components/unzip/patches/04_CVE-2014-9636.patch
author Vladimir Marek <Vladimir.Marek@oracle.com>
Fri, 26 Feb 2016 15:01:20 +0100
changeset 5537 fb31633dac76
parent 4108 components/unzip/patches/CVE-2014-9636.patch@9738d7207050
permissions -rw-r--r--
22782878 The option -T (Test for Integrity/ on files named *.war fail
Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Mon, 3 Nov 2014
Subject: Info-ZIP UnZip buffer overflow
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
---
 extract.c |    8 ++++++++
 1 file changed, 8 insertions(+)
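--- a/extract.c
+++ b/extract.c
@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
     ulg eb_ucsize;
     uch *eb_ucptr;
     int r;
+    ush method;
 
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
         return IZ_EF_TRUNC;               /* no compressed data! */
 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+	return PK_ERR;			  /* compressed & uncompressed
+					   * should match in STORED
+					   * method */
+
     if (
 #ifdef INT_16BIT
         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||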
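Review bot: The added STORED check compares `eb_size - compr_offset` with `eb_ucsize`, but the context line just above it treats `compr_offset + EB_CMPRHEADLEN` as the point where the compressed data begins, so the stored payload length would be `eb_size - compr_offset - EB_CMPRHEADLEN`. As written, a field whose payload really equals `eb_ucsize` appears to be rejected with PK_ERR, while one whose sizes differ by exactly EB_CMPRHEADLEN is accepted, which leaves the size mismatch the patch is meant to stop. The additive form states the layout directly and avoids a subtraction that could wrap if these are unsigned: `if ((method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))`. The start of the preceding truncation condition is outside the hunk, so it is also worth confirming that `eb_size` is always known to cover `compr_offset + EB_CMPRHEADLEN` before `makeword()` reads the method word. test_compr_eb begins and ends outside the hunk.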