poky/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch - openbmc/openbmc - Gitiles

 From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
 From: Nils Bars <nils.bars@t-online.de>
 Date: Mon, 17 Jan 2022 16:53:16 +0000
 Subject: [PATCH] Fix null pointer dereference and use of uninitialized data

 This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
 to read as many bytes as indicated by the extra field length attribute.
 Furthermore, this fixes a null pointer dereference if an archive contains an
 `EF_UNIPATH` extra field but does not have a filename set.
 ---
  fileio.c  | 5 ++++-
  process.c | 6 +++++-
  2 files changed, 9 insertions(+), 2 deletions(-)
 ---

 Patch from:
 https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
 https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
 Regenerated to apply without offsets.

 CVE: CVE-2021-4217

 Upstream-Status: Inactive-Upstream [infozip upstream inactive]

 Signed-off-by: Joe Slater <joe.slater@windriver.com>


 diff --git a/fileio.c b/fileio.c
 index 14460f3..1dc319e 100644
 --- a/fileio.c
 +++ b/fileio.c
 @@ -2301,8 +2301,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
              seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
                        (G.inptr-G.inbuf) + length);
          } else {
 -            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
 +            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
 +            if (bytes_read == 0)
                  return PK_EOF;
 +            if (bytes_read != length)
 +                return PK_ERR;
              /* Looks like here is where extra fields are read */
              if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
              {
 diff --git a/process.c b/process.c
 index 5f8f6c6..de843a5 100644
 --- a/process.c
 +++ b/process.c
 @@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
            G.unipath_checksum = makelong(offset + ef_buf);
            offset += 4;

 +          if (!G.filename_full) {
 +            /* Check if we have a unicode extra section but no filename set */
 +            return PK_ERR;
 +          }
 +
            /*
             * Compute 32-bit crc
             */
 -
            chksum = crc32(chksum, (uch *)(G.filename_full),
                           strlen(G.filename_full));

 --
 2.32.0
	From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
	From: Nils Bars <nils.bars@t-online.de>
	Date: Mon, 17 Jan 2022 16:53:16 +0000
	Subject: [PATCH] Fix null pointer dereference and use of uninitialized data

	This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
	to read as many bytes as indicated by the extra field length attribute.
	Furthermore, this fixes a null pointer dereference if an archive contains an
	`EF_UNIPATH` extra field but does not have a filename set.
	---
	fileio.c \| 5 ++++-
	process.c \| 6 +++++-
	2 files changed, 9 insertions(+), 2 deletions(-)
	---

	Patch from:
	https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
	https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
	Regenerated to apply without offsets.

	CVE: CVE-2021-4217

	Upstream-Status: Inactive-Upstream [infozip upstream inactive]

	Signed-off-by: Joe Slater <joe.slater@windriver.com>


	diff --git a/fileio.c b/fileio.c
	index 14460f3..1dc319e 100644
	--- a/fileio.c
	+++ b/fileio.c
	@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */
	seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
	(G.inptr-G.inbuf) + length);
	} else {
	- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
	+ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
	+ if (bytes_read == 0)
	return PK_EOF;
	+ if (bytes_read != length)
	+ return PK_ERR;
	/* Looks like here is where extra fields are read */
	if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
	{
	diff --git a/process.c b/process.c
	index 5f8f6c6..de843a5 100644
	--- a/process.c
	+++ b/process.c
	@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
	G.unipath_checksum = makelong(offset + ef_buf);
	offset += 4;

	+ if (!G.filename_full) {
	+ /* Check if we have a unicode extra section but no filename set */
	+ return PK_ERR;
	+ }
	+
	/*
	* Compute 32-bit crc
	*/
	-
	chksum = crc32(chksum, (uch *)(G.filename_full),
	strlen(G.filename_full));

	--
	2.32.0