fix 2019-13232

2020-03-03 09:49:06 +08:00 · 2020-03-03 09:49:06 +08:00 · b2c29345c8
commit b2c29345c8
parent 675c835d46
4 changed files with 41 additions and 37 deletions
--- a/CVE-2019-13232-fur1.patch
+++ b/CVE-2019-13232-fur1.patch
@ -24,7 +24,7 @@ index 0973a33..1b73cb0 100644
@@ -493,8 +493,11 @@ int extract_or_test_files(__G)    /* return PK-type error code */
     }
 #endif /* !SFX || SFX_EXDIR */
-
+ 
 -    /* One more: initialize cover structure for bomb detection. Start with a
 -       span that covers the central directory though the end of the file. */
 +    /* One more: initialize cover structure for bomb detection. Start with
@ -62,7 +62,7 @@ index 0973a33..1b73cb0 100644
 +          LoadFarString(OverlappedComponents)));
 +        return PK_BOMB;
 +    }
-
+ 
 /*---------------------------------------------------------------------------
     The basic idea of this function is as follows.  Since the central di-
 diff --git a/process.c b/process.c
@ -70,14 +70,14 @@ index d2e4dc3..d75d405 100644
 --- a/process.c
 +++ b/process.c
@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen)         /* return PK-class error */
-
+ 
     /* Now, we are (almost) sure that we have a Zip64 archive. */
     G.ecrec.have_ecr64 = 1;
 +    G.ecrec.ec_start -= ECLOC64_SIZE+4;
 +    G.ecrec.ec64_start = ecrec64_start_offset;
 +    G.ecrec.ec64_end = ecrec64_start_offset +
 +                       12 + makeint64(&byterec[ECREC64_LENGTH]);
-
+ 
     /* Update the "end-of-central-dir offset" for later checks. */
     G.real_ecrec_offset = ecrec64_start_offset;
@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen)          /* return PK-class error */
@ -86,7 +86,7 @@ index d2e4dc3..d75d405 100644
       makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
 +    G.ecrec.ec_start = G.real_ecrec_offset;
 +    G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
-
+ 
     /* Now, we have to read the archive comment, BEFORE the file pointer
        is moved away backwards to seek for a Zip64 ECLOC64 structure.
 diff --git a/unzpriv.h b/unzpriv.h
@ -108,4 +108,5 @@ index dc9eff5..297b3c7 100644
 +                                           end of the Zip64 end of central
 +                                           directory record */
    } ecdir_rec;
-
+ 
+ 
--- a/CVE-2019-13232-fur2.patch
+++ b/CVE-2019-13232-fur2.patch
@ -22,7 +22,7 @@ index 3a01d13..031efdb 100644
     size_t max;         /* allocated number of spans (num <= max) */
 +    unsigned long count;
 } cover_t;
-
+ 
 /*
  * Return the index of the first span in cover whose beg is greater than val.
  * If there is no such span, then cover->num is returned.
@ -62,7 +62,7 @@ index 3a01d13..031efdb 100644
 +    size_t pos = cover_find(cover, val, 0);
     return pos > 0 && val < cover->span[pos - 1].end;
 }
-
+ 
 +static int is_exceed_max_overlaps(cover, val)
 +    cover_t *cover;
 +{
@ -80,10 +80,10 @@ index 3a01d13..031efdb 100644
 +    size_t pos_beg;
 +    size_t pos_end;
     int prec, foll;
-
+ 
     if (beg >= end)
@@ -396,31 +412,76 @@ static int cover_add(cover, beg, end)
-
+ 
     /* Find where the new span should go, and make sure that it does not
        overlap with any existing spans. */
 -    pos = cover_find(cover, beg);
@ -92,7 +92,7 @@ index 3a01d13..031efdb 100644
 -        return 1;
 +    pos_beg = cover_find(cover, beg, 0);
 +    pos_end = cover_find(cover, end, 1);
-
+ 
     /* Check for adjacencies. */
 -    prec = pos > 0 && beg == cover->span[pos - 1].end;
 -    foll = pos < cover->num && end == cover->span[pos].beg;
@ -198,7 +198,7 @@ index 3a01d13..031efdb 100644
                   G.extra_bytes + G.ecrec.offset_start_central_directory,
                   G.extra_bytes + G.ecrec.offset_start_central_directory +
@@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
-
+ 
         /* seek_zipf(__G__ pInfo->offset);  */
         request = G.pInfo->offset + G.extra_bytes;
 -        if (cover_within((cover_t *)G.cover, request)) {
@ -252,12 +252,12 @@ index 5b7d288..8c4c37e 100644
 +  -g  limit the number of overlap files\n";
 #endif /* ?VM_CMS */
 #endif /* ?MACOS */
-
+ 
@@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv)
     extern char OEM_CP[MAX_CP_NAME];
     extern char ISO_CP[MAX_CP_NAME];
 #endif
-
+-    
 +    uO.max_overlaps = (unsigned long)(-1);  /* if not set, uncheck overlaps */
     while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
         s = *argv + 1;
@ -307,7 +307,7 @@ index ed24a5b..a7e8a64 100644
 #endif /* !FUNZIP */
 +    unsigned long max_overlaps;  /* Maximum number of overlaps allowed */
 } UzpOpts;
-
+ 
 /* intended to be a private struct: */
 diff --git a/unzip.txt b/unzip.txt
 index e8e9719..6594ee6 100644
@ -315,23 +315,24 @@ index e8e9719..6594ee6 100644
 +++ b/unzip.txt
@@ -4,7 +4,7 @@ NAME
        unzip - list, test and extract compressed files in a ZIP archive
-
+ 
 SYNOPSIS
 -       unzip  [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...]
 +       unzip  [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...]
        [-x xfile(s) ...] [-d exdir]
-
+ 
 DESCRIPTION
@@ -177,6 +177,10 @@ OPTIONS
               implemented but will be in future releases.
-
+ 
        -z     display only the archive comment.
 +       -g num
 +              limit the number of overlap files. When the number of overlap f-
 +              iles exceeds the num we set, it is a bomb. the num is a decimal
 +              number.
-
+ 
 MODIFIERS
        -a     convert  text files.  Ordinarily all files are extracted exactly
--
+-- 
 1.8.3.1
+
--- a/CVE-2019-13232-pre.patch
+++ b/CVE-2019-13232-pre.patch
@ -1,5 +1,7 @@
 From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
 From: Mark Adler <madler@alumni.caltech.edu>
+From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
 Date: Mon, 27 May 2019 08:20:32 -0700
 Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.

@ -22,4 +24,4 @@ index c042987..bc00d74 100644
 +            G.csize = 0L;
         G.incnt = G.incnt_leftover + (int)G.csize;
         G.inptr = G.inptr_leftover - (int)G.csize;
-         G.incnt_leftover = 0;
+         G.incnt_leftover = 0;
--- a/CVE-2019-13232.patch
+++ b/CVE-2019-13232.patch
@ -158,9 +158,9 @@ index 1acd769..0973a33 100644
 +    }
 +    return 0;
 +}
-
-
-
+ 
+ 
+ 
@@ -374,6 +493,29 @@ int extract_or_test_files(__G)    /* return PK-type error code */
     }
 #endif /* !SFX || SFX_EXDIR */
@ -202,7 +202,7 @@ index 1acd769..0973a33 100644
                 reached_end = FALSE;
                 /* ... and cancel scanning the central directory */
@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
-
+ 
         /* seek_zipf(__G__ pInfo->offset);  */
         request = G.pInfo->offset + G.extra_bytes;
 +        if (cover_within((cover_t *)G.cover, request)) {
@ -212,7 +212,7 @@ index 1acd769..0973a33 100644
 +        }
         inbuf_offset = request % INBUFSIZ;
         bufstart = request - inbuf_offset;
-
+ 
@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
             return IZ_CTRLC;        /* cancel operation by user request */
         }
@ -234,7 +234,7 @@ index 1acd769..0973a33 100644
 #endif
@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G)    /* return PK-type error code */
     }
-
+ 
     undefer_input(__G);
 +
 +    if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
@ -265,7 +265,7 @@ index 1acd769..0973a33 100644
 +    }
 +
     return error;
-
+ 
 } /* end function extract_or_test_member() */
 diff --git a/globals.c b/globals.c
 index fa8cca5..1e0f608 100644
@ -277,7 +277,7 @@ index fa8cca5..1e0f608 100644
 # endif
 +    G.cover = NULL;     /* not allocated yet */
 #endif
-
+ 
     uO.lflag=(-1);
 diff --git a/globals.h b/globals.h
 index 11b7215..2bdcdeb 100644
@ -286,7 +286,7 @@ index 11b7215..2bdcdeb 100644
@@ -260,12 +260,15 @@ typedef struct Globals {
     ecdir_rec       ecrec;         /* used in unzip.c, extract.c */
     z_stat   statbuf;              /* used by main, mapname, check_for_newer */
-
+ 
 +    int zip64;                     /* true if Zip64 info in extra field */
 +
     int      mem_mode;
@ -296,7 +296,7 @@ index 11b7215..2bdcdeb 100644
     int      disk_full;
     int      newfile;
 +    void     **cover;              /* used in extract.c for bomb detection */
-
+ 
     int      didCRlast;            /* fileio static */
     ulg      numlines;             /* fileio static: number of lines printed */
 diff --git a/process.c b/process.c
@ -306,7 +306,7 @@ index 1e9a1e1..d2e4dc3 100644
@@ -637,6 +637,13 @@ void free_G_buffers(__G)     /* releases all memory allocated in global vars */
     }
 #endif
-
+ 
 +    /* Free the cover span list and the cover structure. */
 +    if (G.cover != NULL) {
 +        free(*(G.cover));
@ -315,17 +315,17 @@ index 1e9a1e1..d2e4dc3 100644
 +    }
 +
 } /* end function free_G_buffers() */
-
-
+ 
+ 
@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
 #define Z64FLGS 0xffff
 #define Z64FLGL 0xffffffff
-
+ 
 +    G.zip64 = FALSE;
 +
     if (ef_len == 0 || ef_buf == NULL)
         return PK_COOL;
-
+ 
@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
             offset += 4;
@ -346,4 +346,4 @@ index 5b2a326..ed24a5b 100644
 +#define PK_BOMB           12   /* likely zip bomb */
 #define PK_DISK           50   /* disk full */
 #define PK_EOF            51   /* unexpected EOF */
- 
+