| | |
| | | From: sms |
| | | Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow |
| | | Bug-Debian: http://bugs.debian.org/773722 |
| | | This patch is verbatim copy of unzip-6.0-cve-2014-8139.patch from unzip-6.0-57.fc36.src.rpm |
| | | |
| | | diff --git a/extract.c b/extract.c |
| | | index 9ef80b3..c741b5f 100644 |
| | | --- a/extract.c |
| | | +++ b/extract.c |
| | | @@ -1,5 +1,5 @@ |
| | |
| | | |
| | | See the accompanying file LICENSE, version 2009-Jan-02 or later |
| | | (the contents of which are also included in unzip.h) for terms of use. |
| | | @@ -298,6 +298,8 @@ |
| | | @@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] = |
| | | #ifndef SFX |
| | | static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ |
| | | EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; |
| | | + static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \ |
| | | + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ |
| | | + EF block length (%u bytes) invalid (< %d)\n"; |
| | | static ZCONST char Far InvalidComprDataEAs[] = |
| | | " invalid compressed data for EAs\n"; |
| | | # if (defined(WIN32) && defined(NTSD_EAS)) |
| | | @@ -2023,7 +2025,8 @@ |
| | | @@ -2020,7 +2022,8 @@ static int TestExtraField(__G__ ef, ef_len) |
| | | ebID = makeword(ef); |
| | | ebLen = (unsigned)makeword(ef+EB_LEN); |
| | | |
| | |
| | | /* Discovered some extra field inconsistency! */ |
| | | if (uO.qflag) |
| | | Info(slide, 1, ((char *)slide, "%-22s ", |
| | | @@ -2032,6 +2035,16 @@ |
| | | ebLen, (ef_len - EB_HEADSIZE))); |
| | | return PK_ERR; |
| | | } |
| | | + else if (ebLen < EB_HEADSIZE) |
| | | + { |
| | | + /* Extra block length smaller than header length. */ |
| | | + if (uO.qflag) |
| | | + Info(slide, 1, ((char *)slide, "%-22s ", |
| | | + FnFilter1(G.filename))); |
| | | + Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength), |
| | | + ebLen, EB_HEADSIZE)); |
| | | + return PK_ERR; |
| | | + } |
| | | @@ -2155,11 +2158,29 @@ static int TestExtraField(__G__ ef, ef_len) |
| | | } |
| | | break; |
| | | case EF_PKVMS: |
| | | - if (makelong(ef+EB_HEADSIZE) != |
| | | - crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), |
| | | - (extent)(ebLen-4))) |
| | | - Info(slide, 1, ((char *)slide, |
| | | - LoadFarString(BadCRC_EAs))); |
| | | + /* 2015-01-30 SMS. Added sufficient-bytes test/message |
| | | + * here. (Removed defective ebLen test above.) |
| | | + * |
| | | + * If sufficient bytes (EB_PKVMS_MINLEN) are available, |
| | | + * then compare the stored CRC value with the calculated |
| | | + * CRC for the remainder of the data (and complain about |
| | | + * a mismatch). |
| | | + */ |
| | | + if (ebLen < EB_PKVMS_MINLEN) |
| | | + { |
| | | + /* Insufficient bytes available. */ |
| | | + Info( slide, 1, |
| | | + ((char *)slide, LoadFarString( TooSmallEBlength), |
| | | + ebLen, EB_PKVMS_MINLEN)); |
| | | + } |
| | | + else if (makelong(ef+ EB_HEADSIZE) != |
| | | + crc32(CRCVAL_INITIAL, |
| | | + (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN), |
| | | + (extent)(ebLen- EB_PKVMS_MINLEN))) |
| | | + { |
| | | + Info(slide, 1, ((char *)slide, |
| | | + LoadFarString(BadCRC_EAs))); |
| | | + } |
| | | break; |
| | | case EF_PKW32: |
| | | case EF_PKUNIX: |
| | | diff --git a/unzpriv.h b/unzpriv.h |
| | | index 005cee0..5c83a6e 100644 |
| | | --- a/unzpriv.h |
| | | +++ b/unzpriv.h |
| | | @@ -1806,6 +1806,8 @@ |
| | | #define EB_NTSD_VERSION 4 /* offset of NTSD version byte */ |
| | | #define EB_NTSD_MAX_VER (0) /* maximum version # we know how to handle */ |
| | | |
| | | switch (ebID) { |
| | | case EF_OS2: |
| | | +#define EB_PKVMS_MINLEN 4 /* minimum data length of PKVMS extra block */ |
| | | + |
| | | #define EB_ASI_CRC32 0 /* offset of ASI Unix field's crc32 checksum */ |
| | | #define EB_ASI_MODE 4 /* offset of ASI Unix permission mode field */ |
| | | |
| | | |