diff --git a/CVE-2019-13232-fur1.patch b/CVE-2019-13232-fur1.patch index bdc3dc0..ab975d1 100644 --- a/CVE-2019-13232-fur1.patch +++ b/CVE-2019-13232-fur1.patch @@ -24,7 +24,7 @@ index 0973a33..1b73cb0 100644 @@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ } #endif /* !SFX || SFX_EXDIR */ - + - /* One more: initialize cover structure for bomb detection. Start with a - span that covers the central directory though the end of the file. */ + /* One more: initialize cover structure for bomb detection. Start with @@ -62,7 +62,7 @@ index 0973a33..1b73cb0 100644 + LoadFarString(OverlappedComponents))); + return PK_BOMB; + } - + /*--------------------------------------------------------------------------- The basic idea of this function is as follows. Since the central di- diff --git a/process.c b/process.c @@ -70,14 +70,14 @@ index d2e4dc3..d75d405 100644 --- a/process.c +++ b/process.c @@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ - + /* Now, we are (almost) sure that we have a Zip64 archive. */ G.ecrec.have_ecr64 = 1; + G.ecrec.ec_start -= ECLOC64_SIZE+4; + G.ecrec.ec64_start = ecrec64_start_offset; + G.ecrec.ec64_end = ecrec64_start_offset + + 12 + makeint64(&byterec[ECREC64_LENGTH]); - + /* Update the "end-of-central-dir offset" for later checks. */ G.real_ecrec_offset = ecrec64_start_offset; @@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ @@ -86,7 +86,7 @@ index d2e4dc3..d75d405 100644 makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); + G.ecrec.ec_start = G.real_ecrec_offset; + G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; - + /* Now, we have to read the archive comment, BEFORE the file pointer is moved away backwards to seek for a Zip64 ECLOC64 structure. diff --git a/unzpriv.h b/unzpriv.h @@ -108,4 +108,5 @@ index dc9eff5..297b3c7 100644 + end of the Zip64 end of central + directory record */ } ecdir_rec; - + + 
diff --git a/CVE-2019-13232-fur2.patch b/CVE-2019-13232-fur2.patch index 932ee79..22671a0 100644 --- a/CVE-2019-13232-fur2.patch +++ b/CVE-2019-13232-fur2.patch @@ -22,7 +22,7 @@ index 3a01d13..031efdb 100644 size_t max; /* allocated number of spans (num <= max) */ + unsigned long count; } cover_t; - + /* * Return the index of the first span in cover whose beg is greater than val. * If there is no such span, then cover->num is returned. @@ -62,7 +62,7 @@ index 3a01d13..031efdb 100644 + size_t pos = cover_find(cover, val, 0); return pos > 0 && val < cover->span[pos - 1].end; } - + +static int is_exceed_max_overlaps(cover, val) + cover_t *cover; +{ @@ -80,10 +80,10 @@ index 3a01d13..031efdb 100644 + size_t pos_beg; + size_t pos_end; int prec, foll; - + if (beg >= end) @@ -396,31 +412,76 @@ static int cover_add(cover, beg, end) - + /* Find where the new span should go, and make sure that it does not overlap with any existing spans. */ - pos = cover_find(cover, beg); @@ -92,7 +92,7 @@ index 3a01d13..031efdb 100644 - return 1; + pos_beg = cover_find(cover, beg, 0); + pos_end = cover_find(cover, end, 1); - + /* Check for adjacencies. */ - prec = pos > 0 && beg == cover->span[pos - 1].end; - foll = pos < cover->num && end == cover->span[pos].beg; @@ -198,7 +198,7 @@ index 3a01d13..031efdb 100644 G.extra_bytes + G.ecrec.offset_start_central_directory, G.extra_bytes + G.ecrec.offset_start_central_directory + @@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk, - + /* seek_zipf(__G__ pInfo->offset); */ request = G.pInfo->offset + G.extra_bytes; - if (cover_within((cover_t *)G.cover, request)) { @@ -252,12 +252,12 @@ index 5b7d288..8c4c37e 100644 + -g limit the number of overlap files\n"; #endif /* ?VM_CMS */ #endif /* ?MACOS */ - + 
@@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv) extern char OEM_CP[MAX_CP_NAME]; extern char ISO_CP[MAX_CP_NAME]; #endif -- +- + uO.max_overlaps = (unsigned long)(-1); /* if not set, uncheck overlaps */ while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { s = *argv + 1; @@ -307,7 +307,7 @@ index ed24a5b..a7e8a64 100644 #endif /* !FUNZIP */ + unsigned long max_overlaps; /* Maximum number of overlaps allowed */ } UzpOpts; - + /* intended to be a private struct: */ diff --git a/unzip.txt b/unzip.txt index e8e9719..6594ee6 100644 @@ -315,23 +315,24 @@ index e8e9719..6594ee6 100644 +++ b/unzip.txt @@ -4,7 +4,7 @@ NAME unzip - list, test and extract compressed files in a ZIP archive - + SYNOPSIS - unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...] + unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...] [-x xfile(s) ...] [-d exdir] - + DESCRIPTION @@ -177,6 +177,10 @@ OPTIONS implemented but will be in future releases. - + -z display only the archive comment. + -g num + limit the number of overlap files. When the number of overlap f- + iles exceeds the num we set, it is a bomb. the num is a decimal + number. - + MODIFIERS -a convert text files. Ordinarily all files are extracted exactly --- +-- 1.8.3.1 + diff --git a/CVE-2019-13232-pre.patch b/CVE-2019-13232-pre.patch index 64a1b59..edf234a 100644 --- a/CVE-2019-13232-pre.patch +++ b/CVE-2019-13232-pre.patch @@ -1,5 +1,7 @@ From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 From: Mark Adler +From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 +From: Mark Adler Date: Mon, 27 May 2019 08:20:32 -0700 Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state. @@ -22,4 +24,4 @@ index c042987..bc00d74 100644 + G.csize = 0L; G.incnt = G.incnt_leftover + (int)G.csize; G.inptr = G.inptr_leftover - (int)G.csize; - G.incnt_leftover = 0; \ No newline at end of file + G.incnt_leftover = 0; 
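Review bot: The two added lines in the `@@ -1,5 +1,7 @@` hunk of CVE-2019-13232-pre.patch repeat the `From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001` separator and the `From: Mark Adler` header that already sit directly above them as context, so the new file opens with the mail header twice. Tools that split on the mbox `From ` line (git am, for instance) may treat the first copy as an empty message, while plain patch(1) skips leading text; which applies depends on how the package consumes the file, which is not visible here. Unless the duplication is intentional, drop the two added lines so the header appears once and the upstream commit id and author stay unambiguous for anyone auditing the provenance of this CVE fix.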
diff --git a/CVE-2019-13232.patch b/CVE-2019-13232.patch index d8f4a90..c7ace14 100644 --- a/CVE-2019-13232.patch +++ b/CVE-2019-13232.patch @@ -158,9 +158,9 @@ index 1acd769..0973a33 100644 + } + return 0; +} - - - + + + @@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ } #endif /* !SFX || SFX_EXDIR */ @@ -202,7 +202,7 @@ index 1acd769..0973a33 100644 reached_end = FALSE; /* ... and cancel scanning the central directory */ @@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk, - + /* seek_zipf(__G__ pInfo->offset); */ request = G.pInfo->offset + G.extra_bytes; + if (cover_within((cover_t *)G.cover, request)) { @@ -212,7 +212,7 @@ index 1acd769..0973a33 100644 + } inbuf_offset = request % INBUFSIZ; bufstart = request - inbuf_offset; - + @@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk, return IZ_CTRLC; /* cancel operation by user request */ } @@ -234,7 +234,7 @@ index 1acd769..0973a33 100644 #endif @@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ } - + undefer_input(__G); + + if ((G.lrec.general_purpose_bit_flag & 8) != 0) { @@ -265,7 +265,7 @@ index 1acd769..0973a33 100644 + } + return error; - + } /* end function extract_or_test_member() */ diff --git a/globals.c b/globals.c index fa8cca5..1e0f608 100644 @@ -277,7 +277,7 @@ index fa8cca5..1e0f608 100644 # endif + G.cover = NULL; /* not allocated yet */ #endif - + uO.lflag=(-1); diff --git a/globals.h b/globals.h index 11b7215..2bdcdeb 100644 @@ -286,7 +286,7 @@ index 11b7215..2bdcdeb 100644 @@ -260,12 +260,15 @@ typedef struct Globals { ecdir_rec ecrec; /* used in unzip.c, extract.c */ z_stat statbuf; /* used by main, mapname, check_for_newer */ - + + int zip64; /* true if Zip64 info in extra field */ + int mem_mode; 
@@ -296,7 +296,7 @@ index 11b7215..2bdcdeb 100644 int disk_full; int newfile; + void **cover; /* used in extract.c for bomb detection */ - + int didCRlast; /* fileio static */ ulg numlines; /* fileio static: number of lines printed */ diff --git a/process.c b/process.c @@ -306,7 +306,7 @@ index 1e9a1e1..d2e4dc3 100644 @@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ } #endif - + + /* Free the cover span list and the cover structure. */ + if (G.cover != NULL) { + free(*(G.cover)); @@ -315,17 +315,17 @@ index 1e9a1e1..d2e4dc3 100644 + } + } /* end function free_G_buffers() */ - - + + @@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len) #define Z64FLGS 0xffff #define Z64FLGL 0xffffffff - + + G.zip64 = FALSE; + if (ef_len == 0 || ef_buf == NULL) return PK_COOL; - + @@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len) G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); offset += 4; @@ -346,4 +346,4 @@ index 5b2a326..ed24a5b 100644 +#define PK_BOMB 12 /* likely zip bomb */ #define PK_DISK 50 /* disk full */ #define PK_EOF 51 /* unexpected EOF */ - \ No newline at end of file +