summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbsiegert <bsiegert>2015-11-20 21:05:34 +0000
committerbsiegert <bsiegert>2015-11-20 21:05:34 +0000
commit246c13d35742e663c29b3b20f53e998c06259911 (patch)
tree463615eaefd537991f7fb44fb4e51dda67dce85f
parent8568cee22d9c0909ed737b3010b96e2ad9fbfd77 (diff)
downloadpkgsrc-246c13d35742e663c29b3b20f53e998c06259911.tar.gz
Pullup ticket #4855 - requested by he
archivers/unzip: security fix Revisions pulled up: - archivers/unzip/Makefile 1.91 - archivers/unzip/distinfo 1.29 - archivers/unzip/patches/patch-crypt.c 1.1 - archivers/unzip/patches/patch-extract.c 1.3 --- Module Name: pkgsrc Committed By: wiz Date: Wed Nov 11 12:47:27 UTC 2015 Modified Files: pkgsrc/archivers/unzip: Makefile distinfo pkgsrc/archivers/unzip/patches: patch-extract.c Added Files: pkgsrc/archivers/unzip/patches: patch-crypt.c Log Message: Add patches to fix CVE-2015-7696, CVE-2015-7697, and an integer underflow. From Debian. Bump PKGREVISION.
-rw-r--r--archivers/unzip/Makefile4
-rw-r--r--archivers/unzip/distinfo5
-rw-r--r--archivers/unzip/patches/patch-crypt.c26
-rw-r--r--archivers/unzip/patches/patch-extract.c46
4 files changed, 72 insertions, 9 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 9764f92867e..be6b91991a4 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.90 2015/06/05 12:22:28 sevan Exp $
+# $NetBSD: Makefile,v 1.90.4.1 2015/11/20 21:05:34 bsiegert Exp $
DISTNAME= unzip60
PKGNAME= unzip-6.0
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= archivers
MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/
EXTRACT_SUFX= .tgz
diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo
index 3e2133585d7..a184e361df3 100644
--- a/archivers/unzip/distinfo
+++ b/archivers/unzip/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.27 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: distinfo,v 1.27.6.1 2015/11/20 21:05:34 bsiegert Exp $
SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
Size (unzip60.tgz) = 1376845 bytes
SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69
SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154
-SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac
+SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
+SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635
SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
diff --git a/archivers/unzip/patches/patch-crypt.c b/archivers/unzip/patches/patch-crypt.c
new file mode 100644
index 00000000000..e7e6d53e174
--- /dev/null
+++ b/archivers/unzip/patches/patch-crypt.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-crypt.c,v 1.1.2.2 2015/11/20 21:05:34 bsiegert Exp $
+
+Bug fix for heap overflow, from Debian.
+CVE-2015-7696
+
+--- crypt.c.orig 2007-01-05 15:47:36.000000000 +0000
++++ crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c
index 28f43e55a20..7f6c62ff82a 100644
--- a/archivers/unzip/patches/patch-extract.c
+++ b/archivers/unzip/patches/patch-extract.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: patch-extract.c,v 1.2.6.1 2015/11/20 21:05:34 bsiegert Exp $
Fixes for
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
@@ -17,6 +17,10 @@ possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
+* CVE-2015-7697 (from Debian)
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
+* integer underflow
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
--- extract.c.orig 2009-03-14 01:32:52.000000000 +0000
+++ extract.c
@@ -36,7 +40,26 @@ This patch ensures that when extra fields use STORED mode, the
static ZCONST char Far InvalidComprDataEAs[] =
" invalid compressed data for EAs\n";
# if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G
+ if (G.lrec.compression_method == STORED) {
+ zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted <= 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+ csiz_decrypted -= 12;
++ }
+ if (G.lrec.ucsize != csiz_decrypted) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l
ebID = makeword(ef);
ebLen = (unsigned)makeword(ef+EB_LEN);
@@ -46,7 +69,7 @@ This patch ensures that when extra fields use STORED mode, the
/* Discovered some extra field inconsistency! */
if (uO.qflag)
Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l
ebLen, (ef_len - EB_HEADSIZE)));
return PK_ERR;
}
@@ -63,7 +86,7 @@ This patch ensures that when extra fields use STORED mode, the
switch (ebID) {
case EF_OS2:
-@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si
ulg eb_ucsize;
uch *eb_ucptr;
int r;
@@ -71,7 +94,7 @@ This patch ensures that when extra fields use STORED mode, the
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
-@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si
eb_size <= (compr_offset + EB_CMPRHEADLEN)))
return IZ_EF_TRUNC; /* no compressed data! */
@@ -85,3 +108,16 @@ This patch ensures that when extra fields use STORED mode, the
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
+@@ -2701,6 +2731,12 @@ __GDEF
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;