From ee4e72f3fc47f04af21d4860cc2604cf69d37dac Mon Sep 17 00:00:00 2001 From: Petr Stodulka Date: Dec 14 2016 15:59:00 +0000 Subject: Fix CVE-2016-9844 - buffer overflow in zipinfo Resolves: #1404283 --- diff --git a/0001-Fix-CVE-2016-9844-rhbz-1404283.patch b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch new file mode 100644 index 0000000..0e4a173 --- /dev/null +++ b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch @@ -0,0 +1,39 @@ +From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 14 Dec 2016 16:30:36 +0100 +Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283) + +Fixes buffer overflow in zipinfo in similar way like fix for +CVE-2014-9913 provided by upstream. +--- + zipinfo.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/zipinfo.c b/zipinfo.c +index c03620e..accca2a 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -1984,7 +1984,19 @@ static int zi_short(__G) /* return PK-type error code */ + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } ++ + } + + for (k = 0; k < 15; ++k) +-- +2.5.5 + diff --git a/unzip.spec b/unzip.spec index 42c94ff..743dd57 100644 --- a/unzip.spec +++ b/unzip.spec @@ -7,7 +7,7 @@ Summary: A utility for unpacking zip files Name: unzip Version: 6.0 -Release: 30%{?dist} +Release: 31%{?dist} License: BSD Group: Applications/Archiving Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -49,6 +49,7 @@ Patch18: unzip-6.0-heap-overflow-infloop.patch # support non-{latin,unicode} encoding Patch19: unzip-6.0-alt-iconv-utf8.patch Patch20: unzip-6.0-alt-iconv-utf8-print.patch +Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch URL: http://www.info-zip.org/UnZip.html BuildRequires: bzip2-devel @@ -86,7 +87,7 @@ a zip archive. %patch18 -p1 -b .heap-overflow-infloop %patch19 -p1 -b .utf %patch20 -p1 -b .utf-print - +%patch21 -p1 -b .cve-2016-9844 %build # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X @@ -106,6 +107,10 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{ %{_mandir}/*/* %changelog +* Wed Dec 14 2016 Petr Stodulka - 6.0-31 +- Fix CVE-2016-9844 - buffer overflow in zipinfo + Resolves: #1404283 + * Thu Jul 14 2016 Petr Stodulka - 6.0-30 - rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch so linking is now configurable from the spec file