# HG changeset patch # User Jiri Sasek # Date 1428933989 25200 # Node ID 9738d7207050105d58012140d0c9f138d1db7b69 # Parent fc74767e62e5531423d7fc33ed1b382b0634917f 20869400 problem in UTILITY/ZIP diff -r fc74767e62e5 -r 9738d7207050 components/unzip/patches/CVE-2014-9636.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/unzip/patches/CVE-2014-9636.patch Mon Apr 13 07:06:29 2015 -0700 @@ -0,0 +1,44 @@ +Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945 +More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 + +From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001 +From: mancha +Date: Mon, 3 Nov 2014 +Subject: Info-ZIP UnZip buffer overflow + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. + +--- + extract.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/extract.c ++++ b/extract.c +@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si + eb_size <= (compr_offset + EB_CMPRHEADLEN))) + return IZ_EF_TRUNC; /* no compressed data! */ + ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) ||