--- Begin Message ---
- To: Debian BTS <submit@bugs.debian.org>
- Subject: stretch-pu: package unzip/6.0-21+deb9u1
- From: Santiago Vila <sanvila@unex.es>
- Date: Sun, 10 Feb 2019 21:02:49 +0100 (CET)
- Message-id: <alpine.DEB.2.20.1902102056430.5085@tulipan.isla-invisible.es>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello. Security team tells me this does not deserve a DSA but it's ok
for stable-proposed-updates.
(I know it's a little bit late for 9.8. Sorry for that, and no problem
if this is for 9.9 instead).
Debdiff below.
Thanks.
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog 2016-12-11 21:03:30.000000000 +0100
+++ unzip-6.0/debian/changelog 2019-02-10 20:53:00.000000000 +0100
@@ -1,3 +1,10 @@
+unzip (6.0-21+deb9u1) stretch; urgency=medium
+
+ * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
+ Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
+
+ -- Santiago Vila <sanvila@debian.org> Sun, 10 Feb 2019 20:53:00 +0100
+
unzip (6.0-21) unstable; urgency=medium
* Rename all debian/patches/* to have .patch ending.
diff -Nru unzip-6.0/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch unzip-6.0/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
--- unzip-6.0/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch 2019-02-10 20:53:00.000000000 +0100
@@ -0,0 +1,35 @@
+From: Karol Babioch <kbabioch@suse.com>
+Subject: Fix buffer overflow in password protected zip archives
+Bug-Debian: https://bugs.debian.org/889838
+Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -1582,6 +1582,10 @@
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *zfnf;
++ char *efnf;
++ size_t zfnfl;
++ int isOverflow;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,7 +1594,15 @@
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
++ zfnf = FnFilter1(zfn);
++ efnf = FnFilter2(efn);
++ zfnfl = strlen(zfnf);
++ isOverflow = TRUE;
++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
++ {
++ isOverflow = FALSE;
++ }
++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
+ sprintf(prompt, LoadFarString(PasswPrompt),
+ FnFilter1(zfn), FnFilter2(efn));
+ m = prompt;
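Review bot: In the second fileio.c hunk, when isOverflow stays TRUE the && in the new condition short-circuits before the malloc, so prompt is never assigned on that path, and `char *prompt;` in the first hunk's context has no initializer. Any use of prompt after this block, outside the lines shown here, would then see an indeterminate pointer. Declaring it as `char *prompt = NULL;`, or setting it to NULL when the length check fails, would make the overlong-name path look the same as the allocation-failure path, where prompt is NULL. Separately, zfnf and efnf are computed for the length check but the sprintf still calls FnFilter1(zfn) and FnFilter2(efn) again; passing zfnf and efnf would guarantee that the strings measured are the strings written. The 15 bytes of slack in the malloc also have to cover the literal text of PasswPrompt plus the terminator, which the hunk does not show, so a comment tying the two together, or sizing the buffer from the measured lengths, would make the bound easier to audit.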
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2016-12-11 20:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/series 2019-02-10 20:51:54.000000000 +0100
@@ -17,3 +17,4 @@
17-restore-unix-timestamps-accurately.patch
18-cve-2014-9913-unzip-buffer-overflow.patch
19-cve-2016-9844-zipinfo-buffer-overflow.patch
+20-cve-2018-1000035-unzip-buffer-overflow.patch
--- End Message ---