unzip: CVE-2015-7696, CVE-2015-7697

+104
+66
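--- a/pkgs/tools/archivers/unzip/CVE-2015-7696.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2015-7696.diff
@@ -0,0 +1,66 @@
+From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: [PATCH 1/2] upstream fix for heap overflow
+
+https://bugzilla.redhat.com/attachment.cgi?id=1073002
+---
+crypt.c | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+GLOBAL(pInfo->encrypted) = FALSE;
+defer_leftover_input(__G);
+for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+h[n] = (uch)b;
+Trace((stdout, " (%02x)", h[n]));
+}
+--
+2.4.6
+
+
+From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
+
+---
+extract.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index 7134bfe..29db027 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2733,6 +2733,12 @@ __GDEF
+int repeated_buf_err;
+bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+if (G.redirect_slide)
+wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+--
+2.4.6
+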
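Review bot: The new early `return PK_ERR` in decrypt() (first patch, crypt.c hunk) exits while the input is still in the state set up by `defer_leftover_input(__G)` two lines above it; if decrypt()'s normal path restores that with `undefer_input(__G)` after the loop, as the defer/undefer pairing in fileio.c suggests, the error path should do the same, e.g. `{ undefer_input(__G); return PK_ERR; }`, so a truncated encrypted entry does not leave G.incnt/G.inptr truncated for whatever is read next. The remainder of decrypt() is outside this hunk, so that needs confirming against the full function. The `(ush)EOF` comparison itself is sound: NEXTBYTE yields either a byte value or EOF, and no byte value equals (ush)-1, so the guard fires only on genuine end of data. In the second patch, the bare `return 2;` in UZbunzip2() would read better with a comment naming which caller-side result code 2 corresponds to, since the other return values in that function are not visible here.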
+36
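--- a/pkgs/tools/archivers/unzip/CVE-2015-7697.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2015-7697.diff
@@ -0,0 +1,36 @@
+From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 22 Sep 2015 18:52:23 +0200
+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
+
+Suggested-by: Stefan Cornelius
+---
+extract.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 29db027..b9ae667 100644
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
+if (G.lrec.compression_method == STORED) {
+zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted <= 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+csiz_decrypted -= 12;
++ }
+if (G.lrec.ucsize != csiz_decrypted) {
+Info(slide, 0x401, ((char *)slide,
+LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+--
+2.5.2
+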
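Review bot: The guard `if (csiz_decrypted <= 12)` is off by one: an encrypted STORED entry with an empty payload consists of just the 12-byte encryption header, so csize == 12 is legitimate and `csiz_decrypted -= 12` yields 0 without wrapping, yet this check rejects it as invalid compressed data and returns PK_ERR. Only csize < 12 can underflow the unsigned subtraction, so the line should read `if (csiz_decrypted < 12) {`. Two smaller points: the literal 12 is the encryption header length that crypt.h names RAND_HEAD_LEN, which would be clearer here if that macro is in scope in extract.c, and the message passes `Inflate` as the method name although this is the STORED branch, which will mislead anyone reading the error. The enclosing extract_or_test_entrylist() starts and ends outside this hunk.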
+2
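--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -14,6 +14,8 @@
 ./CVE-2014-8140.diff
 ./CVE-2014-8141.diff
 ./CVE-2014-9636.diff
+./CVE-2015-7696.diff
+./CVE-2015-7697.diff
 ] ++ stdenv.lib.optional enableNLS
 (fetchurl {
 url = "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/unzip/files/unzip-6.0-natspec.patch?revision=1.1";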