From: voidlinux-github@inbox.vuxu.org
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] unzip: fix CVE-2018-18384.
Date: Thu, 26 Dec 2019 15:13:17 +0100 [thread overview]
Message-ID: <20191226141317.AyT4SuLV2VaBleOB6_5EzRkx5Sagwl5yuOXeumhU0YQ@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-17796@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 357 bytes --]
There is an updated pull request by travankor against master on the void-packages repository
https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796
unzip: fix CVE-2018-18384.
Add bsdunzip as a alternative to unzip.
A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 4324 bytes --]
From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH] unzip: fix CVE-2018-18384.
---
srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++-
2 files changed, 39 insertions(+), 29 deletions(-)
delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch
diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
- G.crec.compression_method == ENHDEFLATED) {
- methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
- } else if (methnum >= NUM_METHODS) {
-- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+ /* 2013-02-26 SMS.
-+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the
-+ * colon, and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+ }
- }
-
- #if 0 /* GRR/Euro: add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
Big-hammer fix for
http://seclists.org/oss-sec/2014/q4/497
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
--- list.c.orig 2009-02-08 17:11:34.000000000 +0000
+++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[12];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
@@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type
ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
#endif
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
static ZCONST char dtype[]="NXFS"; /* see zi_short() */
static ZCONST char Far method[NUM_METHODS+1][8] =
{"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++ * Use the old decimal format only for values which fit.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
next prev parent reply other threads:[~2019-12-26 14:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-26 13:57 [PR PATCH] " voidlinux-github
2019-12-26 14:13 ` voidlinux-github [this message]
2019-12-26 14:13 ` [PR PATCH] [Updated] " voidlinux-github
2019-12-26 21:07 ` [PR PATCH] [Merged]: " voidlinux-github
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191226141317.AyT4SuLV2VaBleOB6_5EzRkx5Sagwl5yuOXeumhU0YQ@z \
--to=voidlinux-github@inbox.vuxu.org \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).