annotate compression/unzip/CVE-2014-9636.patch @ 586:1218a8f753b6
core/busybox: let's re-add /etc/inittab support
While busybox has weird /etc/inittab support the predefined actions without it
are too minimalistic so re-add the support for it but don't install an
/etc/inittab file.
The /etc/inittab file is still installed with sysvinit, but anyone who wants
to use busybox's init should create their own /etc/inittab file with the
busybox syntax and not install sysvinit afterwards.
author | David Demelier <markand@malikania.fr> |
---|---|
date | Mon, 08 Jul 2019 20:35:00 +0200 |
parents | 8c4366128400 |
children |
rev | line source |
---|---|
1 From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 |
2 From: mancha <mancha1 AT zoho DOT com> |
3 Date: Wed, 11 Feb 2015 |
4 Subject: Info-ZIP UnZip buffer overflow |
5 |
6 By carefully crafting a corrupt ZIP archive with "extra fields" that |
7 purport to have compressed blocks larger than the corresponding |
8 uncompressed blocks in STORED no-compression mode, an attacker can |
9 trigger a heap overflow that can result in application crash or |
10 possibly have other unspecified impact. |
11 |
12 This patch ensures that when extra fields use STORED mode, the |
13 "compressed" and uncompressed block sizes match. |
14 |
15 --- |
16 extract.c | 8 ++++++++ |
17 1 file changed, 8 insertions(+) |
18 |
19 --- a/extract.c |
20 +++ b/extract.c |
21 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si |
22 ulg eb_ucsize; |
23 uch *eb_ucptr; |
24 int r; |
25 + ush method; |
26 |
27 if (compr_offset < 4) /* field is not compressed: */ |
28 return PK_OK; /* do nothing and signal OK */ |
29 @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si |
30 eb_size <= (compr_offset + EB_CMPRHEADLEN))) |
31 return IZ_EF_TRUNC; /* no compressed data! */ |
32 |
33 + method = makeword(eb + (EB_HEADSIZE + compr_offset)); |
34 + if ((method == STORED) && |
35 + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) |
36 + return PK_ERR; /* compressed & uncompressed |
37 + * should match in STORED |
38 + * method */ |
39 + |
40 if ( |
41 #ifdef INT_16BIT |
42 (((ulg)(extent)eb_ucsize) != eb_ucsize) || |
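Review bot: The new STORED check at patch lines 34-35 computes `eb_size - compr_offset - EB_CMPRHEADLEN` in unsigned arithmetic, so it wraps if eb_size is not larger than the header it subtracts, and the `makeword` read at `eb + (EB_HEADSIZE + compr_offset)` assumes the same bound. The only guard visible above it, `eb_size <= (compr_offset + EB_CMPRHEADLEN)` returning IZ_EF_TRUNC, is the tail of a condition that starts outside the hunk, so whether it holds on every path that reaches the new lines cannot be confirmed from here. I would state that size precondition in a comment above the check and consider the additive form `(eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))`, which presumably keeps the comparison in the width of eb_ucsize rather than relying on wrap-around. test_compr_eb starts and ends outside the hunk.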