1From: sms
2Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
3Bug-Debian: http://bugs.debian.org/773722
4
5The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
6
7Upstream-Status: Backport
8CVE: CVE-2014-8139
9
10Signed-off-by: Roy Li <rongqing.li@windriver.com>
11
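--- a/extract.c
+++ b/extract.c
@@ -298,6 +298,8 @@
 #ifndef SFX
 static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
 EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
 static ZCONST char Far InvalidComprDataEAs[] =
 " invalid compressed data for EAs\n";
 # if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@
 ebID = makeword(ef);
 ebLen = (unsigned)makeword(ef+EB_LEN);
 
- if (ebLen > (ef_len - EB_HEADSIZE)) {
+ if (ebLen > (ef_len - EB_HEADSIZE))
+ {
 /* Discovered some extra field inconsistency! */
 if (uO.qflag)
 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2158,11 +2161,19 @@
 }
 break;
 case EF_PKVMS:
- if (makelong(ef+EB_HEADSIZE) !=
+ if (ebLen < 4)
+ {
+ Info(slide, 1,
+ ((char *)slide, LoadFarString(TooSmallEBlength),
+ ebLen, 4));
+ }
+ else if (makelong(ef+EB_HEADSIZE) !=
 crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
 (extent)(ebLen-4)))
+ {
 Info(slide, 1, ((char *)slide,
 LoadFarString(BadCRC_EAs)));
+ }
 break;
 case EF_PKW32:
 case EF_PKUNIX: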
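Review bot: In the `EF_PKVMS` case the new `ebLen < 4` guard is the only thing that stops `(extent)(ebLen-4)` from wrapping to a huge length for `crc32()`, yet the code does not say so and the bare `4` is repeated in the check, the message argument and the `crc32()` call. A comment such as `/* block begins with a 4-byte CRC; ebLen-4 would wrap for shorter blocks */` and a named constant for the CRC size would make it harder for a later edit to drop or desynchronise the check. The short-block branch only prints `TooSmallEBlength` and then reaches `break`, as the bad-CRC branch does, so no error status is set in the visible lines. The rest of the function is outside the hunk, so it is worth confirming that a malformed block makes the archive test report failure rather than success. The guard also relies on the earlier `ebLen > (ef_len - EB_HEADSIZE)` check for its upper bound, which the second hunk re-braces without otherwise changing.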