unzip: fix for CVE-2018-18384

Submitted by changqing.li@windriver.com on Nov. 2, 2018, 6:08 a.m. | Patch ID: 156047

Details

Message ID 1541138937-68270-1-git-send-email-changqing.li@windriver.com
State Master Next
Commit 2ddb3b25ed063b47d3fe2b3e9e17b7f9d0e2a7e5
Headers show

Commit Message

changqing.li@windriver.com Nov. 2, 2018, 6:08 a.m.
From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../unzip/unzip/CVE-2018-18384.patch               | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch

Patch hide | download patch | download mbox

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch b/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
new file mode 100644
index 0000000..cc9e2c1
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
@@ -0,0 +1,39 @@ 
+Upstream-Status: Backport [https://sourceforge.net/p/infozip/bugs/53/]
+CVE: CVE-2018-18384
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+--- unzip60/list.c	
++++ unzip60/list.c	
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
+@@ -389,9 +389,9 @@ int list_files(__G)    /* return PK-type
+             }
+ #else /* !WINDLL */
+             if (cfactor == 100)
+-                sprintf(cfactorstr, LoadFarString(CompFactor100));
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+             else
+-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+             if (longhdr)
+                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
+                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,
+@@ -471,9 +471,9 @@ int list_files(__G)    /* return PK-type
+ 
+ #else /* !WINDLL */
+         if (cfactor == 100)
+-            sprintf(cfactorstr, LoadFarString(CompFactor100));
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+         else
+-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+         if (longhdr) {
+             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
+               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),

Comments

Armin Kuster Nov. 9, 2018, 4:08 p.m.
On 11/1/18 11:08 PM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  .../unzip/unzip/CVE-2018-18384.patch               | 39 ++++++++++++++++++++++


Change missing update to bb file

- armin

>  1 file changed, 39 insertions(+)
>  create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
>
> diff --git a/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch b/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
> new file mode 100644
> index 0000000..cc9e2c1
> --- /dev/null
> +++ b/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
> @@ -0,0 +1,39 @@
> +Upstream-Status: Backport [https://sourceforge.net/p/infozip/bugs/53/]
> +CVE: CVE-2018-18384
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +
> +--- unzip60/list.c	
> ++++ unzip60/list.c	
> +@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
> + {
> +     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
> + #ifndef WINDLL
> +-    char sgn, cfactorstr[10];
> ++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */
> +     int longhdr=(uO.vflag>1);
> + #endif
> +     int date_format;
> +@@ -389,9 +389,9 @@ int list_files(__G)    /* return PK-type
> +             }
> + #else /* !WINDLL */
> +             if (cfactor == 100)
> +-                sprintf(cfactorstr, LoadFarString(CompFactor100));
> ++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
> +             else
> +-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
> ++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
> +             if (longhdr)
> +                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
> +                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,
> +@@ -471,9 +471,9 @@ int list_files(__G)    /* return PK-type
> + 
> + #else /* !WINDLL */
> +         if (cfactor == 100)
> +-            sprintf(cfactorstr, LoadFarString(CompFactor100));
> ++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
> +         else
> +-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
> ++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
> +         if (longhdr) {
> +             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
> +               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),