
Bug#777076: marked as done (unblock: unzip/6.0-16)



Your message dated Wed, 04 Feb 2015 21:07:19 +0100
with message-id <54D27BF7.6040900@thykier.net>
and subject line Re: Bug#777076: unblock: unzip/6.0-16
has caused the Debian Bug report #777076,
regarding unblock: unzip/6.0-16
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
777076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777076
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team!

unzip/6.0-15 already had an unblock, but unfortunately the
original patch for CVE-2014-8139 was defective, and caused
regressions, see #775640. The update to unstable 6.0-16 fixed that
patch and refreshed the other two patches due to the changes.

Could you please also unblock this version? Here are the changes from
the version in testing:

unzip (6.0-16) unstable; urgency=medium

  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
    the right way (patch by the author). Closes: #775640.
  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
    file from the author.

 -- Santiago Vila <sanvila@debian.org>  Fri, 30 Jan 2015 22:16:08 +0100

unzip (6.0-15) unstable; urgency=medium

  * Fix heap overflow. Ensure that compressed and uncompressed
    block sizes match when using STORED method in extract.c.
    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
    For reference, this is CVE-2014-9636.

 -- Santiago Vila <sanvila@debian.org>  Thu, 29 Jan 2015 18:39:52 +0100

and attached is the debdiff.

unblock unzip/6.0-16

Thanks for considering this unblock!

Regards,
Salvatore
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog	2014-12-30 22:17:20.000000000 +0100
+++ unzip-6.0/debian/changelog	2015-01-30 22:16:15.000000000 +0100
@@ -1,3 +1,22 @@
+unzip (6.0-16) unstable; urgency=medium
+
+  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
+    the right way (patch by the author). Closes: #775640.
+  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
+  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
+    file from the author.
+
+ -- Santiago Vila <sanvila@debian.org>  Fri, 30 Jan 2015 22:16:08 +0100
+
+unzip (6.0-15) unstable; urgency=medium
+
+  * Fix heap overflow. Ensure that compressed and uncompressed
+    block sizes match when using STORED method in extract.c.
+    Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
+    For reference, this is CVE-2014-9636.
+
+ -- Santiago Vila <sanvila@debian.org>  Thu, 29 Jan 2015 18:39:52 +0100
+
 unzip (6.0-14) unstable; urgency=medium
 
   * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
diff -Nru unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow
--- unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow	2014-12-22 18:57:45.000000000 +0100
+++ unzip-6.0/debian/patches/09-cve-2014-8139-crc-overflow	2015-01-30 22:11:35.000000000 +0100
@@ -15,7 +15,7 @@
  #ifndef SFX
     static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
       EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
 +     EF block length (%u bytes) invalid (< %d)\n";
     static ZCONST char Far InvalidComprDataEAs[] =
       " invalid compressed data for EAs\n";
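Review bot: the rename from TooSmallEFlength to TooSmallEBlength is consistent with its only visible use in the later hunk (LoadFarString(TooSmallEBlength)), and the "(< %d)" placeholder now receives the literal int 4 instead of EB_HEADSIZE, which matches the ebLen < 4 condition that guards the (ebLen-4) arithmetic. No change needed beyond making sure no other patch in the series still references the old TooSmallEFlength name.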
@@ -30,20 +30,24 @@
             /* Discovered some extra field inconsistency! */
              if (uO.qflag)
                  Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@
-               ebLen, (ef_len - EB_HEADSIZE)));
-             return PK_ERR;
-         }
-+        else if (ebLen < EB_HEADSIZE)
-+        {
-+            /* Extra block length smaller than header length. */
-+            if (uO.qflag)
-+                Info(slide, 1, ((char *)slide, "%-22s ",
-+                  FnFilter1(G.filename)));
-+            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+              ebLen, EB_HEADSIZE));
-+            return PK_ERR;
-+        }
- 
-         switch (ebID) {
-             case EF_OS2:
+@@ -2158,11 +2161,19 @@
+                 }
+                 break;
+             case EF_PKVMS:
+-                if (makelong(ef+EB_HEADSIZE) !=
++                if (ebLen < 4)
++                {
++                    Info(slide, 1,
++                     ((char *)slide, LoadFarString(TooSmallEBlength),
++                     ebLen, 4));
++                }
++                else if (makelong(ef+EB_HEADSIZE) !=
+                     crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+                           (extent)(ebLen-4)))
++                {
+                     Info(slide, 1, ((char *)slide,
+                       LoadFarString(BadCRC_EAs)));
++                }
+                 break;
+             case EF_PKW32:
+             case EF_PKUNIX:
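Review bot: the reworked check turns a hard error into a report-and-continue. The removed generic block returned PK_ERR for any ebLen < EB_HEADSIZE before the switch, whereas the new EF_PKVMS-only branch calls Info(... TooSmallEBlength ...) and then falls through to break, so the extra field is still processed after the message; that mirrors the adjacent BadCRC_EAs path, which also only reports, but it should be stated in the patch header since it is the behavioural difference that resolves the #775640 regression. The ebLen < 4 guard does stop the unsigned underflow in (extent)(ebLen-4) passed to crc32, which is the CVE-2014-8139 point. One smaller loss: the removed block prefixed the message with FnFilter1(G.filename) under uO.qflag, and the new branch does not, so quiet-mode output no longer names the file for this message.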
diff -Nru unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb
--- unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb	2014-12-22 18:57:52.000000000 +0100
+++ unzip-6.0/debian/patches/10-cve-2014-8140-test-compr-eb	2015-01-30 22:11:36.000000000 +0100
@@ -4,7 +4,7 @@
 
 --- a/extract.c
 +++ b/extract.c
-@@ -2234,10 +2234,17 @@
+@@ -2232,10 +2232,17 @@
      if (compr_offset < 4)                /* field is not compressed: */
          return PK_OK;                    /* do nothing and signal OK */
  
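Review bot: only the hunk header offset changes (2234 to 2232), and that is consistent with the reworked 09 patch: its old hunk added 10 lines (+2035,16 against -2032,6) while the new one adds 8 (+2161,19 against -2158,11), a net shift of -2 for everything after it. This is the context refresh the changelog describes ("to apply cleanly"), nothing more.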
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb	1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb	2015-01-30 22:11:37.000000000 +0100
@@ -0,0 +1,39 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+--- a/extract.c
++++ b/extract.c
+@@ -2228,6 +2228,7 @@
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
++    ush eb_compr_method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+         return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
++    /* 2014-11-03 Michal Zalewski, SMS.
++     * For STORE method, compressed and uncompressed sizes must agree.
++     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++     */
++    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++    if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++        return PK_ERR;
++
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
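Review bot: please confirm which length is being compared in the new STORED check. The guard immediately above bounds the compressed data with compr_offset + EB_CMPRHEADLEN, and eb_compr_method itself is read at compr_offset, so the compression header occupies EB_CMPRHEADLEN bytes starting there; the new condition, however, compares eb_size - compr_offset (header included) with eb_ucsize. If the STORED payload starts after that header, the equality would reject valid STORED extra fields as well as oversized ones, and the intended comparison would be eb_size - (compr_offset + EB_CMPRHEADLEN) != eb_ucsize. Separately, the patch header credits mancha and Michal Zalewski/SMS while the 6.0-15 changelog entry only says "Patch taken from Ubuntu"; naming the origin in the changelog would help later audits.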
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series	2014-12-22 19:14:31.000000000 +0100
+++ unzip-6.0/debian/patches/series	2015-01-30 22:11:36.000000000 +0100
@@ -9,3 +9,4 @@
 09-cve-2014-8139-crc-overflow
 10-cve-2014-8140-test-compr-eb
 11-cve-2014-8141-getzip64data
+12-cve-2014-9636-test-compr-eb

--- End Message ---
--- Begin Message ---
On 2015-02-04 20:59, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team!
> 
> unzip/6.0-15 already had an unblock, but unfortunately the
> original patch for CVE-2014-8139 was defective, and caused
> regressions, see #775640. The update to unstable 6.0-16 fixed that
> patch and refreshed the other two patches due to the changes.
> 
> Could you please also unblock this version? Here are the changes from
> the version in testing:
> 
> [...]
> 
> and attached is the debdiff.
> 
> unblock unzip/6.0-16
> 
> Thanks for considering this unblock!
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---