| From: sms |
| Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow |
| Bug-Debian: http://bugs.debian.org/773722 |
| |
| The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| |
| Upstream-Status: Backport |
| CVE: CVE-2014-8139 |
| |
| Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| |
| --- a/extract.c |
| +++ b/extract.c |
| @@ -298,6 +298,8 @@ |
| #ifndef SFX |
| static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ |
| EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; |
| + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ |
| + EF block length (%u bytes) invalid (< %d)\n"; |
| static ZCONST char Far InvalidComprDataEAs[] = |
| " invalid compressed data for EAs\n"; |
| # if (defined(WIN32) && defined(NTSD_EAS)) |
| @@ -2023,7 +2025,8 @@ |
| ebID = makeword(ef); |
| ebLen = (unsigned)makeword(ef+EB_LEN); |
| |
| - if (ebLen > (ef_len - EB_HEADSIZE)) { |
| + if (ebLen > (ef_len - EB_HEADSIZE)) |
| + { |
| /* Discovered some extra field inconsistency! */ |
| if (uO.qflag) |
| Info(slide, 1, ((char *)slide, "%-22s ", |
| @@ -2158,11 +2161,19 @@ |
| } |
| break; |
| case EF_PKVMS: |
| - if (makelong(ef+EB_HEADSIZE) != |
| + if (ebLen < 4) |
| + { |
| + Info(slide, 1, |
| + ((char *)slide, LoadFarString(TooSmallEBlength), |
| + ebLen, 4)); |
| + } |
| + else if (makelong(ef+EB_HEADSIZE) != |
| crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), |
| (extent)(ebLen-4))) |
| + { |
| Info(slide, 1, ((char *)slide, |
| LoadFarString(BadCRC_EAs))); |
| + } |
| break; |
| case EF_PKW32: |
| case EF_PKUNIX: |