view compression/unzip/CVE-2014-9636.patch @ 586:1218a8f753b6

core/busybox: let's re-add /etc/inittab support. While busybox has weird /etc/inittab support, the predefined actions without it are too minimalistic, so re-add the support for it but don't install an /etc/inittab file. The /etc/inittab file is still installed with sysvinit, but if someone wants to use busybox's init they should create their own /etc/inittab file with the busybox syntax and not install sysvinit afterwards.
author David Demelier <markand@malikania.fr>
date Mon, 08 Jul 2019 20:35:00 +0200
parents 8c4366128400
children

From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 11 Feb 2015
Subject: Info-ZIP UnZip buffer overflow

By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.

This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.

---
 extract.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/extract.c
+++ b/extract.c
@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
     ulg eb_ucsize;
     uch *eb_ucptr;
     int r;
+    ush method;
 
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
         return IZ_EF_TRUNC;               /* no compressed data! */
 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) &&
+        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
+	return PK_ERR;			  /* compressed & uncompressed
+					   * should match in STORED
+					   * method */
+
     if (
 #ifdef INT_16BIT
         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
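Review bot: the new size check is only safe because the guard just above it (`eb_size <= (compr_offset + EB_CMPRHEADLEN)` returning `IZ_EF_TRUNC`) has already ruled out `eb_size` being too small, so `eb_size - compr_offset - EB_CMPRHEADLEN` cannot wrap in unsigned arithmetic; that ordering dependency deserves a comment next to the `if ((method == STORED) &&` test so a later reorder does not reintroduce an underflow. Two smaller points: the `return PK_ERR;` line and its comment block are tab-indented while the rest of `test_compr_eb` uses spaces, and the comment would be clearer as "compressed and uncompressed sizes must match for the STORED method".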