Alexander Bluhm <alexander.bl...@gmx.net> writes:

> Hi,
>
> There are a bunch of CVE and other fixes for unzip in the Debian and
> Red Hat bug trackers.  I added the links to the patch files.  The fix
> for CVE-2014-9636 got an update, so we have a diff on top of a diff.
>
> Unfortunately unzip did its last release in 2009 and they do not
> offer patches on their web site.
>
> ok?

Does this:

  "Fix: restore uid and gid information when requested"

mean that the pledge calls should also list "chown"?

Maybe this should be put in a bulk build, for extra safety?

> bluhm
>
> Index: archivers/unzip/Makefile
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/ports/archivers/unzip/Makefile,v
> retrieving revision 1.59
> diff -u -p -r1.59 Makefile
> --- archivers/unzip/Makefile  13 Sep 2016 11:44:06 -0000      1.59
> +++ archivers/unzip/Makefile  21 Mar 2017 15:24:39 -0000
> @@ -7,7 +7,7 @@ COMMENT =     extract, list & test files in 
>  VERSION =    6.0
>  DISTNAME =   unzip${VERSION:S/.//}
>  PKGNAME =    unzip-${VERSION}
> -REVISION =   9
> +REVISION =   10
>  CATEGORIES = archivers
>  MASTER_SITES =       ${MASTER_SITE_SOURCEFORGE:=infozip/} \
>               ftp://ftp.info-zip.org/pub/infozip/src/
> Index: archivers/unzip/patches/patch-crypt_c
> ===================================================================
> RCS file: archivers/unzip/patches/patch-crypt_c
> diff -N archivers/unzip/patches/patch-crypt_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ archivers/unzip/patches/patch-crypt_c     21 Mar 2017 16:24:58 -0000
> @@ -0,0 +1,28 @@
> +$OpenBSD$
> +
> +Fix CVE-2015-7696: upstream fix for heap overflow
> +    https://bugs.debian.org/802162
> +    https://bugzilla.redhat.com/show_bug.cgi?id=1260944
> +    https://bugzilla.redhat.com/attachment.cgi?id=1073002
> +
> +--- crypt.c.orig     Fri Jan  5 16:47:36 2007
> ++++ crypt.c  Tue Mar 21 16:10:27 2017
> +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
> +     GLOBAL(pInfo->encrypted) = FALSE;
> +     defer_leftover_input(__G);
> +     for (n = 0; n < RAND_HEAD_LEN; n++) {
> +-        b = NEXTBYTE;
> ++        /* 2012-11-23 SMS.  (OUSPG report.)
> ++         * Quit early if compressed size < HEAD_LEN.  The resulting
> ++         * error message ("unable to get password") could be improved,
> ++         * but it's better than trying to read nonexistent data, and
> ++         * then continuing with a negative G.csize.  (See
> ++         * fileio.c:readbyte()).
> ++         */
> ++        if ((b = NEXTBYTE) == (ush)EOF)
> ++        {
> ++            return PK_ERR;
> ++        }
> +         h[n] = (uch)b;
> +         Trace((stdout, " (%02x)", h[n]));
> +     }
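Review bot: The added `return PK_ERR` is taken after `defer_leftover_input(__G)` (two lines above the loop) has already switched the input state; if the original body undoes that deferral after the loop — the rest of decrypt() is outside this hunk — this early exit skips it, so either confirm the caller tolerates input left in deferred mode or undo the deferral before returning. The test `(b = NEXTBYTE) == (ush)EOF` only works because `b` is presumably an `ush`, wide enough that the truncated EOF (0xFFFF) can never collide with a real byte value; `b`'s declaration is not in the hunk, so a short comment such as `/* b is ush: (ush)EOF == 0xFFFF never matches a real byte */` would make that assumption explicit. decrypt() starts and ends outside the hunk.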
> Index: archivers/unzip/patches/patch-extract_c
> ===================================================================
> RCS file: 
> /data/mirror/openbsd/cvs/ports/archivers/unzip/patches/patch-extract_c,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-extract_c
> --- archivers/unzip/patches/patch-extract_c   6 Feb 2015 21:37:04 -0000       
> 1.1
> +++ archivers/unzip/patches/patch-extract_c   21 Mar 2017 16:24:58 -0000
> @@ -1,11 +1,20 @@
>  $OpenBSD: patch-extract_c,v 1.1 2015/02/06 21:37:04 naddy Exp $
>  
> +Fix CVE-2015-7696: prevent unsigned overflow on invalid input
> +    https://bugzilla.redhat.com/attachment.cgi?id=1075942
> +    https://bugzilla.redhat.com/show_bug.cgi?id=1260944
>  Fix CVE-2014-8139: CRC32 verification heap-based overflow
> +    https://bugzilla.redhat.com/show_bug.cgi?id=1174844
> +    https://bugzilla.redhat.com/attachment.cgi?id=989833
>  Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
>  Fix CVE-2014-9636: out-of-bounds read/write in test_compr_eb()
> +Fix CVE-2015-7697: infinite loop when extracting empty bzip2 data
> +    https://bugs.debian.org/802160
> +    https://bugzilla.redhat.com/show_bug.cgi?id=1260944
> +    https://bugzilla.redhat.com/attachment.cgi?id=1073339
>  
>  --- extract.c.orig   Sat Mar 14 02:32:52 2009
> -+++ extract.c        Thu Feb  5 18:58:23 2015
> ++++ extract.c        Tue Mar 21 16:10:27 2017
>  @@ -1,5 +1,5 @@
>   /*
>  -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
> @@ -22,7 +31,26 @@ Fix CVE-2014-9636: out-of-bounds read/wr
>      static ZCONST char Far InvalidComprDataEAs[] =
>        " invalid compressed data for EAs\n";
>   #  if (defined(WIN32) && defined(NTSD_EAS))
> -@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
> +@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
> +         if (G.lrec.compression_method == STORED) {
> +             zusz_t csiz_decrypted = G.lrec.csize;
> + 
> +-            if (G.pInfo->encrypted)
> ++            if (G.pInfo->encrypted) {
> ++                if (csiz_decrypted < 12) {
> ++                    /* handle the error now to prevent unsigned overflow */
> ++                    Info(slide, 0x401, ((char *)slide,
> ++                      LoadFarStringSmall(ErrUnzipNoFile),
> ++                      LoadFarString(InvalidComprData),
> ++                      LoadFarStringSmall2(Inflate)));
> ++                    return PK_ERR;
> ++                }
> +                 csiz_decrypted -= 12;
> ++            }
> +             if (G.lrec.ucsize != csiz_decrypted) {
> +                 Info(slide, 0x401, ((char *)slide,
> +                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
> +@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_len)
>           ebID = makeword(ef);
>           ebLen = (unsigned)makeword(ef+EB_LEN);
>   
> @@ -32,7 +60,7 @@ Fix CVE-2014-9636: out-of-bounds read/wr
>              /* Discovered some extra field inconsistency! */
>               if (uO.qflag)
>                   Info(slide, 1, ((char *)slide, "%-22s ",
> -@@ -2158,11 +2161,19 @@ static int TestExtraField(__G__ ef, ef_len)
> +@@ -2158,11 +2170,19 @@ static int TestExtraField(__G__ ef, ef_len)
>                   }
>                   break;
>               case EF_PKVMS:
> @@ -53,7 +81,7 @@ Fix CVE-2014-9636: out-of-bounds read/wr
>                   break;
>               case EF_PKW32:
>               case EF_PKUNIX:
> -@@ -2217,14 +2228,30 @@ static int test_compr_eb(__G__ eb, eb_size, 
> compr_offs
> +@@ -2217,15 +2237,32 @@ static int test_compr_eb(__G__ eb, eb_size, 
> compr_offs
>       ulg eb_ucsize;
>       uch *eb_ucptr;
>       int r;
> @@ -76,14 +104,29 @@ Fix CVE-2014-9636: out-of-bounds read/wr
>  +     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
>  +     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
>  +        return IZ_EF_TRUNC;             /* no/bad compressed data! */
> -+
> -+    /* 2014-11-03 Michal Zalewski, SMS.
> + 
> ++    /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
>  +     * For STORE method, compressed and uncompressed sizes must agree.
>  +     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
>  +     */
>  +    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
> -+    if ((eb_compr_method == STORED) && (eb_size - compr_offset != 
> eb_ucsize))
> ++    if ((eb_compr_method == STORED) &&
> ++     (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
>  +        return PK_ERR;
> - 
> ++
>       if (
>   #ifdef INT_16BIT
> +         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
> +@@ -2700,6 +2737,12 @@ __GDEF
> +     int err=BZ_OK;
> +     int repeated_buf_err;
> +     bz_stream bstrm;
> ++
> ++    if (G.incnt <= 0 && G.csize <= 0L) {
> ++        /* avoid an infinite loop */
> ++        Trace((stderr, "UZbunzip2() got empty input\n"));
> ++        return 2;
> ++    }
> + 
> + #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
> +     if (G.redirect_slide)
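Review bot: The rewritten STORE check `eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize` adds an archive-supplied `eb_ucsize` (a `ulg` from makelong) to two small offsets; on a build where `ulg` is 32 bits a value near 0xFFFFFFFF wraps the sum back to a small number and can make the equality hold for a bogus field, whereas the check a few lines earlier already guarantees `eb_size > compr_offset + EB_CMPRHEADLEN` whenever `eb_ucsize > 0`, so `(eb_size - (compr_offset + EB_CMPRHEADLEN)) != eb_ucsize` compares the same quantities without any chance of wrap. Whether the later `(ulg)(extent)eb_ucsize` and malloc checks would catch such a value anyway depends on the platform, so the subtraction form is the safer one to commit. In the new UZbunzip2() guard the bare `return 2;` should say what that code means in this function's return convention, e.g. `return 2;  /* data error, as for a corrupt bzip2 stream */` — verify against the codes used further down. Both test_compr_eb() and UZbunzip2() continue outside the hunk.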
> Index: archivers/unzip/patches/patch-list_c
> ===================================================================
> RCS file: archivers/unzip/patches/patch-list_c
> diff -N archivers/unzip/patches/patch-list_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ archivers/unzip/patches/patch-list_c      21 Mar 2017 16:24:58 -0000
> @@ -0,0 +1,40 @@
> +$OpenBSD$
> +
> +Fix: increase size of cfactorstr array to avoid buffer overflow
> +    https://bugs.debian.org/741384
> +Fix CVE-2014-9913: buffer overflow in unzip
> +    https://sourceforge.net/p/infozip/bugs/27/
> +    https://bugs.debian.org/847485
> +    https://launchpad.net/bugs/387350
> +
> +--- list.c.orig      Sun Feb  8 18:11:34 2009
> ++++ list.c   Tue Mar 21 16:10:27 2017
> +@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type error code */
> + {
> +     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
> + #ifndef WINDLL
> +-    char sgn, cfactorstr[10];
> ++    char sgn, cfactorstr[12];
> +     int longhdr=(uO.vflag>1);
> + #endif
> +     int date_format;
> +@@ -339,7 +339,18 @@ int list_files(__G)    /* return PK-type error code */
> +                 G.crec.compression_method == ENHDEFLATED) {
> +                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 
> 3];
> +             } else if (methnum >= NUM_METHODS) {
> +-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
> ++                /* 2013-02-26 SMS.
> ++                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
> ++                 * Unexpectedly large compression methods overflow
> ++                 * &methbuf[].  Use the old, three-digit decimal format
> ++                 * for values which fit.  Otherwise, sacrifice the
> ++                 * colon, and use four-digit hexadecimal.
> ++                 */
> ++                if (G.crec.compression_method <= 999) {
> ++                    sprintf( &methbuf[ 4], "%03u", 
> G.crec.compression_method);
> ++                } else {
> ++                    sprintf( &methbuf[ 3], "%04X", 
> G.crec.compression_method);
> ++                }
> +             }
> + 
> + #if 0       /* GRR/Euro:  add this? */
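Review bot: Growing `cfactorstr` from 10 to 12 bytes fixes the reported overflow only for the value range the reporter hit; the `sprintf` that fills it (outside this hunk) is still unbounded, so `snprintf(cfactorstr, sizeof cfactorstr, ...)` at that call site would make the fix hold regardless of how large `cfactor` can get, and a comment at the declaration should record the maximum width it is sized for. The hex fallback `sprintf(&methbuf[3], "%04X", ...)` fits exactly only because `compression_method` is presumably a 16-bit field (`ush`), which the comment does not state; adding `/* compression_method is ush, so at most 4 hex digits */` pins the assumption. list_files() starts and ends outside the hunk.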
> Index: archivers/unzip/patches/patch-process_c
> ===================================================================
> RCS file: 
> /data/mirror/openbsd/cvs/ports/archivers/unzip/patches/patch-process_c,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-process_c
> --- archivers/unzip/patches/patch-process_c   6 Feb 2015 21:37:04 -0000       
> 1.2
> +++ archivers/unzip/patches/patch-process_c   21 Mar 2017 16:24:58 -0000
> @@ -1,10 +1,16 @@
>  $OpenBSD: patch-process_c,v 1.2 2015/02/06 21:37:04 naddy Exp $
>  
> -Fix extraction of symlinks
> +Fix: handle the PKWare verification bit of internal attributes
> +    https://bugs.debian.org/630078
> +Fix: extraction of symlinks
>  Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
> +Fix: do not ignore extra fields containing Unix Timestamps
> +    https://bugs.debian.org/842993
> +Fix: restore uid and gid information when requested
> +    https://bugs.debian.org/689212
>  
>  --- process.c.orig   Fri Mar  6 02:25:10 2009
> -+++ process.c        Thu Feb  5 18:57:59 2015
> ++++ process.c        Tue Mar 21 16:10:27 2017
>  @@ -1,5 +1,5 @@
>   /*
>  -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
> @@ -12,7 +18,21 @@ Fix CVE-2014-8141: out-of-bounds read is
>   
>     See the accompanying file LICENSE, version 2009-Jan-02 or later
>     (the contents of which are also included in unzip.h) for terms of use.
> -@@ -1751,6 +1751,12 @@ int process_cdir_file_hdr(__G)    /* return PK-type er
> +@@ -1729,6 +1729,13 @@ int process_cdir_file_hdr(__G)    /* return PK-type er
> +     else if (uO.L_flag > 1)   /* let -LL force lower case for all names */
> +         G.pInfo->lcflag = 1;
> + 
> ++    /* Handle the PKWare verification bit, bit 2 (0x0004) of internal
> ++       attributes.  If this is set, then a verification checksum is in the
> ++       first 3 bytes of the external attributes.  In this case all we can 
> use
> ++       for setting file attributes is the last external attributes byte. */
> ++    if (G.crec.internal_file_attributes & 0x0004)
> ++      G.crec.external_file_attributes &= (ulg)0xff;
> ++
> +     /* do Amigas (AMIGA_) also have volume labels? */
> +     if (IS_VOLID(G.crec.external_file_attributes) &&
> +         (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ ||
> +@@ -1751,6 +1758,12 @@ int process_cdir_file_hdr(__G)    /* return PK-type er
>           = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
>   #endif
>   
> @@ -25,7 +45,7 @@ Fix CVE-2014-8141: out-of-bounds read is
>       return PK_COOL;
>   
>   } /* end function process_cdir_file_hdr() */
> -@@ -1888,48 +1894,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
> +@@ -1888,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
>       and a 4-byte version of disk start number.
>       Sets both local header and central header fields.  Not terribly clever,
>       but it means that this procedure is only called in one place.
> @@ -124,3 +144,53 @@ Fix CVE-2014-8141: out-of-bounds read is
>           ef_buf += (eb_len + EB_HEADSIZE);
>           ef_len -= (eb_len + EB_HEADSIZE);
>       }
> +@@ -2867,10 +2914,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, 
> dos
> +             break;
> + 
> +           case EF_IZUNIX2:
> +-            if (have_new_type_eb == 0) {
> +-                flags &= ~0x0ff;        /* ignore any previous IZUNIX field 
> */
> ++            if (have_new_type_eb == 0) {        /* (< 1) */
> +                 have_new_type_eb = 1;
> +             }
> ++            if (have_new_type_eb <= 1) {
> ++                /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */
> ++                flags &= 0x0ff;
> ++            }
> + #ifdef IZ_HAVE_UXUIDGID
> +             if (have_new_type_eb > 1)
> +                 break;          /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
> +@@ -2886,6 +2936,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
> +             /* new 3rd generation Unix ef */
> +             have_new_type_eb = 2;
> + 
> ++            /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */
> ++            flags &= 0x0ff;
> +         /*
> +           Version       1 byte      version of this extra field, currently 1
> +           UIDSize       1 byte      Size of UID field
> +@@ -2897,7 +2949,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
> + #ifdef IZ_HAVE_UXUIDGID
> +             if (eb_len >= EB_UX3_MINLEN
> +                 && z_uidgid != NULL
> +-                && (*((EB_HEADSIZE + 0) + ef_buf) == 1)
> ++                && (*((EB_HEADSIZE + 0) + ef_buf) == 1))
> +                     /* only know about version 1 */
> +             {
> +                 uch uid_size;
> +@@ -2906,13 +2958,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, 
> dos
> +                 uid_size = *((EB_HEADSIZE + 1) + ef_buf);
> +                 gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
> + 
> +-                flags &= ~0x0ff;      /* ignore any previous UNIX field */
> +-
> +                 if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
> +-                                    uid_size, z_uidgid[0])
> ++                                    uid_size, &z_uidgid[0])
> +                     &&
> +                      read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf,
> +-                                    gid_size, z_uidgid[1]) )
> ++                                    gid_size, &z_uidgid[1]) )
> +                 {
> +                     flags |= EB_UX2_VALID;   /* signal success */
> +                 }
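Review bot: Now that `&z_uidgid[0]` / `&z_uidgid[1]` make the IZUNIX3 UID/GID path effective, the only length check visible before it is `eb_len >= EB_UX3_MINLEN`, yet `gid_size` is read from offset `uid_size + 2` and `read_ux3_value` is pointed at `uid_size + 3` using archive-supplied `uid_size`/`gid_size` bytes; unless read_ux3_value or a caller bounds these against `eb_len` (not visible here), a crafted extra field can read past the block. Assuming `eb_len` counts the data bytes after EB_HEADSIZE, `if ((unsigned)uid_size + 3 > eb_len) break;` before the `gid_size` read and `if ((unsigned)uid_size + (unsigned)gid_size + 3 > eb_len) break;` before the read_ux3_value calls would close that. The `flags &= 0x0ff;` lines invert the old `~0x0ff` mask; a note that the low byte holds the timestamp flags that must be preserved would explain why the old mask was wrong. ef_scan_for_izux() starts and ends outside the hunk.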
> Index: archivers/unzip/patches/patch-zipinfo_c
> ===================================================================
> RCS file: archivers/unzip/patches/patch-zipinfo_c
> diff -N archivers/unzip/patches/patch-zipinfo_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ archivers/unzip/patches/patch-zipinfo_c   21 Mar 2017 16:24:58 -0000
> @@ -0,0 +1,38 @@
> +$OpenBSD$
> +
> +Fix CVE-2016-9844: buffer overflow in zipinfo
> +    https://bugs.debian.org/847486
> +    https://launchpad.net/bugs/1643750
> +Do not crash when hostver byte is >= 100
> +
> +--- zipinfo.c.orig   Sun Feb  8 18:04:30 2009
> ++++ zipinfo.c        Tue Mar 21 16:10:27 2017
> +@@ -1921,7 +1921,18 @@ static int zi_short(__G)   /* return PK-type error cod
> +         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
> +         methbuf[3] = dtype[dnum];
> +     } else if (methnum >= NUM_METHODS) {   /* unknown */
> +-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
> ++        /* 2016-12-05 SMS.
> ++         * https://launchpad.net/bugs/1643750
> ++         * Unexpectedly large compression methods overflow
> ++         * &methbuf[].  Use the old, three-digit decimal format
> ++         * for values which fit.  Otherwise, sacrifice the "u",
> ++         * and use four-digit hexadecimal.
> ++         */
> ++        if (G.crec.compression_method <= 999) {
> ++            sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
> ++        } else {
> ++            sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
> ++        }
> +     }
> + 
> +     for (k = 0;  k < 15;  ++k)
> +@@ -2114,7 +2125,7 @@ static int zi_short(__G)   /* return PK-type error cod
> +             else
> +                 attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-';  /* 
> T==undefined */
> + 
> +-            sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10);
> ++            sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10);
> +             break;
> + 
> +     } /* end switch (hostnum: external attributes format) */
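Review bot: The shift from `&attribs[12]` to `&attribs[11]` with `%2u` writes up to five bytes (two digits, '.', one digit, NUL) ending at index 15, so the fix is sound only if `attribs` is at least 16 bytes; its declaration is outside this hunk, so confirm the size and state it in a comment, e.g. `/* hostver is a uch: "%2u.%u" needs 5 bytes, attribs[11..15] */`. It is also not obvious from the hunk that output for hostver < 100 is unchanged — `%2u` presumably pads the tens digit with a blank into the column `attribs[11]` held before — and a one-line comment to that effect would save the next reader from re-deriving it. zi_short() starts and ends outside the hunk.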
>

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
