From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001 From: travankor Date: Thu, 26 Dec 2019 06:50:22 -0700 Subject: [PATCH] unzip: fix CVE-2018-18384. --- srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ---------------- srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++- 2 files changed, 39 insertions(+), 29 deletions(-) delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch deleted file mode 100644 index 0124b0d62fc..00000000000 --- a/srcpkgs/unzip/patches/CVE-2014-9913.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: "Steven M. Schweda" -Subject: Fix CVE-2014-9913, buffer overflow in unzip -Bug: https://sourceforge.net/p/infozip/bugs/27/ -Bug-Debian: https://bugs.debian.org/847485 -Bug-Ubuntu: https://launchpad.net/bugs/387350 - ---- list.c -+++ list.c -@@ -339,7 +339,18 @@ - G.crec.compression_method == ENHDEFLATED) { - methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; - } else if (methnum >= NUM_METHODS) { -- sprintf(&methbuf[4], "%03u", G.crec.compression_method); -+ /* 2013-02-26 SMS. -+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913. -+ * Unexpectedly large compression methods overflow -+ * &methbuf[]. Use the old, three-digit decimal format -+ * for values which fit. Otherwise, sacrifice the -+ * colon, and use four-digit hexadecimal. -+ */ -+ if (G.crec.compression_method <= 999) { -+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); -+ } else { -+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); -+ } - } - - #if 0 /* GRR/Euro: add this? */ diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff index 43396fe0684..e0961ec9f13 100644 --- a/srcpkgs/unzip/patches/patch-list.c.diff +++ b/srcpkgs/unzip/patches/patch-list.c.diff @@ -1,10 +1,32 @@ -$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $ +$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $ +chunk 1: +CVE-2018-18384 fix from +https://sourceforge.net/p/infozip/bugs/53/ +and +https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/ + +chunk 2: Big-hammer fix for http://seclists.org/oss-sec/2014/q4/497 +chunk 3: +CVE-2014-9913 fix from +https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt +via +http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529 + --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 +++ list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[12]; + int longhdr=(uO.vflag>1); + #endif + int date_format; @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L; #endif @@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497 static ZCONST char dtype[]="NXFS"; /* see zi_short() */ static ZCONST char Far method[NUM_METHODS+1][8] = {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4", +@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844. ++ * Use the old decimal format only for values which fit. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */