unzip: CVE-2015-7696, CVE-2015-7697
Domen Kožar
10 years ago
aff3a23d
1496b0f6
+104
3 changed files
pkgs
tools
archivers
unzip
CVE-2015-7696.diff
CVE-2015-7697.diff
default.nix
+66
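--- a/pkgs/tools/archivers/unzip/CVE-2015-7696.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2015-7696.diff
@@ -0,0 +1,66 @@
+From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: [PATCH 1/2] upstream fix for heap overflow
+
+https://bugzilla.redhat.com/attachment.cgi?id=1073002
+---
+crypt.c | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+GLOBAL(pInfo->encrypted) = FALSE;
+defer_leftover_input(__G);
+for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+h[n] = (uch)b;
+Trace((stdout, " (%02x)", h[n]));
+}
+--
+2.4.6
+
+
+From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
+
+---
+extract.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index 7134bfe..29db027 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2733,6 +2733,12 @@ __GDEF
+int repeated_buf_err;
+bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+if (G.redirect_slide)
+wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+--
+2.4.6
+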
+36
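--- a/pkgs/tools/archivers/unzip/CVE-2015-7697.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2015-7697.diff
@@ -0,0 +1,36 @@
+From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 22 Sep 2015 18:52:23 +0200
+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
+
+Suggested-by: Stefan Cornelius
+---
+extract.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 29db027..b9ae667 100644
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
+if (G.lrec.compression_method == STORED) {
+zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted <= 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+csiz_decrypted -= 12;
++ }
+if (G.lrec.ucsize != csiz_decrypted) {
+Info(slide, 0x401, ((char *)slide,
+LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+--
+2.5.2
+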
+2
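--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -14,6 +14,8 @@
 ./CVE-2014-8140.diff
 ./CVE-2014-8141.diff
 ./CVE-2014-9636.diff
+./CVE-2015-7696.diff
+./CVE-2015-7697.diff
 ] ++ stdenv.lib.optional enableNLS
 (fetchurl {
 url = "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/unzip/files/unzip-6.0-natspec.patch?revision=1.1";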
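Review bot: The two new entries at new lines 17–18 give no provenance for the vendored patches, which makes it hard to confirm later that they match what upstream or the distribution shipped. CVE-2015-7696.diff at least records its origin in its own header (a Red Hat bugzilla attachment, id 1073002, authored by pstodulk@redhat.com and kdudka@redhat.com), but CVE-2015-7697.diff carries only `Suggested-by: Stefan Cornelius` with no URL or tracker reference, so the file itself cannot be traced back. I would annotate the entries in place, e.g. `./CVE-2015-7696.diff # Red Hat bugzilla attachment 1073002 (crypt.c EOF check, extract.c empty-bzip2 guard)` and `./CVE-2015-7697.diff # Red Hat patch, extract.c csize<=12 guard; source: <tracker/URL to fill in>`, so the next unzip update can check whether these are already upstream. The `patches = [` list these lines belong to opens before the hunk.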