diff options
| -rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | 67 | ||||
| -rw-r--r-- | meta/recipes-extended/unzip/unzip_6.0.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nils Bars <nils.bars@t-online.de> | ||
| 3 | Date: Mon, 17 Jan 2022 16:53:16 +0000 | ||
| 4 | Subject: [PATCH] Fix null pointer dereference and use of uninitialized data | ||
| 5 | |||
| 6 | This fixes a bug that causes use of uninitialized heap data if `readbuf` fails | ||
| 7 | to read as many bytes as indicated by the extra field length attribute. | ||
| 8 | Furthermore, this fixes a null pointer dereference if an archive contains an | ||
| 9 | `EF_UNIPATH` extra field but does not have a filename set. | ||
| 10 | --- | ||
| 11 | fileio.c | 5 ++++- | ||
| 12 | process.c | 6 +++++- | ||
| 13 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
| 14 | --- | ||
| 15 | |||
| 16 | Patch from: | ||
| 17 | https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 | ||
| 18 | https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch | ||
| 19 | Regenerated to apply without offsets. | ||
| 20 | |||
| 21 | CVE: CVE-2021-4217 | ||
| 22 | |||
| 23 | Upstream-Status: Pending [infozip upstream inactive] | ||
| 24 | |||
| 25 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
| 26 | |||
| 27 | |||
| 28 | diff --git a/fileio.c b/fileio.c | ||
| 29 | index 14460f3..1dc319e 100644 | ||
| 30 | --- a/fileio.c | ||
| 31 | +++ b/fileio.c | ||
| 32 | @@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ | ||
| 33 | seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + | ||
| 34 | (G.inptr-G.inbuf) + length); | ||
| 35 | } else { | ||
| 36 | - if (readbuf(__G__ (char *)G.extra_field, length) == 0) | ||
| 37 | + unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); | ||
| 38 | + if (bytes_read == 0) | ||
| 39 | return PK_EOF; | ||
| 40 | + if (bytes_read != length) | ||
| 41 | + return PK_ERR; | ||
| 42 | /* Looks like here is where extra fields are read */ | ||
| 43 | if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | ||
| 44 | { | ||
| 45 | diff --git a/process.c b/process.c | ||
| 46 | index 5f8f6c6..de843a5 100644 | ||
| 47 | --- a/process.c | ||
| 48 | +++ b/process.c | ||
| 49 | @@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) | ||
| 50 | G.unipath_checksum = makelong(offset + ef_buf); | ||
| 51 | offset += 4; | ||
| 52 | |||
| 53 | + if (!G.filename_full) { | ||
| 54 | + /* Check if we have a unicode extra section but no filename set */ | ||
| 55 | + return PK_ERR; | ||
| 56 | + } | ||
| 57 | + | ||
| 58 | /* | ||
| 59 | * Compute 32-bit crc | ||
| 60 | */ | ||
| 61 | - | ||
| 62 | chksum = crc32(chksum, (uch *)(G.filename_full), | ||
| 63 | strlen(G.filename_full)); | ||
| 64 | |||
| 65 | -- | ||
| 66 | 2.32.0 | ||
| 67 | |||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 0bc6abcd4b..d074db37b4 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb | |||
| @@ -27,6 +27,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ | |||
| 27 | file://CVE-2019-13232_p2.patch \ | 27 | file://CVE-2019-13232_p2.patch \ |
| 28 | file://CVE-2019-13232_p3.patch \ | 28 | file://CVE-2019-13232_p3.patch \ |
| 29 | file://unzip_optimization.patch \ | 29 | file://unzip_optimization.patch \ |
| 30 | file://CVE-2021-4217.patch \ | ||
| 30 | " | 31 | " |
| 31 | UPSTREAM_VERSION_UNKNOWN = "1" | 32 | UPSTREAM_VERSION_UNKNOWN = "1" |
| 32 | 33 | ||