import-layers/yocto-poky/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch - openbmc/openbmc - Gitiles

 From: sms
 Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
 Bug-Debian: http://bugs.debian.org/773722

 The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz

 Upstream-Status: Backport
 CVE: CVE-2014-8141

 Signed-off-by: Roy Li <rongqing.li@windriver.com>


 --- a/fileio.c
 +++ b/fileio.c
 @@ -176,6 +176,8 @@
  #endif
  static ZCONST char Far ExtraFieldTooLong[] =
    "warning:  extra field too long (%d).  Ignoring...\n";
 +static ZCONST char Far ExtraFieldCorrupt[] =
 +  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";

  #ifdef WINDLL
     static ZCONST char Far DiskFullQuery[] =
 @@ -2295,7 +2297,12 @@
              if (readbuf(__G__ (char *)G.extra_field, length) == 0)
                  return PK_EOF;
              /* Looks like here is where extra fields are read */
 -            getZip64Data(__G__ G.extra_field, length);
 +            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
 +            {
 +                Info(slide, 0x401, ((char *)slide,
 +                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
 +                error = PK_WARN;
 +            }
  #ifdef UNICODE_SUPPORT
              G.unipath_filename = NULL;
              if (G.UzO.U_flag < 2) {
 --- a/process.c
 +++ b/process.c
 @@ -1,5 +1,5 @@
  /*
 -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
 +  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.

    See the accompanying file LICENSE, version 2009-Jan-02 or later
    (the contents of which are also included in unzip.h) for terms of use.
 @@ -1901,48 +1901,82 @@
      and a 4-byte version of disk start number.
      Sets both local header and central header fields.  Not terribly clever,
      but it means that this procedure is only called in one place.
 +
 +    2014-12-05 SMS.
 +    Added checks to ensure that enough data are available before calling
 +    makeint64() or makelong().  Replaced various sizeof() values with
 +    simple ("4" or "8") constants.  (The Zip64 structures do not depend
 +    on our variable sizes.)  Error handling is crude, but we should now
 +    stay within the buffer.
    ---------------------------------------------------------------------------*/

 +#define Z64FLGS 0xffff
 +#define Z64FLGL 0xffffffff
 +
      if (ef_len == 0 || ef_buf == NULL)
          return PK_COOL;

      Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
        ef_len));

 -    while (ef_len >= EB_HEADSIZE) {
 +    while (ef_len >= EB_HEADSIZE)
 +    {
          eb_id = makeword(EB_ID + ef_buf);
          eb_len = makeword(EB_LEN + ef_buf);

 -        if (eb_len > (ef_len - EB_HEADSIZE)) {
 -            /* discovered some extra field inconsistency! */
 +        if (eb_len > (ef_len - EB_HEADSIZE))
 +        {
 +            /* Extra block length exceeds remaining extra field length. */
              Trace((stderr,
                "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
                ef_len - EB_HEADSIZE));
              break;
          }
 -        if (eb_id == EF_PKSZ64) {
 -
 +        if (eb_id == EF_PKSZ64)
 +        {
            int offset = EB_HEADSIZE;

 -          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
 -            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
 -            offset += sizeof(G.crec.ucsize);
 +          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
 +          {
 +            if (offset+ 8 > ef_len)
 +              return PK_ERR;
 +
 +            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
 +            offset += 8;
            }
 -          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
 -            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
 -            offset += sizeof(G.crec.csize);
 +
 +          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
 +          {
 +            if (offset+ 8 > ef_len)
 +              return PK_ERR;
 +
 +            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
 +            offset += 8;
            }
 -          if (G.crec.relative_offset_local_header == 0xffffffff){
 +
 +          if (G.crec.relative_offset_local_header == Z64FLGL)
 +          {
 +            if (offset+ 8 > ef_len)
 +              return PK_ERR;
 +
              G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
 -            offset += sizeof(G.crec.relative_offset_local_header);
 +            offset += 8;
            }
 -          if (G.crec.disk_number_start == 0xffff){
 +
 +          if (G.crec.disk_number_start == Z64FLGS)
 +          {
 +            if (offset+ 4 > ef_len)
 +              return PK_ERR;
 +
              G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
 -            offset += sizeof(G.crec.disk_number_start);
 +            offset += 4;
            }
 +#if 0
 +          break;                /* Expect only one EF_PKSZ64 block. */
 +#endif /* 0 */
          }

 -        /* Skip this extra field block */
 +        /* Skip this extra field block. */
          ef_buf += (eb_len + EB_HEADSIZE);
          ef_len -= (eb_len + EB_HEADSIZE);
      }
	From: sms
	Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
	Bug-Debian: http://bugs.debian.org/773722

	The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz

	Upstream-Status: Backport
	CVE: CVE-2014-8141

	Signed-off-by: Roy Li <rongqing.li@windriver.com>


	--- a/fileio.c
	+++ b/fileio.c
	@@ -176,6 +176,8 @@
	#endif
	static ZCONST char Far ExtraFieldTooLong[] =
	"warning: extra field too long (%d). Ignoring...\n";
	+static ZCONST char Far ExtraFieldCorrupt[] =
	+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";

	#ifdef WINDLL
	static ZCONST char Far DiskFullQuery[] =
	@@ -2295,7 +2297,12 @@
	if (readbuf(__G__ (char *)G.extra_field, length) == 0)
	return PK_EOF;
	/* Looks like here is where extra fields are read */
	- getZip64Data(__G__ G.extra_field, length);
	+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
	+ {
	+ Info(slide, 0x401, ((char *)slide,
	+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
	+ error = PK_WARN;
	+ }
	#ifdef UNICODE_SUPPORT
	G.unipath_filename = NULL;
	if (G.UzO.U_flag < 2) {
	--- a/process.c
	+++ b/process.c
	@@ -1,5 +1,5 @@
	/*
	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
	+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.

	See the accompanying file LICENSE, version 2009-Jan-02 or later
	(the contents of which are also included in unzip.h) for terms of use.
	@@ -1901,48 +1901,82 @@
	and a 4-byte version of disk start number.
	Sets both local header and central header fields. Not terribly clever,
	but it means that this procedure is only called in one place.
	+
	+ 2014-12-05 SMS.
	+ Added checks to ensure that enough data are available before calling
	+ makeint64() or makelong(). Replaced various sizeof() values with
	+ simple ("4" or "8") constants. (The Zip64 structures do not depend
	+ on our variable sizes.) Error handling is crude, but we should now
	+ stay within the buffer.
	---------------------------------------------------------------------------*/

	+#define Z64FLGS 0xffff
	+#define Z64FLGL 0xffffffff
	+
	if (ef_len == 0 \|\| ef_buf == NULL)
	return PK_COOL;

	Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
	ef_len));

	- while (ef_len >= EB_HEADSIZE) {
	+ while (ef_len >= EB_HEADSIZE)
	+ {
	eb_id = makeword(EB_ID + ef_buf);
	eb_len = makeword(EB_LEN + ef_buf);

	- if (eb_len > (ef_len - EB_HEADSIZE)) {
	- /* discovered some extra field inconsistency! */
	+ if (eb_len > (ef_len - EB_HEADSIZE))
	+ {
	+ /* Extra block length exceeds remaining extra field length. */
	Trace((stderr,
	"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
	ef_len - EB_HEADSIZE));
	break;
	}
	- if (eb_id == EF_PKSZ64) {
	-
	+ if (eb_id == EF_PKSZ64)
	+ {
	int offset = EB_HEADSIZE;

	- if (G.crec.ucsize == 0xffffffff \|\| G.lrec.ucsize == 0xffffffff){
	- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
	- offset += sizeof(G.crec.ucsize);
	+ if ((G.crec.ucsize == Z64FLGL) \|\| (G.lrec.ucsize == Z64FLGL))
	+ {
	+ if (offset+ 8 > ef_len)
	+ return PK_ERR;
	+
	+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
	+ offset += 8;
	}
	- if (G.crec.csize == 0xffffffff \|\| G.lrec.csize == 0xffffffff){
	- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
	- offset += sizeof(G.crec.csize);
	+
	+ if ((G.crec.csize == Z64FLGL) \|\| (G.lrec.csize == Z64FLGL))
	+ {
	+ if (offset+ 8 > ef_len)
	+ return PK_ERR;
	+
	+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
	+ offset += 8;
	}
	- if (G.crec.relative_offset_local_header == 0xffffffff){
	+
	+ if (G.crec.relative_offset_local_header == Z64FLGL)
	+ {
	+ if (offset+ 8 > ef_len)
	+ return PK_ERR;
	+
	G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
	- offset += sizeof(G.crec.relative_offset_local_header);
	+ offset += 8;
	}
	- if (G.crec.disk_number_start == 0xffff){
	+
	+ if (G.crec.disk_number_start == Z64FLGS)
	+ {
	+ if (offset+ 4 > ef_len)
	+ return PK_ERR;
	+
	G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
	- offset += sizeof(G.crec.disk_number_start);
	+ offset += 4;
	}
	+#if 0
	+ break; /* Expect only one EF_PKSZ64 block. */
	+#endif /* 0 */
	}

	- /* Skip this extra field block */
	+ /* Skip this extra field block. */
	ef_buf += (eb_len + EB_HEADSIZE);
	ef_len -= (eb_len + EB_HEADSIZE);
	}