From e143bf83e626231284b6872226b7a83111d6fe36 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Wed, 4 Nov 2015 00:07:04 -0300
Subject: unzip-6.0-11.parabola1: fix FS#46955 -> https://bugs.archlinux.org/task/46955
---
 libre/unzip/PKGBUILD | 10 +++++++---
 libre/unzip/csiz-underflow.patch | 32 ++++++++++++++++++++++++++++++++
 libre/unzip/empty-input.patch | 26 ++++++++++++++++++++++++++
 libre/unzip/nextbyte-overflow.patch | 33 +++++++++++++++++++++++++++++++++
 4 files changed, 98 insertions(+), 3 deletions(-)
 create mode 100644 libre/unzip/csiz-underflow.patch
 create mode 100644 libre/unzip/empty-input.patch
 create mode 100644 libre/unzip/nextbyte-overflow.patch
(limited to 'libre')
diff --git a/libre/unzip/PKGBUILD b/libre/unzip/PKGBUILD
index 79c081b2e..596b033aa 100644
--- a/libre/unzip/PKGBUILD
+++ b/libre/unzip/PKGBUILD
@@ -1,16 +1,17 @@
-# $Id: PKGBUILD 233850 2015-03-15 04:53:48Z bisson $
+# $Id: PKGBUILD 250045 2015-11-03 07:35:37Z bisson $
 # Maintainer (Arch): Gaetan Bisson
 # Contributor (Arch): Douglas Soares de Andrade
 # Contributor (Arch): Robson Peixoto
+# Maintainer: André Silva
 _pkgname=unzip-libre
 pkgname=unzip
 pkgver=6.0
 _pkgver=${pkgver/./}
-pkgrel=10.parabola1
+pkgrel=11.parabola1
 pkgdesc='For extracting and viewing files in .zip archives'
 url='http://www.info-zip.org/UnZip.html'
-arch=('i686' 'x86_64' 'mips64el')
+arch=('i686' 'x86_64' 'armv7h')
 license=('custom')
 depends=('bzip2' 'bash')
 conflicts=("${_pkgname}")
@@ -47,6 +48,9 @@ prepare() {
 patch -i ../test_compr_eb.patch # FS#43391
 patch -i ../getZip64Data.patch # FS#43300
 patch -i ../crc32.patch # FS#43300
+ patch -p1 -i ../empty-input.patch # FS#46955
+ patch -p1 -i ../csiz-underflow.patch # FS#46955
+ patch -p1 -i ../nextbyte-overflow.patch # FS#46955
 }
 build() {
diff --git a/libre/unzip/csiz-underflow.patch b/libre/unzip/csiz-underflow.patch
new file mode 100644
index 000000000..52321c208
--- /dev/null
+++ b/libre/unzip/csiz-underflow.patch
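Review bot: The three `patch -p1 -i ../*.patch` lines added to prepare() in the PKGBUILD apply files that this commit does not appear to register as sources. The diffstat's 7 additions and 3 deletions for PKGBUILD are fully accounted for by the two hunks shown, so the `source=()` array and its checksum array look untouched. Unless that is handled elsewhere, add `'empty-input.patch'`, `'csiz-underflow.patch'` and `'nextbyte-overflow.patch'` to `source=()` with matching checksum entries, so that makepkg places them in `$srcdir` and verifies their integrity before these security fixes are applied. prepare() begins outside the hunk.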
@@ -0,0 +1,32 @@
+From: Kamil Dudka
+Date: Tue, 22 Sep 2015 18:52:23 +0200
+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+
+Suggested-by: Stefan Cornelius
+---
+ extract.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@
+ if (G.lrec.compression_method == STORED) {
+ zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted <= 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+ csiz_decrypted -= 12;
++ }
+ if (G.lrec.ucsize != csiz_decrypted) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
diff --git a/libre/unzip/empty-input.patch b/libre/unzip/empty-input.patch
new file mode 100644
index 000000000..45cbe9278
--- /dev/null
+++ b/libre/unzip/empty-input.patch
@@ -0,0 +1,26 @@
+From: Kamil Dudka
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: fix infinite loop when extracting empty bzip2 data
+Bug-Debian: https://bugs.debian.org/802160
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2728,6 +2728,12 @@
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
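Review bot: The added guard `if (csiz_decrypted <= 12)` in the extract.c STORED branch also rejects a compressed size of exactly 12, where the following `csiz_decrypted -= 12` yields 0 and cannot wrap. If a stored, encrypted entry with an empty payload is legal (header bytes and nothing else), this turns it into a `PK_ERR` failure reported with `InvalidComprData`; `if (csiz_decrypted < 12) {` would still prevent the unsigned wrap. The literal 12 could also carry a comment such as `/* 12 = presumably the encryption header length that precedes the data */`, or use the named constant if one is in scope in this file. The enclosing function starts and ends outside the hunk.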
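Review bot: The early exit `return 2;` added at the top of what the trace string names as UZbunzip2() uses a bare status code whose meaning is not visible in the hunk. Its only diagnostic goes through `Trace`, which looks like a debug-only macro, so a regular build would presumably reject the entry without a specific message. Replacing `/* avoid an infinite loop */` with something like `/* no buffered input and no compressed bytes left: fail here instead of entering the decompression loop, which would never make progress */`, plus a word on how the caller treats 2, would make the guard easier to audit. The function body continues outside the hunk.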
diff --git a/libre/unzip/nextbyte-overflow.patch b/libre/unzip/nextbyte-overflow.patch
new file mode 100644
index 000000000..91482dae0
--- /dev/null
+++ b/libre/unzip/nextbyte-overflow.patch
@@ -0,0 +1,33 @@
+From: Petr Stodulka
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: Upstream fix for heap overflow
+Bug-Debian: https://bugs.debian.org/802162
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
+Forwarded: yes
+
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
-- cgit v1.2.3-54-g00ecf
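Review bot: The end-of-input test on the added line `if ((b = NEXTBYTE) == (ush)EOF)` in crypt.c only fires if `b` is declared `ush`; with an `int` b the stored -1 would never equal the promoted `(ush)EOF` value and the short-read check would silently do nothing. The declaration of `b` is outside the hunk, so this is worth confirming, and a short comment next to the cast (for example `/* b is ush: EOF is seen as (ush)EOF, a data byte 0xFF is not */`) would keep it from being "cleaned up" later. The early `return PK_ERR;` also leaves the function after `GLOBAL(pInfo->encrypted) = FALSE` and `defer_leftover_input(__G)` have already run; whether callers expect that state to be restored on failure is not visible here. The enclosing function starts and ends outside the hunk.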