Fri Nov 20 21:05:34 2015 UTC ()
Pullup ticket #4855 - requested by he
archivers/unzip: security fix

Revisions pulled up:
- archivers/unzip/Makefile                                      1.91
- archivers/unzip/distinfo                                      1.29
- archivers/unzip/patches/patch-crypt.c                         1.1
- archivers/unzip/patches/patch-extract.c                       1.3

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Wed Nov 11 12:47:27 UTC 2015

   Modified Files:
   	pkgsrc/archivers/unzip: Makefile distinfo
   	pkgsrc/archivers/unzip/patches: patch-extract.c
   Added Files:
   	pkgsrc/archivers/unzip/patches: patch-crypt.c

   Log Message:
   Add patches to fix CVE-2015-7696, CVE-2015-7697, and an integer underflow.

   From Debian.

   Bump PKGREVISION.


(bsiegert)
diff -r1.90 -r1.90.4.1 pkgsrc/archivers/unzip/Makefile
diff -r1.27 -r1.27.6.1 pkgsrc/archivers/unzip/distinfo
diff -r0 -r1.1.2.2 pkgsrc/archivers/unzip/patches/patch-crypt.c
diff -r1.2 -r1.2.6.1 pkgsrc/archivers/unzip/patches/patch-extract.c
cvs diff -r1.90 -r1.90.4.1 pkgsrc/archivers/unzip/Makefile (expand / switch to context diff)
--- pkgsrc/archivers/unzip/Makefile 2015/06/05 12:22:28 1.90
+++ pkgsrc/archivers/unzip/Makefile 2015/11/20 21:05:34 1.90.4.1
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.90 2015/06/05 12:22:28 sevan Exp $
+# $NetBSD: Makefile,v 1.90.4.1 2015/11/20 21:05:34 bsiegert Exp $
 
 DISTNAME=	unzip60
 PKGNAME=	unzip-6.0
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=	.tgz
cvs diff -r1.27 -r1.27.6.1 pkgsrc/archivers/unzip/distinfo (expand / switch to context diff)
--- pkgsrc/archivers/unzip/distinfo 2015/02/11 12:35:42 1.27
+++ pkgsrc/archivers/unzip/distinfo 2015/11/20 21:05:34 1.27.6.1
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.27 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: distinfo,v 1.27.6.1 2015/11/20 21:05:34 bsiegert Exp $
 
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
 Size (unzip60.tgz) = 1376845 bytes
 SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69
 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154
-SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac
+SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
+SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
 SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
File Added: pkgsrc/archivers/unzip/patches/patch-crypt.c
$NetBSD: patch-crypt.c,v 1.1.2.2 2015/11/20 21:05:34 bsiegert Exp $

Bug fix for heap overflow, from Debian.
CVE-2015-7696

--- crypt.c.orig	2007-01-05 15:47:36.000000000 +0000
+++ crypt.c
@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
     GLOBAL(pInfo->encrypted) = FALSE;
     defer_leftover_input(__G);
     for (n = 0; n < RAND_HEAD_LEN; n++) {
-        b = NEXTBYTE;
+        /* 2012-11-23 SMS.  (OUSPG report.)
+         * Quit early if compressed size < HEAD_LEN.  The resulting
+         * error message ("unable to get password") could be improved,
+         * but it's better than trying to read nonexistent data, and
+         * then continuing with a negative G.csize.  (See
+         * fileio.c:readbyte()).
+         */
+        if ((b = NEXTBYTE) == (ush)EOF)
+        {
+            return PK_ERR;
+        }
         h[n] = (uch)b;
         Trace((stdout, " (%02x)", h[n]));
     }
cvs diff -r1.2 -r1.2.6.1 pkgsrc/archivers/unzip/patches/patch-extract.c (expand / switch to context diff)
--- pkgsrc/archivers/unzip/patches/patch-extract.c 2015/02/11 12:35:42 1.2
+++ pkgsrc/archivers/unzip/patches/patch-extract.c 2015/11/20 21:05:34 1.2.6.1
@@ -1,4 +1,4 @@
-$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: patch-extract.c,v 1.2.6.1 2015/11/20 21:05:34 bsiegert Exp $
 
 Fixes for
 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
@@ -17,6 +17,10 @@
 
 This patch ensures that when extra fields use STORED mode, the
 "compressed" and uncompressed block sizes match.
+* CVE-2015-7697 (from Debian)
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
+* integer underflow
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
 
 --- extract.c.orig	2009-03-14 01:32:52.000000000 +0000
 +++ extract.c
@@ -36,7 +40,26 @@
     static ZCONST char Far InvalidComprDataEAs[] =
       " invalid compressed data for EAs\n";
  #  if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G
+         if (G.lrec.compression_method == STORED) {
+             zusz_t csiz_decrypted = G.lrec.csize;
+ 
+-            if (G.pInfo->encrypted)
++            if (G.pInfo->encrypted) {
++                if (csiz_decrypted <= 12) {
++                    /* handle the error now to prevent unsigned overflow */
++                    Info(slide, 0x401, ((char *)slide,
++                      LoadFarStringSmall(ErrUnzipNoFile),
++                      LoadFarString(InvalidComprData),
++                      LoadFarStringSmall2(Inflate)));
++                    return PK_ERR;
++                }
+                 csiz_decrypted -= 12;
++            }
+             if (G.lrec.ucsize != csiz_decrypted) {
+                 Info(slide, 0x401, ((char *)slide,
+                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l
          ebID = makeword(ef);
          ebLen = (unsigned)makeword(ef+EB_LEN);
  
@@ -46,7 +69,7 @@
             /* Discovered some extra field inconsistency! */
              if (uO.qflag)
                  Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l
                ebLen, (ef_len - EB_HEADSIZE)));
              return PK_ERR;
          }
@@ -63,7 +86,7 @@
  
          switch (ebID) {
              case EF_OS2:
-@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si
      ulg eb_ucsize;
      uch *eb_ucptr;
      int r;
@@ -71,7 +94,7 @@
  
      if (compr_offset < 4)                /* field is not compressed: */
          return PK_OK;                    /* do nothing and signal OK */
-@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si
           eb_size <= (compr_offset + EB_CMPRHEADLEN)))
          return IZ_EF_TRUNC;               /* no compressed data! */
  
@@ -85,3 +108,16 @@
      if (
  #ifdef INT_16BIT
          (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
+@@ -2701,6 +2731,12 @@ __GDEF
+     int repeated_buf_err;
+     bz_stream bstrm;
+ 
++    if (G.incnt <= 0 && G.csize <= 0L) {
++        /* avoid an infinite loop */
++        Trace((stderr, "UZbunzip2() got empty input\n"));
++        return 2;
++    }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+     if (G.redirect_slide)
+         wsize = G.redirect_size, redirSlide = G.redirect_buffer;