[OE-core] [oe-core][thud][PATCH v3] unzip: fix CVE-2019-13232
Mittal, Anuj
anuj.mittal at intel.com
Wed Sep 25 23:47:05 UTC 2019
This applies as-is to master and warrior too since the versions there
are same. Can this be merged there too please since those branches are
also affected?
Thanks,
Anuj
On Wed, 2019-09-25 at 23:30 +0000, msft.dantran at gmail.com wrote:
> From: Dan Tran <dantran at microsoft.com>
>
> Signed-off-by: Dan Tran <dantran at microsoft.com>
> ---
> .../unzip/unzip/CVE-2019-13232_p1.patch | 33 ++
> .../unzip/unzip/CVE-2019-13232_p2.patch | 356
> ++++++++++++++++++
> .../unzip/unzip/CVE-2019-13232_p3.patch | 121 ++++++
> meta/recipes-extended/unzip/unzip_6.0.bb | 3 +
> 4 files changed, 513 insertions(+)
> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p1.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p2.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p3.patch
>
> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p1.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p1.patch
> new file mode 100644
> index 0000000000..d485a1bd6e
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
> @@ -0,0 +1,33 @@
> +From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00
> 2001
> +From: Mark Adler <madler at alumni.caltech.edu>
> +Date: Mon, 27 May 2019 08:20:32 -0700
> +Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the
> input
> + state.
> +
> +CVE: CVE-2019-13232
> +Upstream-Status: Backport
> +[
> https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
> ]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + fileio.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/fileio.c b/fileio.c
> +index 7605a29..14460f3 100644
> +--- a/fileio.c
> ++++ b/fileio.c
> +@@ -532,8 +532,10 @@ void undefer_input(__G)
> + * This condition was checked when G.incnt_leftover was set
> > 0 in
> + * defer_leftover_input(), and it is NOT allowed to touch
> G.csize
> + * before calling undefer_input() when (G.incnt_leftover >
> 0)
> +- * (single exception: see read_byte()'s "G.csize <= 0"
> handling) !!
> ++ * (single exception: see readbyte()'s "G.csize <= 0"
> handling) !!
> + */
> ++ if (G.csize < 0L)
> ++ G.csize = 0L;
> + G.incnt = G.incnt_leftover + (int)G.csize;
> + G.inptr = G.inptr_leftover - (int)G.csize;
> + G.incnt_leftover = 0;
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p2.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p2.patch
> new file mode 100644
> index 0000000000..41037a8e24
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
> @@ -0,0 +1,356 @@
> +From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00
> 2001
> +From: Mark Adler <madler at alumni.caltech.edu>
> +Date: Tue, 11 Jun 2019 22:01:18 -0700
> +Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped
> entries.
> +
> +This detects an invalid zip file that has at least one entry that
> +overlaps with another entry or with the central directory to the
> +end of the file. A Fifield zip bomb uses overlapped local entries
> +to vastly increase the potential inflation ratio. Such an invalid
> +zip file is rejected.
> +
> +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
> +analysis, construction, and examples of such zip bombs.
> +
> +The detection maintains a list of covered spans of the zip files
> +so far, where the central directory to the end of the file and any
> +bytes preceding the first entry at zip file offset zero are
> +considered covered initially. Then as each entry is decompressed
> +or tested, it is considered covered. When a new entry is about to
> +be processed, its initial offset is checked to see if it is
> +contained by a covered span. If so, the zip file is rejected as
> +invalid.
> +
> +This commit depends on a preceding commit: "Fix bug in
> +undefer_input() that misplaced the input state."
> +
> +CVE: CVE-2019-13232
> +Upstream-Status: Backport
> +[
> https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
> ]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + extract.c | 190
> +++++++++++++++++++++++++++++++++++++++++++++++++++++-
> + globals.c | 1 +
> + globals.h | 3 +
> + process.c | 10 +++
> + unzip.h | 1 +
> + 5 files changed, 204 insertions(+), 1 deletion(-)
> +
> +diff --git a/extract.c b/extract.c
> +index 24db2a8..2bb72ba 100644
> +--- a/extract.c
> ++++ b/extract.c
> +@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[]
> =
> + "\nerror: unsupported extra-field compression type (%u)
> --skipping\n";
> + static ZCONST char Far BadExtraFieldCRC[] =
> + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
> ++static ZCONST char Far NotEnoughMemCover[] =
> ++ "error: not enough memory for bomb detection\n";
> ++static ZCONST char Far OverlappedComponents[] =
> ++ "error: invalid zip file with overlapped components (possible zip
> bomb)\n";
> ++
> ++
> ++
> ++
> ++
> ++/* A growable list of spans. */
> ++typedef zoff_t bound_t;
> ++typedef struct {
> ++ bound_t beg; /* start of the span */
> ++ bound_t end; /* one past the end of the span */
> ++} span_t;
> ++typedef struct {
> ++ span_t *span; /* allocated, distinct, and sorted list of
> spans */
> ++ size_t num; /* number of spans in the list */
> ++ size_t max; /* allocated number of spans (num <= max)
> */
> ++} cover_t;
> ++
> ++/*
> ++ * Return the index of the first span in cover whose beg is greater
> than val.
> ++ * If there is no such span, then cover->num is returned.
> ++ */
> ++static size_t cover_find(cover, val)
> ++ cover_t *cover;
> ++ bound_t val;
> ++{
> ++ size_t lo = 0, hi = cover->num;
> ++ while (lo < hi) {
> ++ size_t mid = (lo + hi) >> 1;
> ++ if (val < cover->span[mid].beg)
> ++ hi = mid;
> ++ else
> ++ lo = mid + 1;
> ++ }
> ++ return hi;
> ++}
> ++
> ++/* Return true if val lies within any one of the spans in cover. */
> ++static int cover_within(cover, val)
> ++ cover_t *cover;
> ++ bound_t val;
> ++{
> ++ size_t pos = cover_find(cover, val);
> ++ return pos > 0 && val < cover->span[pos - 1].end;
> ++}
> ++
> ++/*
> ++ * Add a new span to the list, but only if the new span does not
> overlap any
> ++ * spans already in the list. The new span covers the values
> beg..end-1. beg
> ++ * must be less than end.
> ++ *
> ++ * Keep the list sorted and merge adjacent spans. Grow the
> allocated space for
> ++ * the list as needed. On success, 0 is returned. If the new span
> overlaps any
> ++ * existing spans, then 1 is returned and the new span is not added
> to the
> ++ * list. If the new span is invalid because beg is greater than or
> equal to
> ++ * end, then -1 is returned. If the list needs to be grown but the
> memory
> ++ * allocation fails, then -2 is returned.
> ++ */
> ++static int cover_add(cover, beg, end)
> ++ cover_t *cover;
> ++ bound_t beg;
> ++ bound_t end;
> ++{
> ++ size_t pos;
> ++ int prec, foll;
> ++
> ++ if (beg >= end)
> ++ /* The new span is invalid. */
> ++ return -1;
> ++
> ++ /* Find where the new span should go, and make sure that it
> does not
> ++ overlap with any existing spans. */
> ++ pos = cover_find(cover, beg);
> ++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
> ++ (pos < cover->num && end > cover->span[pos].beg))
> ++ return 1;
> ++
> ++ /* Check for adjacencies. */
> ++ prec = pos > 0 && beg == cover->span[pos - 1].end;
> ++ foll = pos < cover->num && end == cover->span[pos].beg;
> ++ if (prec && foll) {
> ++ /* The new span connects the preceding and following spans.
> Merge the
> ++ following span into the preceding span, and delete the
> following
> ++ span. */
> ++ cover->span[pos - 1].end = cover->span[pos].end;
> ++ cover->num--;
> ++ memmove(cover->span + pos, cover->span + pos + 1,
> ++ (cover->num - pos) * sizeof(span_t));
> ++ }
> ++ else if (prec)
> ++ /* The new span is adjacent only to the preceding span.
> Extend the end
> ++ of the preceding span. */
> ++ cover->span[pos - 1].end = end;
> ++ else if (foll)
> ++ /* The new span is adjacent only to the following span.
> Extend the
> ++ beginning of the following span. */
> ++ cover->span[pos].beg = beg;
> ++ else {
> ++ /* The new span has gaps between both the preceding and the
> following
> ++ spans. Assure that there is room and insert the
> span. */
> ++ if (cover->num == cover->max) {
> ++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
> ++ span_t *span = realloc(cover->span, max *
> sizeof(span_t));
> ++ if (span == NULL)
> ++ return -2;
> ++ cover->span = span;
> ++ cover->max = max;
> ++ }
> ++ memmove(cover->span + pos + 1, cover->span + pos,
> ++ (cover->num - pos) * sizeof(span_t));
> ++ cover->num++;
> ++ cover->span[pos].beg = beg;
> ++ cover->span[pos].end = end;
> ++ }
> ++ return 0;
> ++}
> +
> +
> +
> +@@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-
> type error code */
> + }
> + #endif /* !SFX || SFX_EXDIR */
> +
> ++ /* One more: initialize cover structure for bomb detection.
> Start with a
> ++ span that covers the central directory though the end of the
> file. */
> ++ if (G.cover == NULL) {
> ++ G.cover = malloc(sizeof(cover_t));
> ++ if (G.cover == NULL) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(NotEnoughMemCover)));
> ++ return PK_MEM;
> ++ }
> ++ ((cover_t *)G.cover)->span = NULL;
> ++ ((cover_t *)G.cover)->max = 0;
> ++ }
> ++ ((cover_t *)G.cover)->num = 0;
> ++ if ((G.extra_bytes != 0 &&
> ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
> ++ cover_add((cover_t *)G.cover,
> ++ G.extra_bytes +
> G.ecrec.offset_start_central_directory,
> ++ G.ziplen) != 0) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(NotEnoughMemCover)));
> ++ return PK_MEM;
> ++ }
> ++
> + /*-----------------------------------------------------------------
> ----------
> + The basic idea of this function is as follows. Since the
> central di-
> + rectory lies at the end of the zipfile and the member files lie
> at the
> +@@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-
> type error code */
> + if (error > error_in_archive)
> + error_in_archive = error;
> + /* ...and keep going (unless disk full or user break)
> */
> +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
> ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
> ++ error == PK_BOMB) {
> + /* clear reached_end to signal premature stop ...
> */
> + reached_end = FALSE;
> + /* ... and cancel scanning the central directory */
> +@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__
> numchunk,
> +
> + /* seek_zipf(__G__ pInfo->offset); */
> + request = G.pInfo->offset + G.extra_bytes;
> ++ if (cover_within((cover_t *)G.cover, request)) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(OverlappedComponents)));
> ++ return PK_BOMB;
> ++ }
> + inbuf_offset = request % INBUFSIZ;
> + bufstart = request - inbuf_offset;
> +
> +@@ -1593,6 +1741,18 @@ reprompt:
> + return IZ_CTRLC; /* cancel operation by user
> request */
> + }
> + #endif
> ++ error = cover_add((cover_t *)G.cover, request,
> ++ G.cur_zipfile_bufstart + (G.inptr -
> G.inbuf));
> ++ if (error < 0) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(NotEnoughMemCover)));
> ++ return PK_MEM;
> ++ }
> ++ if (error != 0) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(OverlappedComponents)));
> ++ return PK_BOMB;
> ++ }
> + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-
> handling by hand */
> + UserStop();
> + #endif
> +@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /*
> return PK-type error code */
> + }
> +
> + undefer_input(__G);
> ++
> ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
> ++ /* skip over data descriptor (harder than it sounds, due to
> signature
> ++ * ambiguity)
> ++ */
> ++# define SIG 0x08074b50
> ++# define LOW 0xffffffff
> ++ uch buf[12];
> ++ unsigned shy = 12 - readbuf((char *)buf, 12);
> ++ ulg crc = shy ? 0 : makelong(buf);
> ++ ulg clen = shy ? 0 : makelong(buf + 4);
> ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if
> ZIP64 */
> ++ if (crc == SIG && /* if not SIG, no
> signature */
> ++ (G.lrec.crc32 != SIG || /* if not SIG, have
> signature */
> ++ (clen == SIG && /* if not SIG, no
> signature */
> ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have
> signature */
> ++ (ulen == SIG && /* if not SIG, no
> signature */
> ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) !=
> SIG
> ++ /* if not SIG, have
> signature */
> ++ )))))
> ++ /* skip four more bytes to account for signature
> */
> ++ shy += 4 - readbuf((char *)buf, 4);
> ++ if (G.zip64)
> ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more
> for ZIP64 */
> ++ if (shy)
> ++ error = PK_ERR;
> ++ }
> ++
> + return error;
> +
> + } /* end function extract_or_test_member() */
> +diff --git a/globals.c b/globals.c
> +index fa8cca5..1e0f608 100644
> +--- a/globals.c
> ++++ b/globals.c
> +@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
> + # if (!defined(NO_TIMESTAMPS))
> + uO.D_flag=1; /* default to '-D', no restoration of dir
> timestamps */
> + # endif
> ++ G.cover = NULL; /* not allocated yet */
> + #endif
> +
> + uO.lflag=(-1);
> +diff --git a/globals.h b/globals.h
> +index 11b7215..2bdcdeb 100644
> +--- a/globals.h
> ++++ b/globals.h
> +@@ -260,12 +260,15 @@ typedef struct Globals {
> + ecdir_rec ecrec; /* used in unzip.c, extract.c */
> + z_stat statbuf; /* used by main, mapname,
> check_for_newer */
> +
> ++ int zip64; /* true if Zip64 info in extra
> field */
> ++
> + int mem_mode;
> + uch *outbufptr; /* extract.c static */
> + ulg outsize; /* extract.c static */
> + int reported_backslash; /* extract.c static */
> + int disk_full;
> + int newfile;
> ++ void **cover; /* used in extract.c for bomb
> detection */
> +
> + int didCRlast; /* fileio static */
> + ulg numlines; /* fileio static: number of
> lines printed */
> +diff --git a/process.c b/process.c
> +index a3c1a4d..208619c 100644
> +--- a/process.c
> ++++ b/process.c
> +@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all
> memory allocated in global vars */
> + }
> + #endif
> +
> ++ /* Free the cover span list and the cover structure. */
> ++ if (G.cover != NULL) {
> ++ free(*(G.cover));
> ++ free(G.cover);
> ++ G.cover = NULL;
> ++ }
> ++
> + } /* end function free_G_buffers() */
> +
> +
> +@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
> +
> + #define Z64FLGS 0xffff
> + #define Z64FLGL 0xffffffff
> ++ G.zip64 = FALSE;
> +
> + if (ef_len == 0 || ef_buf == NULL)
> + return PK_COOL;
> +@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
> + G.crec.disk_number_start = (zuvl_t)makelong(offset +
> ef_buf);
> + offset += 4;
> + }
> ++
> ++ G.zip64 = TRUE;
> + #if 0
> + break; /* Expect only one EF_PKSZ64 block.
> */
> + #endif /* 0 */
> +diff --git a/unzip.h b/unzip.h
> +index 5b2a326..ed24a5b 100644
> +--- a/unzip.h
> ++++ b/unzip.h
> +@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
> + #define PK_NOZIP 9 /* zipfile not found */
> + #define PK_PARAM 10 /* bad or illegal parameters
> specified */
> + #define PK_FIND 11 /* no files found */
> ++#define PK_BOMB 12 /* likely zip bomb */
> + #define PK_DISK 50 /* disk full */
> + #define PK_EOF 51 /* unexpected EOF */
> +
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p3.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-
> 13232_p3.patch
> new file mode 100644
> index 0000000000..fd26fdd833
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
> @@ -0,0 +1,121 @@
> +From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00
> 2001
> +From: Mark Adler <madler at alumni.caltech.edu>
> +Date: Thu, 25 Jul 2019 20:43:17 -0700
> +Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced
> central
> + directory.
> +
> +There is a zip-like file in the Firefox distribution, omni.ja,
> +which is a zip container with the central directory placed at the
> +start of the file instead of after the local entries as required
> +by the zip standard. This commit marks the actual location of the
> +central directory, as well as the end of central directory records,
> +as disallowed locations. This now permits such containers to not
> +raise a zip bomb alert, where in fact there are no overlaps.
> +
> +CVE: CVE-2019-13232
> +Upstream-Status: Backport
> +[
> https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
> ]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + extract.c | 25 +++++++++++++++++++------
> + process.c | 6 ++++++
> + unzpriv.h | 10 ++++++++++
> + 3 files changed, 35 insertions(+), 6 deletions(-)
> +
> +diff --git a/extract.c b/extract.c
> +index 2bb72ba..a9dcca8 100644
> +--- a/extract.c
> ++++ b/extract.c
> +@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-
> type error code */
> + }
> + #endif /* !SFX || SFX_EXDIR */
> +
> +- /* One more: initialize cover structure for bomb detection.
> Start with a
> +- span that covers the central directory though the end of the
> file. */
> ++ /* One more: initialize cover structure for bomb detection.
> Start with
> ++ spans that cover any extra bytes at the start, the central
> directory,
> ++ the end of central directory record (including the Zip64 end
> of central
> ++ directory locator, if present), and the Zip64 end of central
> directory
> ++ record, if present. */
> + if (G.cover == NULL) {
> + G.cover = malloc(sizeof(cover_t));
> + if (G.cover == NULL) {
> +@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return
> PK-type error code */
> + ((cover_t *)G.cover)->max = 0;
> + }
> + ((cover_t *)G.cover)->num = 0;
> +- if ((G.extra_bytes != 0 &&
> +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
> +- cover_add((cover_t *)G.cover,
> ++ if (cover_add((cover_t *)G.cover,
> + G.extra_bytes +
> G.ecrec.offset_start_central_directory,
> +- G.ziplen) != 0) {
> ++ G.extra_bytes +
> G.ecrec.offset_start_central_directory +
> ++ G.ecrec.size_central_directory) != 0) {
> + Info(slide, 0x401, ((char *)slide,
> + LoadFarString(NotEnoughMemCover)));
> + return PK_MEM;
> + }
> ++ if ((G.extra_bytes != 0 &&
> ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
> ++ (G.ecrec.have_ecr64 &&
> ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
> ++ G.ecrec.ec64_end) != 0) ||
> ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
> ++ G.ecrec.ec_end) != 0) {
> ++ Info(slide, 0x401, ((char *)slide,
> ++ LoadFarString(OverlappedComponents)));
> ++ return PK_BOMB;
> ++ }
> +
> + /*-----------------------------------------------------------------
> ----------
> + The basic idea of this function is as follows. Since the
> central di-
> +diff --git a/process.c b/process.c
> +index 208619c..5f8f6c6 100644
> +--- a/process.c
> ++++ b/process.c
> +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__
> searchlen) /* return PK-class error */
> +
> + /* Now, we are (almost) sure that we have a Zip64 archive. */
> + G.ecrec.have_ecr64 = 1;
> ++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
> ++ G.ecrec.ec64_start = ecrec64_start_offset;
> ++ G.ecrec.ec64_end = ecrec64_start_offset +
> ++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
> +
> + /* Update the "end-of-central-dir offset" for later checks. */
> + G.real_ecrec_offset = ecrec64_start_offset;
> +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__
> searchlen) /* return PK-class error */
> + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
> + G.ecrec.zipfile_comment_length =
> + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
> ++ G.ecrec.ec_start = G.real_ecrec_offset;
> ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 +
> G.ecrec.zipfile_comment_length;
> +
> + /* Now, we have to read the archive comment, BEFORE the file
> pointer
> + is moved away backwards to seek for a Zip64 ECLOC64
> structure.
> +diff --git a/unzpriv.h b/unzpriv.h
> +index c8d3eab..5e177c7 100644
> +--- a/unzpriv.h
> ++++ b/unzpriv.h
> +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
> + int have_ecr64; /* valid Zip64 ecdir-record
> exists */
> + int is_zip64_archive; /* Zip64 ecdir-record is
> mandatory */
> + ush zipfile_comment_length;
> ++ zusz_t ec_start, ec_end; /* offsets of start and end
> of the
> ++ end of central directory
> record,
> ++ including if present the
> Zip64
> ++ end of central directory
> locator,
> ++ which immediately
> precedes the
> ++ end of central directory
> record */
> ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true,
> then these
> ++ are the offsets of the
> start and
> ++ end of the Zip64 end of
> central
> ++ directory record */
> + } ecdir_rec;
> +
> +
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> +
> diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-
> extended/unzip/unzip_6.0.bb
> index daba722722..464d73d0f3 100644
> --- a/meta/recipes-extended/unzip/unzip_6.0.bb
> +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
> @@ -22,6 +22,9 @@ SRC_URI =
> "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0
> /
> file://symlink.patch \
> file://0001-unzip-fix-CVE-2018-1000035.patch \
> file://CVE-2018-18384.patch \
> + file://CVE-2019-13232_p1.patch \
> + file://CVE-2019-13232_p2.patch \
> + file://CVE-2019-13232_p3.patch \
> "
> UPSTREAM_VERSION_UNKNOWN = "1"
>
> --
> 2.17.1
>
More information about the Openembedded-core
mailing list