unzip: patch CVE-2015-7696, CVE-2015-7697 and integer underflow

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
9 years ago · b88213b3a7
--- a/utils/unzip/Makefile
+++ b/utils/unzip/Makefile
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unzip
 PKG_REV:=60
 PKG_VERSION:=6.0
 PKG_RELEASE:=2
 PKG_RELEASE:=3
 PKG_SOURCE:=$(PKG_NAME)$(PKG_REV).tar.gz
 PKG_SOURCE_URL:=@SF/infozip
--- a/utils/unzip/patches/005-CVE-2015-7696-heap-overflow.patch
+++ b/utils/unzip/patches/005-CVE-2015-7696-heap-overflow.patch
@ -0,0 +1,21 @@
 --- a/crypt.c
 +++ b/crypt.c
@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
     GLOBAL(pInfo->encrypted) = FALSE;
     defer_leftover_input(__G);
     for (n = 0; n < RAND_HEAD_LEN; n++) {
 -        b = NEXTBYTE;
 +        /* 2012-11-23 SMS.  (OUSPG report.)
 +         * Quit early if compressed size < HEAD_LEN.  The resulting
 +         * error message ("unable to get password") could be improved,
 +         * but it's better than trying to read nonexistent data, and
 +         * then continuing with a negative G.csize.  (See
 +         * fileio.c:readbyte()).
 +         */
 +        if ((b = NEXTBYTE) == (ush)EOF)
 +        {
 +            return PK_ERR;
 +        }
         h[n] = (uch)b;
         Trace((stdout, " (%02x)", h[n]));
     }
--- a/utils/unzip/patches/006-CVE-2015-7697-infinite-loop.patch
+++ b/utils/unzip/patches/006-CVE-2015-7697-infinite-loop.patch
@ -0,0 +1,15 @@
 --- a/extract.c
 +++ b/extract.c
@@ -2728,6 +2728,12 @@ __GDEF
     int repeated_buf_err;
     bz_stream bstrm;
 +    if (G.incnt <= 0 && G.csize <= 0L) {
 +        /* avoid an infinite loop */
 +        Trace((stderr, "UZbunzip2() got empty input\n"));
 +        return 2;
 +    }
 +
 #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
     if (G.redirect_slide)
         wsize = G.redirect_size, redirSlide = G.redirect_buffer;
--- a/utils/unzip/patches/007-integer-underflow-csiz_decrypted.patch
+++ b/utils/unzip/patches/007-integer-underflow-csiz_decrypted.patch
@ -0,0 +1,21 @@
 --- a/extract.c
 +++ b/extract.c
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G
         if (G.lrec.compression_method == STORED) {
             zusz_t csiz_decrypted = G.lrec.csize;
 -            if (G.pInfo->encrypted)
 +            if (G.pInfo->encrypted) {
 +                if (csiz_decrypted <= 12) {
 +                    /* handle the error now to prevent unsigned overflow */
 +                    Info(slide, 0x401, ((char *)slide,
 +                      LoadFarStringSmall(ErrUnzipNoFile),
 +                      LoadFarString(InvalidComprData),
 +                      LoadFarStringSmall2(Inflate)));
 +                    return PK_ERR;
 +                }
                 csiz_decrypted -= 12;
 +            }
             if (G.lrec.ucsize != csiz_decrypted) {
                 Info(slide, 0x401, ((char *)slide,
                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),