Thursday, February 03, 2022

unzip: cve-2021-4217

Hi ports@,

According to the following link, a CVE exists for unzip.
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077

Attached is a diff that adds the patch to /usr/ports.

The author of the patch claimed the following:

> I attached a fix for the reported issue. However, since I am not
> familiar with unzip, someone should review it. Thanks!

Any thoughts on this?

mbuhl


Index: archivers/unzip/Makefile
===================================================================
RCS file: /cvs/ports/archivers/unzip/Makefile,v
retrieving revision 1.66
diff -u -p -r1.66 Makefile
--- archivers/unzip/Makefile 14 Nov 2020 17:45:17 -0000 1.66
+++ archivers/unzip/Makefile 29 Jan 2022 17:06:07 -0000
@@ -7,7 +7,7 @@ COMMENT = extract, list & test files in
VERSION = 6.0
DISTNAME = unzip${VERSION:S/.//}
PKGNAME = unzip-${VERSION}
-REVISION = 14
+REVISION = 15
CATEGORIES = archivers
MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=infozip/} \
ftp://ftp.info-zip.org/pub/infozip/src/
Index: archivers/unzip/patches/patch-fileio_c
===================================================================
RCS file: /cvs/ports/archivers/unzip/patches/patch-fileio_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-fileio_c
--- archivers/unzip/patches/patch-fileio_c 11 Mar 2020 21:57:32 -0000 1.2
+++ archivers/unzip/patches/patch-fileio_c 29 Jan 2022 17:05:57 -0000
@@ -5,6 +5,9 @@ Fix CVE-2018-1000035: buffer overflow fo
https://security-tracker.debian.org/tracker/CVE-2018-1000035
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
+Fix CVE-2021-4217: null pointer dereference
+https://bugs.launchpad.net/bugs/cve/2021-4217
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch

Index: fileio.c
--- fileio.c.orig
@@ -60,9 +63,16 @@ Index: fileio.c
sprintf(prompt, LoadFarString(PasswPrompt),
FnFilter1(zfn), FnFilter2(efn));
m = prompt;
-@@ -2295,7 +2311,12 @@ int do_string(__G__ length, option) /* return PK-typ
- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+@@ -2292,10 +2308,18 @@ int do_string(__G__ length, option) /* return PK-typ
+ seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+ (G.inptr-G.inbuf) + length);
+ } else {
+- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++ if (bytes_read == 0)
return PK_EOF;
++ if (bytes_read != length)
++ return PK_ERR;
/* Looks like here is where extra fields are read */
- getZip64Data(__G__ G.extra_field, length);
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
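Review bot: The new short-read branch `if (bytes_read != length) return PK_ERR;` carries no comment saying why a partial fill of G.extra_field must be rejected; the rationale only lives in the patch-header link. A one-line comment above it would keep the intent with the code, e.g. `/* a short read leaves the tail of G.extra_field uninitialized; getZip64Data() would parse it */`. The return type of readbuf() is not visible in this hunk; storing its result in an `unsigned` is only safe if a read error is reported as 0 rather than a negative value, which is worth confirming against fileio.c. do_string()'s body continues outside the hunk.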
Index: archivers/unzip/patches/patch-process_c
===================================================================
RCS file: /cvs/ports/archivers/unzip/patches/patch-process_c,v
retrieving revision 1.5
diff -u -p -r1.5 patch-process_c
--- archivers/unzip/patches/patch-process_c 14 Nov 2020 17:45:17 -0000 1.5
+++ archivers/unzip/patches/patch-process_c 29 Jan 2022 17:05:03 -0000
@@ -11,6 +11,9 @@ Fix: restore uid and gid information whe
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
+Fix CVE-2021-4217: null pointer dereference
+https://bugs.launchpad.net/bugs/cve/2021-4217
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch

Index: process.c
--- process.c.orig
@@ -184,7 +187,23 @@ Index: process.c
ef_buf += (eb_len + EB_HEADSIZE);
ef_len -= (eb_len + EB_HEADSIZE);
}
-@@ -2037,6 +2099,8 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+@@ -2002,10 +2064,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+ G.unipath_checksum = makelong(offset + ef_buf);
+ offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+ /*
+ * Compute 32-bit crc
+ */
+-
+ chksum = crc32(chksum, (uch *)(G.filename_full),
+ strlen(G.filename_full));
+
+@@ -2037,6 +2103,8 @@ int getUnicodeData(__G__ ef_buf, ef_len)
(ZCONST char *)(offset + ef_buf), ULen);
G.unipath_filename[ULen] = '\0';
}
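Review bot: The comment `/* Check if we have a unicode extra section but no filename set */` sits inside the body of the new `if (!G.filename_full)` block, after the test it explains; placing it above the `if` reads naturally, and it should also state what the early return means, e.g. `/* Unicode extra field present but no filename set: refuse to checksum a NULL path */`. The hunk also drops an unrelated blank line (the `-` line before the crc32 call) that is not part of the fix; keeping a security backport minimal makes it easier to compare against the upstream patch. Whether the caller of getUnicodeData() acts on PK_ERR is not visible here, and G.unipath_checksum has already been assigned before the early return, so a failed call leaves that field set — worth a sentence in the comment if that is intended. getUnicodeData()'s body continues on both sides of the hunk.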
@@ -193,7 +212,7 @@ Index: process.c
}

/* Skip this extra field block */
-@@ -2867,10 +2931,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
+@@ -2867,10 +2935,13 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
break;

case EF_IZUNIX2:
@@ -209,7 +228,7 @@ Index: process.c
#ifdef IZ_HAVE_UXUIDGID
if (have_new_type_eb > 1)
break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
-@@ -2886,6 +2953,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
+@@ -2886,6 +2957,8 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
/* new 3rd generation Unix ef */
have_new_type_eb = 2;

@@ -218,7 +237,7 @@ Index: process.c
/*
Version 1 byte version of this extra field, currently 1
UIDSize 1 byte Size of UID field
-@@ -2897,7 +2966,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
+@@ -2897,7 +2970,7 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
#ifdef IZ_HAVE_UXUIDGID
if (eb_len >= EB_UX3_MINLEN
&& z_uidgid != NULL
@@ -227,7 +246,7 @@ Index: process.c
/* only know about version 1 */
{
uch uid_size;
-@@ -2906,13 +2975,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
+@@ -2906,13 +2979,11 @@ unsigned ef_scan_for_izux(ef_buf, ef_len, ef_is_c, dos
uid_size = *((EB_HEADSIZE + 1) + ef_buf);
gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
