdudka@redhat.com>
d18f821 
Date: Tue, 22 Sep 2015 18:52:23 +0200
d18f821 
Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input
d18f821
d18f821 
Suggested-by: Stefan Cornelius
d18f821 
---
d18f821 
 extract.c | 11 ++++++++++-
d18f821 
 1 file changed, 10 insertions(+), 1 deletion(-)
d18f821
d18f821 
diff --git a/extract.c b/extract.c
d18f821 
index 29db027..b9ae667 100644
d18f821 
--- a/extract.c
d18f821 
+++ b/extract.c
d18f821 
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
d18f821 
         if (G.lrec.compression_method == STORED) {
d18f821 
             zusz_t csiz_decrypted = G.lrec.csize;
d18f821
d18f821 
-            if (G.pInfo->encrypted)
d18f821 
+            if (G.pInfo->encrypted) {
36af2c8 
+                if (csiz_decrypted < 12) {
d18f821 
+                    /* handle the error now to prevent unsigned overflow */
d18f821 
+                    Info(slide, 0x401, ((char *)slide,
d18f821 
+                      LoadFarStringSmall(ErrUnzipNoFile),
d18f821 
+                      LoadFarString(InvalidComprData),
d18f821 
+                      LoadFarStringSmall2(Inflate)));
d18f821 
+                    return PK_ERR;
d18f821 
+                }
d18f821 
                 csiz_decrypted -= 12;
d18f821 
+            }
d18f821 
             if (G.lrec.ucsize != csiz_decrypted) {
d18f821 
                 Info(slide, 0x401, ((char *)slide,
d18f821 
                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
d18f821 
--
d18f821 
2.5.2
d18f821
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.