From patchwork Sat Jul 20 18:26:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Khem Raj X-Patchwork-Id: 169311 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp5387235ilk; Sat, 20 Jul 2019 11:26:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqwuWHgK+eTCFfImJFnUvFeCw3uZp8mS18Uq2RH6sbv2bfhLyGxL8bfq/sF7+DXya6WGEWOd X-Received: by 2002:a17:902:8bc1:: with SMTP id r1mr15470326plo.42.1563647218539; Sat, 20 Jul 2019 11:26:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563647218; cv=none; d=google.com; s=arc-20160816; b=V65cqC2UQifj6mbZwtomKbqQDgviHIye4DNHHpSfNOcCx7R+u08hmtNYtfb7fhb5Tj c1NuPfanY34iqUn2/QHzY8x6N9lo5LREOAIdNiGQhCkSEohtOpiFtCiRXttN/ePRSKvN 9Ya/Jg5YRjca6dgDzxB70bcXLXGeZ5WEdcl17zA1XQdYmCCNJuGDrhKw8qma5Ns++Mkk rnus8tVan5g5UZEqu+PHk7fCuOIywTfFWcCOw7qSHJAZnjF/6Ch1gxkj/lH8WPVr8a1p UO1jQ7iveA/35sTbLDKWPkBm8d3hswMn60/MjnUN1bOfPA2rdkJpS48SaPOUwA++KZi3 PaZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:delivered-to; bh=5uaLHWLPJhr0Evbe9gNs4AZn5czIHw2ZoAYnkIsWeHY=; b=aplKj4cgkxIIAv0NsxUJEIWw2m4620iFpJPzJZ4O+kzvK2v3W6aEpAWAoX58+vz7wX hT/b6KRqGeQiw+/z0fGCNIGagJLShtWfoLyIOE58UTuwn1y+ZV+dkyUmfggbSl0niri2 eMb9ZkzPHjYJnqpQOL0/xUq52OJF4l2rWO5Jh9GEjXxMdO9xE5kAQLIOpZYQyFhKeoe0 s0rVzujbvPmA6UT6Rq4RlD8ZIdd/qZnKNaSavCDCwsT4kqnOeFyOMYPyE54sp92cXcGd rvN3eCki+6W1imp6zUfD6i+pvUTtTzgwT0IHstS8nmiUutVhl6H+pFEMNlvTJXoW+3LF 9ADg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=PTzNIq4m; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id o3si1652923plb.238.2019.07.20.11.26.58; Sat, 20 Jul 2019 11:26:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=PTzNIq4m; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 5EE887F0C2; Sat, 20 Jul 2019 18:26:55 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pl1-f195.google.com (mail-pl1-f195.google.com [209.85.214.195]) by mail.openembedded.org (Postfix) with ESMTP id 661557F0BD for ; Sat, 20 Jul 2019 18:26:54 +0000 (UTC) Received: by mail-pl1-f195.google.com with SMTP id i2so17190857plt.1 for ; Sat, 20 Jul 2019 11:26:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=xS8NIQYXsH8mbB22hsWnecLKhi/NlcFZX81eXLZQ1d0=; b=PTzNIq4mjOLW2OGsjhL6JxmguvYxlOSKZFXyjeYbBxKZM51M+iwc3NQGam2ijDL7Xu C9vz5sH7P2LPPQRfsism1x5CBBLBtq1Enhxp/sr4Ko9qYMaI/9rmYE1FlsscEBwJmGV3 5Bx8cBHAW9iQVNolpINbVvQIG/bZt44T4TFtxybiWWGA3iEGN3EAQpUA90LyZ+49exMg zas2hqMdxOhm3LstFzOHfJcQCA9y/DyH5pOZEItLx+W1Gb242bU+iOo3S8WKC9eEf2tU byQyxzeve7n07ZHiFIDK9p3DNX404tUpuCEoUTULq1Ws3O09ugbNI6jw5swkcP9AqI1I kf2g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=xS8NIQYXsH8mbB22hsWnecLKhi/NlcFZX81eXLZQ1d0=; b=B9KecjNtOTKcvyjfRmPrCvcWmT9UkhgUKkwVPSR77jDHf/kPMIRD9S25/HXszcO8Cr 7KWFdIOhy0p8aSE0ZAuGe4OQm666VIYFFBHp2X1fvbbagabxQdzQuhw6Bp1J7lnf9kPu XqKSreNt+mxKIsUojiInwoCI2IH/RXqDgt7JRcXLKUGpxrI0IEpP5o5kjymHsj64J3ZV 2GUGdUO4u9kDEsvzDFioJ0GgQ42XgnWjOWDRrUIfXzh/4PugASCFf3jiBC4p0RhTzMF3 e+Vc2/yFNiyBNFBIngBNEt1zX7bxaefTq0ZzH/aZXqcL3FTmup66nJRUMklgff7L2nfV iOJg== X-Gm-Message-State: APjAAAVPqQeRuFNwvCPsDTxPZAyQTGZNYbwwYMatX0WBs9IGMnjM6dv1 U4q85Kqa+jMDbPPnuHwngTNvuFWj3ho= X-Received: by 2002:a17:902:e613:: with SMTP id cm19mr60262809plb.299.1563647215045; Sat, 20 Jul 2019 11:26:55 -0700 (PDT) Received: from apollo.hsd1.ca.comcast.net (c-73-71-176-3.hsd1.ca.comcast.net. [73.71.176.3]) by smtp.gmail.com with ESMTPSA id 23sm37896621pfn.176.2019.07.20.11.26.54 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Sat, 20 Jul 2019 11:26:54 -0700 (PDT) From: Khem Raj To: openembedded-core@lists.openembedded.org Date: Sat, 20 Jul 2019 11:26:45 -0700 Message-Id: <20190720182645.16464-1-raj.khem@gmail.com> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 Subject: [OE-core] [PATCH] Revert "unzip: fix CVE-2019-13232" X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org See [1] This reverts commit 4df4de2ac8bc0e80446e1ad0ce67eb244e2d2a32. [1] http://lists.openembedded.org/pipermail/openembedded-core/2019-July/284859.html Signed-off-by: Khem Raj Cc: Anuj Mittal --- .../unzip/unzip/CVE-2019-13232.patch | 339 ------------------ meta/recipes-extended/unzip/unzip_6.0.bb | 1 - 2 files changed, 340 deletions(-) delete mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232.patch -- 2.22.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232.patch deleted file mode 100644 index c808f3d36a..0000000000 --- a/meta/recipes-extended/unzip/unzip/CVE-2019-13232.patch +++ /dev/null @@ -1,339 +0,0 @@ -From: Mark Adler -Subject: Detect and reject a zip bomb using overlapped entries. -Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c -Bug-Debian: https://bugs.debian.org/931433 -X-Debian-version: 6.0-24 - - Detect and reject a zip bomb using overlapped entries. - - This detects an invalid zip file that has at least one entry that - overlaps with another entry or with the central directory to the - end of the file. A Fifield zip bomb uses overlapped local entries - to vastly increase the potential inflation ratio. Such an invalid - zip file is rejected. - - See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's - analysis, construction, and examples of such zip bombs. - - The detection maintains a list of covered spans of the zip files - so far, where the central directory to the end of the file and any - bytes preceding the first entry at zip file offset zero are - considered covered initially. Then as each entry is decompressed - or tested, it is considered covered. When a new entry is about to - be processed, its initial offset is checked to see if it is - contained by a covered span. If so, the zip file is rejected as - invalid. - - This commit depends on a preceding commit: "Fix bug in - undefer_input() that misplaced the input state." - -Upstream-Status: Pending [Patch taken from debian] -CVE: CVE-2019-13232 -Signed-off-by: Anuj Mittal - ---- a/extract.c -+++ b/extract.c -@@ -321,6 +321,125 @@ - "\nerror: unsupported extra-field compression type (%u)--skipping\n"; - static ZCONST char Far BadExtraFieldCRC[] = - "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; -+static ZCONST char Far NotEnoughMemCover[] = -+ "error: not enough memory for bomb detection\n"; -+static ZCONST char Far OverlappedComponents[] = -+ "error: invalid zip file with overlapped components (possible zip bomb)\n"; -+ -+ -+ -+ -+ -+/* A growable list of spans. */ -+typedef zoff_t bound_t; -+typedef struct { -+ bound_t beg; /* start of the span */ -+ bound_t end; /* one past the end of the span */ -+} span_t; -+typedef struct { -+ span_t *span; /* allocated, distinct, and sorted list of spans */ -+ size_t num; /* number of spans in the list */ -+ size_t max; /* allocated number of spans (num <= max) */ -+} cover_t; -+ -+/* -+ * Return the index of the first span in cover whose beg is greater than val. -+ * If there is no such span, then cover->num is returned. -+ */ -+static size_t cover_find(cover, val) -+ cover_t *cover; -+ bound_t val; -+{ -+ size_t lo = 0, hi = cover->num; -+ while (lo < hi) { -+ size_t mid = (lo + hi) >> 1; -+ if (val < cover->span[mid].beg) -+ hi = mid; -+ else -+ lo = mid + 1; -+ } -+ return hi; -+} -+ -+/* Return true if val lies within any one of the spans in cover. */ -+static int cover_within(cover, val) -+ cover_t *cover; -+ bound_t val; -+{ -+ size_t pos = cover_find(cover, val); -+ return pos > 0 && val < cover->span[pos - 1].end; -+} -+ -+/* -+ * Add a new span to the list, but only if the new span does not overlap any -+ * spans already in the list. The new span covers the values beg..end-1. beg -+ * must be less than end. -+ * -+ * Keep the list sorted and merge adjacent spans. Grow the allocated space for -+ * the list as needed. On success, 0 is returned. If the new span overlaps any -+ * existing spans, then 1 is returned and the new span is not added to the -+ * list. If the new span is invalid because beg is greater than or equal to -+ * end, then -1 is returned. If the list needs to be grown but the memory -+ * allocation fails, then -2 is returned. -+ */ -+static int cover_add(cover, beg, end) -+ cover_t *cover; -+ bound_t beg; -+ bound_t end; -+{ -+ size_t pos; -+ int prec, foll; -+ -+ if (beg >= end) -+ /* The new span is invalid. */ -+ return -1; -+ -+ /* Find where the new span should go, and make sure that it does not -+ overlap with any existing spans. */ -+ pos = cover_find(cover, beg); -+ if ((pos > 0 && beg < cover->span[pos - 1].end) || -+ (pos < cover->num && end > cover->span[pos].beg)) -+ return 1; -+ -+ /* Check for adjacencies. */ -+ prec = pos > 0 && beg == cover->span[pos - 1].end; -+ foll = pos < cover->num && end == cover->span[pos].beg; -+ if (prec && foll) { -+ /* The new span connects the preceding and following spans. Merge the -+ following span into the preceding span, and delete the following -+ span. */ -+ cover->span[pos - 1].end = cover->span[pos].end; -+ cover->num--; -+ memmove(cover->span + pos, cover->span + pos + 1, -+ (cover->num - pos) * sizeof(span_t)); -+ } -+ else if (prec) -+ /* The new span is adjacent only to the preceding span. Extend the end -+ of the preceding span. */ -+ cover->span[pos - 1].end = end; -+ else if (foll) -+ /* The new span is adjacent only to the following span. Extend the -+ beginning of the following span. */ -+ cover->span[pos].beg = beg; -+ else { -+ /* The new span has gaps between both the preceding and the following -+ spans. Assure that there is room and insert the span. */ -+ if (cover->num == cover->max) { -+ size_t max = cover->max == 0 ? 16 : cover->max << 1; -+ span_t *span = realloc(cover->span, max * sizeof(span_t)); -+ if (span == NULL) -+ return -2; -+ cover->span = span; -+ cover->max = max; -+ } -+ memmove(cover->span + pos + 1, cover->span + pos, -+ (cover->num - pos) * sizeof(span_t)); -+ cover->num++; -+ cover->span[pos].beg = beg; -+ cover->span[pos].end = end; -+ } -+ return 0; -+} - - - -@@ -376,6 +495,29 @@ - } - #endif /* !SFX || SFX_EXDIR */ - -+ /* One more: initialize cover structure for bomb detection. Start with a -+ span that covers the central directory though the end of the file. */ -+ if (G.cover == NULL) { -+ G.cover = malloc(sizeof(cover_t)); -+ if (G.cover == NULL) { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString(NotEnoughMemCover))); -+ return PK_MEM; -+ } -+ ((cover_t *)G.cover)->span = NULL; -+ ((cover_t *)G.cover)->max = 0; -+ } -+ ((cover_t *)G.cover)->num = 0; -+ if ((G.extra_bytes != 0 && -+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || -+ cover_add((cover_t *)G.cover, -+ G.extra_bytes + G.ecrec.offset_start_central_directory, -+ G.ziplen) != 0) { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString(NotEnoughMemCover))); -+ return PK_MEM; -+ } -+ - /*--------------------------------------------------------------------------- - The basic idea of this function is as follows. Since the central di- - rectory lies at the end of the zipfile and the member files lie at the -@@ -593,7 +735,8 @@ - if (error > error_in_archive) - error_in_archive = error; - /* ...and keep going (unless disk full or user break) */ -- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { -+ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || -+ error == PK_BOMB) { - /* clear reached_end to signal premature stop ... */ - reached_end = FALSE; - /* ... and cancel scanning the central directory */ -@@ -1062,6 +1205,11 @@ - - /* seek_zipf(__G__ pInfo->offset); */ - request = G.pInfo->offset + G.extra_bytes; -+ if (cover_within((cover_t *)G.cover, request)) { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString(OverlappedComponents))); -+ return PK_BOMB; -+ } - inbuf_offset = request % INBUFSIZ; - bufstart = request - inbuf_offset; - -@@ -1602,6 +1750,18 @@ - return IZ_CTRLC; /* cancel operation by user request */ - } - #endif -+ error = cover_add((cover_t *)G.cover, request, -+ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); -+ if (error < 0) { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString(NotEnoughMemCover))); -+ return PK_MEM; -+ } -+ if (error != 0) { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString(OverlappedComponents))); -+ return PK_BOMB; -+ } - #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ - UserStop(); - #endif -@@ -2003,6 +2163,34 @@ - } - - undefer_input(__G); -+ -+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { -+ /* skip over data descriptor (harder than it sounds, due to signature -+ * ambiguity) -+ */ -+# define SIG 0x08074b50 -+# define LOW 0xffffffff -+ uch buf[12]; -+ unsigned shy = 12 - readbuf((char *)buf, 12); -+ ulg crc = shy ? 0 : makelong(buf); -+ ulg clen = shy ? 0 : makelong(buf + 4); -+ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ -+ if (crc == SIG && /* if not SIG, no signature */ -+ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ -+ (clen == SIG && /* if not SIG, no signature */ -+ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ -+ (ulen == SIG && /* if not SIG, no signature */ -+ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG -+ /* if not SIG, have signature */ -+ ))))) -+ /* skip four more bytes to account for signature */ -+ shy += 4 - readbuf((char *)buf, 4); -+ if (G.zip64) -+ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ -+ if (shy) -+ error = PK_ERR; -+ } -+ - return error; - - } /* end function extract_or_test_member() */ ---- a/globals.c -+++ b/globals.c -@@ -181,6 +181,7 @@ - # if (!defined(NO_TIMESTAMPS)) - uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ - # endif -+ G.cover = NULL; /* not allocated yet */ - #endif - - uO.lflag=(-1); ---- a/globals.h -+++ b/globals.h -@@ -260,12 +260,15 @@ - ecdir_rec ecrec; /* used in unzip.c, extract.c */ - z_stat statbuf; /* used by main, mapname, check_for_newer */ - -+ int zip64; /* true if Zip64 info in extra field */ -+ - int mem_mode; - uch *outbufptr; /* extract.c static */ - ulg outsize; /* extract.c static */ - int reported_backslash; /* extract.c static */ - int disk_full; - int newfile; -+ void **cover; /* used in extract.c for bomb detection */ - - int didCRlast; /* fileio static */ - ulg numlines; /* fileio static: number of lines printed */ ---- a/process.c -+++ b/process.c -@@ -637,6 +637,13 @@ - } - #endif - -+ /* Free the cover span list and the cover structure. */ -+ if (G.cover != NULL) { -+ free(*(G.cover)); -+ free(G.cover); -+ G.cover = NULL; -+ } -+ - } /* end function free_G_buffers() */ - - -@@ -1913,6 +1920,8 @@ - #define Z64FLGS 0xffff - #define Z64FLGL 0xffffffff - -+ G.zip64 = FALSE; -+ - if (ef_len == 0 || ef_buf == NULL) - return PK_COOL; - -@@ -2084,6 +2093,8 @@ - (ZCONST char *)(offset + ef_buf), ULen); - G.unipath_filename[ULen] = '\0'; - } -+ -+ G.zip64 = TRUE; - } - - /* Skip this extra field block */ ---- a/unzip.h -+++ b/unzip.h -@@ -645,6 +645,7 @@ - #define PK_NOZIP 9 /* zipfile not found */ - #define PK_PARAM 10 /* bad or illegal parameters specified */ - #define PK_FIND 11 /* no files found */ -+#define PK_BOMB 12 /* likely zip bomb */ - #define PK_DISK 50 /* disk full */ - #define PK_EOF 51 /* unexpected EOF */ - diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 1d18526ce2..daba722722 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -22,7 +22,6 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://symlink.patch \ file://0001-unzip-fix-CVE-2018-1000035.patch \ file://CVE-2018-18384.patch \ - file://CVE-2019-13232.patch \ " UPSTREAM_VERSION_UNKNOWN = "1"