gnu: unzip: Fix CVE-2014-9636 and some other bugs.

* gnu/packages/patches/unzip-CVE-2014-9636.patch,
  gnu/packages/patches/unzip-allow-greater-hostver-values.patch,
  gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch,
  gnu/packages/patches/unzip-initialize-symlink-flag.patch,
  gnu/packages/patches/unzip-remove-build-date.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (unzip)[source]: Add patches.
  [arguments]: Use 'modify-phases'.  Remove custom 'configure' phase; pass
  additional make-flags instead.  Add custom 'build' phase that builds
  "generic_gcc" target; remove "generic_gcc" from make-flags.
This commit is contained in:
Mark H Weaver 2015-07-15 22:55:26 -04:00
parent 368474150b
commit 385ae063c9
7 changed files with 142 additions and 15 deletions

View File

@ -621,6 +621,11 @@ dist_patch_DATA = \
gnu/packages/patches/unzip-CVE-2014-8139.patch \
gnu/packages/patches/unzip-CVE-2014-8140.patch \
gnu/packages/patches/unzip-CVE-2014-8141.patch \
gnu/packages/patches/unzip-CVE-2014-9636.patch \
gnu/packages/patches/unzip-allow-greater-hostver-values.patch \
gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch \
gnu/packages/patches/unzip-initialize-symlink-flag.patch \
gnu/packages/patches/unzip-remove-build-date.patch \
gnu/packages/patches/util-linux-tests.patch \
gnu/packages/patches/upower-builddir.patch \
gnu/packages/patches/valgrind-glibc-2.21.patch \

View File

@ -0,0 +1,41 @@
Copied from Debian.
From: mancha <mancha1 AT zoho DOT com>
Date: Mon, 3 Nov 2014
Subject: Info-ZIP UnZip buffer overflow
Bug-Debian: http://bugs.debian.org/776589
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
--- a/extract.c
+++ b/extract.c
@@ -2228,6 +2228,7 @@
ulg eb_ucsize;
uch *eb_ucptr;
int r;
+ ush eb_compr_method;
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
@@ -2244,6 +2245,14 @@
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
return IZ_EF_TRUNC; /* no/bad compressed data! */
+ /* 2014-11-03 Michal Zalewski, SMS.
+ * For STORE method, compressed and uncompressed sizes must agree.
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+ */
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
+ return PK_ERR;
+
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||

View File

@ -0,0 +1,16 @@
Copied from Debian.
From: Santiago Vila <sanvila@debian.org>
Subject: zipinfo.c: Do not crash when hostver byte is >= 100
--- a/zipinfo.c
+++ b/zipinfo.c
@@ -2114,7 +2114,7 @@
else
attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-'; /* T==undefined */
- sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10);
+ sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10);
break;
} /* end switch (hostnum: external attributes format) */

View File

@ -0,0 +1,18 @@
Copied from Debian.
From: sms
Subject: Increase size of cfactorstr array to avoid buffer overflow
Bug-Debian: http://bugs.debian.org/741384
X-Debian-version: 6.0-11
--- a/list.c
+++ b/list.c
@@ -97,7 +97,7 @@
{
int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
#ifndef WINDLL
- char sgn, cfactorstr[10];
+ char sgn, cfactorstr[12];
int longhdr=(uO.vflag>1);
#endif
int date_format;

View File

@ -0,0 +1,22 @@
Copied from Debian.
From: Andreas Schwab <schwab@linux-m68k.org>
Subject: Initialize the symlink flag
Bug-Debian: http://bugs.debian.org/717029
X-Debian-version: 6.0-10
--- a/process.c
+++ b/process.c
@@ -1758,6 +1758,12 @@
= (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
#endif
+#ifdef SYMLINKS
+ /* Initialize the symlink flag, may be set by the platform-specific
+ mapattr function. */
+ G.pInfo->symlink = 0;
+#endif
+
return PK_COOL;
} /* end function process_cdir_file_hdr() */

View File

@ -0,0 +1,19 @@
Copied from Debian.
From: Jérémy Bobbio <lunar@debian.org>
Subject: Remove build date
Bug-Debian: http://bugs.debian.org/782851
In order to make unzip build reproducibly, we remove the
(already optional) build date from the binary.
--- a/unix/unix.c
+++ b/unix/unix.c
@@ -1705,7 +1705,7 @@
#endif /* Sun */
#endif /* SGI */
-#ifdef __DATE__
+#if 0
" on ", __DATE__
#else
"", ""

View File

@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -81,23 +81,29 @@ Compression ratios of 2:1 to 3:1 are common for text files.")
(sha256
(base32
"0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"))
(patches (list (search-patch "unzip-CVE-2014-8139.patch")
(search-patch "unzip-CVE-2014-8140.patch")
(search-patch "unzip-CVE-2014-8141.patch")))))
(patches (map search-patch '("unzip-CVE-2014-8139.patch"
"unzip-CVE-2014-8140.patch"
"unzip-CVE-2014-8141.patch"
"unzip-CVE-2014-9636.patch"
"unzip-allow-greater-hostver-values.patch"
"unzip-increase-size-of-cfactorstr.patch"
"unzip-initialize-symlink-flag.patch"
"unzip-remove-build-date.patch")))))
(build-system gnu-build-system)
;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO
(arguments
`(#:make-flags '("generic_gcc")
#:phases
(alist-replace
'configure
(lambda* (#:key inputs outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out")))
(copy-file "unix/Makefile" "Makefile")
(substitute* "Makefile"
(("/usr/local") out)
(("/man/") "/share/man/"))))
%standard-phases)))
`(#:phases (modify-phases %standard-phases
(delete 'configure)
(replace 'build
(lambda* (#:key make-flags #:allow-other-keys)
(zero? (apply system* "make"
`("-j" ,(number->string
(parallel-job-count))
,@make-flags
"generic_gcc"))))))
#:make-flags (list "-f" "unix/Makefile"
(string-append "prefix=" %output)
(string-append "MANDIR=" %output "/share/man/man1"))))
(home-page "http://www.info-zip.org/UnZip.html")
(synopsis "Decompression and file extraction utility")
(description