Bug#851527: jessie-pu: package unzip/6.0-16+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Managers:
The Security Team asked me to do this upload because it does not
deserve a DSA.
It's just an update of the version currently in stable, taking the
security bits from the last version in unstable.
The debdiff is attached.
Thanks.
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog 2015-11-09 20:53:24.000000000 +0100
+++ unzip-6.0/debian/changelog 2017-01-15 23:30:30.000000000 +0100
@@ -1,3 +1,14 @@
+unzip (6.0-16+deb8u3) jessie; urgency=medium
+
+ * Update patch 12-cve-2014-9636-test-compr-eb to follow revised
+ patch "unzip-6.0_overflow3.diff" from mancha (patch author).
+ * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
+ Patch by the author.
+ * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
+ Patch by the author.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 15 Jan 2017 23:30:30 +0100
+
unzip (6.0-16+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2015-11-09 20:53:24.000000000 +0100
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2017-01-15 22:12:00.000000000 +0100
@@ -1,7 +1,7 @@
From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
+Date: Wed, 11 Feb 2015
Subject: Info-ZIP UnZip buffer overflow
-Bug-Debian: http://bugs.debian.org/776589
+Bug-Debian: https://bugs.debian.org/776589
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
@@ -22,16 +22,17 @@
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
-@@ -2244,6 +2245,14 @@
+@@ -2244,6 +2245,15 @@
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
return IZ_EF_TRUNC; /* no/bad compressed data! */
-+ /* 2014-11-03 Michal Zalewski, SMS.
++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
+ * For STORE method, compressed and uncompressed sizes must agree.
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+ */
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
-+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ if ((eb_compr_method == STORED) &&
++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
+ return PK_ERR;
+
if (
diff -Nru unzip-6.0/debian/patches/18-cve-2014-9913-unzip-buffer-overflow unzip-6.0/debian/patches/18-cve-2014-9913-unzip-buffer-overflow
--- unzip-6.0/debian/patches/18-cve-2014-9913-unzip-buffer-overflow 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/18-cve-2014-9913-unzip-buffer-overflow 2017-01-15 22:16:00.000000000 +0100
@@ -0,0 +1,29 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-9913, buffer overflow in unzip
+Bug: https://sourceforge.net/p/infozip/bugs/27/
+Bug-Debian: https://bugs.debian.org/847485
+Bug-Ubuntu: https://launchpad.net/bugs/387350
+X-Debian-version: 6.0-21
+
+--- a/list.c
++++ b/list.c
+@@ -339,7 +339,18 @@
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* 2013-02-26 SMS.
++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the
++ * colon, and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
diff -Nru unzip-6.0/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow unzip-6.0/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow
--- unzip-6.0/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow 2017-01-15 22:17:00.000000000 +0100
@@ -0,0 +1,28 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
+Bug-Debian: https://bugs.debian.org/847486
+Bug-Ubuntu: https://launchpad.net/bugs/1643750
+X-Debian-version: 6.0-21
+
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -1921,7 +1921,18 @@
+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+ methbuf[3] = dtype[dnum];
+ } else if (methnum >= NUM_METHODS) { /* unknown */
+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++ /* 2016-12-05 SMS.
++ * https://launchpad.net/bugs/1643750
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the "u",
++ * and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++ }
+ }
+
+ for (k = 0; k < 15; ++k)
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2015-11-09 20:53:24.000000000 +0100
+++ unzip-6.0/debian/patches/series 2017-01-15 22:00:00.000000000 +0100
@@ -13,3 +13,5 @@
14-cve-2015-7696
15-cve-2015-7697
16-fix-integer-underflow-csiz-decrypted
+18-cve-2014-9913-unzip-buffer-overflow
+19-cve-2016-9844-zipinfo-buffer-overflow
Reply to: