Bug#932318: buster-pu: package unzip/6.0-23+deb10u1
- To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Cc: 932318@bugs.debian.org
- Subject: Bug#932318: buster-pu: package unzip/6.0-23+deb10u1
- From: Santiago Vila <sanvila@unex.es>
- Date: Sat, 3 Aug 2019 10:00:59 +0200
- Message-id: <[🔎] 20190803080059.wo7y5ybc47bby42f@nucold>
- Reply-to: Santiago Vila <sanvila@unex.es>, 932318@bugs.debian.org
- In-reply-to: <ca10f1b6b94b41905a3e027e5a878c6f@mail.adam-barratt.org.uk>
- References: <alpine.DEB.2.20.1907171748260.31728@tulipan.isla-invisible.es> <alpine.DEB.2.20.1907171748260.31728@tulipan.isla-invisible.es> <20190727161851.2d52dpftfqp3apkd@nucold> <ca10f1b6b94b41905a3e027e5a878c6f@mail.adam-barratt.org.uk> <alpine.DEB.2.20.1907171748260.31728@tulipan.isla-invisible.es>
On Sat, Jul 27, 2019 at 01:38:46PM -0300, Adam D. Barratt wrote:
> On 2019-07-27 13:18, Santiago Vila wrote:
> > tags 932318 - moreinfo
> > thanks
> >
> > Hello.
> >
> > The problem with Firefox should now be fixed, and it was unzip's fault.
> >
> > If possible, I'd like this upload I did 6.0-23+deb10u1 to be rejected so
> > that
> > I can reuse the +deb10u1 version with all the fixes included.
>
> Done, pending dak actually processing the request.
Fine. I reuploaded unzip, this is the new debdiff, and this time
I believe it should be suitable for stable.
Thanks.
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog 2019-05-29 00:24:08.000000000 +0200
+++ unzip-6.0/debian/changelog 2019-07-30 22:26:10.000000000 +0200
@@ -1,3 +1,14 @@
+unzip (6.0-23+deb10u1) buster; urgency=medium
+
+ * Apply three patches by Mark Adler to fix CVE-2019-13232.
+ - Fix bug in undefer_input() that misplaced the input state.
+ - Detect and reject a zip bomb using overlapped entries.
+ Bug discovered by David Fifield. Closes: #931433.
+ - Do not raise a zip bomb alert for a misplaced central directory.
+ Reported by Peter Green. Closes: #932404.
+
+ -- Santiago Vila <sanvila@debian.org> Tue, 30 Jul 2019 22:26:10 +0200
+
unzip (6.0-23) unstable; urgency=medium
* Fix lame code in fileio.c which parsed 64-bit values incorrectly.
diff -Nru unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch
--- unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 2019-07-30 21:22:00.000000000 +0200
@@ -0,0 +1,22 @@
+From: Mark Adler <madler@alumni.caltech.edu>
+Subject: Fix bug in undefer_input() that misplaced the input state.
+Origin: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
+Bug-Debian: https://bugs.debian.org/931433
+X-Debian-version: 6.0-24
+
+ Fix bug in undefer_input() that misplaced the input state.
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -532,8 +532,10 @@
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
diff -Nru unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
--- unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 2019-07-30 21:23:00.000000000 +0200
@@ -0,0 +1,335 @@
+From: Mark Adler <madler@alumni.caltech.edu>
+Subject: Detect and reject a zip bomb using overlapped entries.
+Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
+Bug-Debian: https://bugs.debian.org/931433
+X-Debian-version: 6.0-24
+
+ Detect and reject a zip bomb using overlapped entries.
+
+ This detects an invalid zip file that has at least one entry that
+ overlaps with another entry or with the central directory to the
+ end of the file. A Fifield zip bomb uses overlapped local entries
+ to vastly increase the potential inflation ratio. Such an invalid
+ zip file is rejected.
+
+ See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+ analysis, construction, and examples of such zip bombs.
+
+ The detection maintains a list of covered spans of the zip files
+ so far, where the central directory to the end of the file and any
+ bytes preceding the first entry at zip file offset zero are
+ considered covered initially. Then as each entry is decompressed
+ or tested, it is considered covered. When a new entry is about to
+ be processed, its initial offset is checked to see if it is
+ contained by a covered span. If so, the zip file is rejected as
+ invalid.
+
+ This commit depends on a preceding commit: "Fix bug in
+ undefer_input() that misplaced the input state."
+
+--- a/extract.c
++++ b/extract.c
+@@ -321,6 +321,125 @@
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span. */
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -376,6 +495,29 @@
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with a
++ span that covers the central directory though the end of the file. */
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.ziplen) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -593,7 +735,8 @@
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1062,6 +1205,11 @@
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1602,6 +1750,18 @@
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -2003,6 +2163,34 @@
+ }
+
+ undefer_input(__G);
++
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ? 0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@
+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
+ z_stat statbuf; /* used by main, mapname, check_for_newer */
+
++ int zip64; /* true if Zip64 info in extra field */
++
+ int mem_mode;
+ uch *outbufptr; /* extract.c static */
+ ulg outsize; /* extract.c static */
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@
+ }
+ #endif
+
++ /* Free the cover span list and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1913,6 +1920,8 @@
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
+
++ G.zip64 = FALSE;
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+@@ -2084,6 +2093,8 @@
+ (ZCONST char *)(offset + ef_buf), ULen);
+ G.unipath_filename[ULen] = '\0';
+ }
++
++ G.zip64 = TRUE;
+ }
+
+ /* Skip this extra field block */
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
diff -Nru unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
--- unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch 1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch 2019-07-30 21:24:00.000000000 +0200
@@ -0,0 +1,103 @@
+From: Mark Adler <madler@alumni.caltech.edu>
+Subject: Do not raise a zip bomb alert for a misplaced central directory.
+Origin: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
+Bug-Debian: https://bugs.debian.org/932404
+X-Debian-version: 6.0-25
+
+ Do not raise a zip bomb alert for a misplaced central directory.
+
+ There is a zip-like file in the Firefox distribution, omni.ja,
+ which is a zip container with the central directory placed at the
+ start of the file instead of after the local entries as required
+ by the zip standard. This commit marks the actual location of the
+ central directory, as well as the end of central directory records,
+ as disallowed locations. This now permits such containers to not
+ raise a zip bomb alert, where in fact there are no overlaps.
+
+--- a/extract.c
++++ b/extract.c
+@@ -495,8 +495,11 @@
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+@@ -508,15 +511,25 @@
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks. */
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2019-05-28 23:00:00.000000000 +0200
+++ unzip-6.0/debian/patches/series 2019-07-30 21:00:00.000000000 +0200
@@ -19,3 +19,6 @@
19-cve-2016-9844-zipinfo-buffer-overflow.patch
20-cve-2018-1000035-unzip-buffer-overflow.patch
21-fix-warning-messages-on-big-files.patch
+22-cve-2019-13232-fix-bug-in-undefer-input.patch
+23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
+24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
Reply to: