Your message dated Thu, 29 Jan 2015 18:03:40 +0000
with message-id <[email protected]>
and subject line Bug#776589: fixed in unzip 6.0-15
has caused the Debian Bug report #776589,
regarding unzip: CVE-2014-9636 heap overflow via mismatched block sizes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
776589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776589
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unzip
Version: 6.0-13
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu vivid ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: heap overflow via mismatched block sizes
- debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
uncompressed block sizes match when using STORED method in extract.c.
- CVE-2014-9636
Thanks for considering the patch.
-- System Information:
Debian Release: jessie/sid
APT prefers utopic-updates
APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500,
'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
diff -Nru unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb
--- unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 1969-12-31 19:00:00.000000000 -0500
+++ unzip-6.0/debian/patches/12-cve-2014-9636-test-compr-eb 2015-01-29 11:15:34.000000000 -0500
@@ -0,0 +1,43 @@
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: unzip-6.0/extract.c
+===================================================================
+--- unzip-6.0.orig/extract.c 2015-01-29 11:15:31.118569464 -0500
++++ unzip-6.0/extract.c 2015-01-29 11:15:31.114569431 -0500
+@@ -2230,6 +2230,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2246,6 +2247,12 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
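Review bot: the new equality `eb_size - compr_offset != eb_ucsize` does not account for the compressed-data header, while the truncation test two lines above it sizes that header as `compr_offset + EB_CMPRHEADLEN`; if the STORED bytes copied into the eb_ucsize buffer are the data after that header, the comparison should be `eb_size - (compr_offset + EB_CMPRHEADLEN) != eb_ucsize`, otherwise a well-formed STORED field whose payload exactly fills eb_ucsize is rejected with PK_ERR while the intended rejection still holds only by a 6-byte margin. Reading `method` at `eb + (EB_HEADSIZE + compr_offset)` is in bounds here, because the preceding check already returns IZ_EF_TRUNC when `eb_size <= compr_offset + EB_CMPRHEADLEN`.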
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series 2014-12-25 07:37:44.000000000 -0500
+++ unzip-6.0/debian/patches/series 2015-01-29 11:25:49.000000000 -0500
@@ -9,4 +9,5 @@
09-cve-2014-8139-crc-overflow
10-cve-2014-8140-test-compr-eb
11-cve-2014-8141-getzip64data
+12-cve-2014-9636-test-compr-eb
20-unzip60-alt-iconv-utf8
--- End Message ---
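The size check described in this report, as an added example that is not code from the bug report or from unzip: a small C model of the extra-field layout using the EB_HEADSIZE, EB_UCSIZE_P and EB_CMPRHEADLEN values from unzip.h, with a constructed sample field; check_stored_eb, demo and the sample bytes are ours. It compares the STORED payload length (after the 6-byte method+crc header) with the declared uncompressed size, so an oversized payload is rejected before anything is copied into a buffer of that size.

```c
#include <stddef.h>
#include <stdint.h>

#define EB_HEADSIZE    4   /* extra-field block header: id(2) + len(2) */
#define EB_UCSIZE_P    0   /* offset of uncompressed size in block data */
#define EB_CMPRHEADLEN 6   /* compressed-data header: method(2) + crc(4) */
#define STORED         0   /* zip method id for "no compression" */

enum { EB_OK = 0, EB_TRUNC = 1, EB_SIZE_MISMATCH = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* eb points at the block header, eb_size is the data length after it and
 * compr_offset is where method+crc+payload begin inside that data.
 * Truncation test first, then the STORED equality test, with the header
 * subtracted so the compared length is exactly what a STORED copy writes. */
int check_stored_eb(const uint8_t *eb, size_t eb_size, size_t compr_offset,
                    const uint8_t **payload, size_t *ucsize)
{
    *payload = NULL; *ucsize = 0;
    if (compr_offset < 4)                          /* field not compressed */
        return EB_OK;
    if (eb_size < EB_UCSIZE_P + 4)
        return EB_TRUNC;
    size_t uc = rd32(eb + EB_HEADSIZE + EB_UCSIZE_P);
    if (uc == 0 || eb_size <= compr_offset + EB_CMPRHEADLEN)
        return EB_TRUNC;                           /* no/bad compressed data */
    const uint8_t *cd = eb + EB_HEADSIZE + compr_offset;
    if (rd16(cd) == STORED) {
        size_t stored_len = eb_size - compr_offset - EB_CMPRHEADLEN;
        if (stored_len != uc)          /* would overrun a malloc(uc) buffer */
            return EB_SIZE_MISMATCH;
    }
    *payload = cd + EB_CMPRHEADLEN;
    *ucsize = uc;
    return EB_OK;
}

/* Constructed sample (ours): id 0x0001, 15 data bytes = ucsize(4) +
 * method(2) + crc(4, zero here) + 5-byte payload; compr_offset = 4. */
static uint8_t sample[] = { 0x01,0x00, 15,0,  5,0,0,0,  0,0,  0,0,0,0,
                            'h','e','l','l','o' };

int demo(uint32_t declared_ucsize)            /* vary the declared size */
{
    const uint8_t *p; size_t n;
    sample[EB_HEADSIZE + EB_UCSIZE_P] = (uint8_t)declared_ucsize;
    return check_stored_eb(sample, 15, 4, &p, &n);
}
```

demo(5) accepts the field; demo(2) is the shape from the report (payload larger than the declared uncompressed size) and is rejected before any copy.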
--- Begin Message ---
Source: unzip
Source-Version: 6.0-15
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 29 Jan 2015 18:39:52 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-15
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Description:
unzip - De-archiver for .zip files
Closes: 776589
Changes:
unzip (6.0-15) unstable; urgency=medium
.
* Fix heap overflow. Ensure that compressed and uncompressed
block sizes match when using STORED method in extract.c.
Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
For reference, this is CVE-2014-9636.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---