Package: release.debian.org Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hello. I've just uploaded this to fix CVE-2019-13232 by applying the three available patches from Mark Adler, plus a trivial one-liner in fileio.c which is also fixed in buster and sid. Debdiff below. Thanks. diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog --- unzip-6.0/debian/changelog 2019-04-17 21:23:40.000000000 +0200 +++ unzip-6.0/debian/changelog 2019-08-05 18:10:06.000000000 +0200 @@ -1,3 +1,15 @@ +unzip (6.0-21+deb9u2) stretch; urgency=medium + + * Fix incorrect parsing of 64-bit values in fileio.c. Closes: #929502. + * Apply three patches by Mark Adler to fix CVE-2019-13232. + - Fix bug in undefer_input() that misplaced the input state. + - Detect and reject a zip bomb using overlapped entries. + Bug discovered by David Fifield. Closes: #931433. + - Do not raise a zip bomb alert for a misplaced central directory. + Reported by Peter Green. Closes: #932404. + + -- Santiago Vila <sanv...@debian.org> Mon, 05 Aug 2019 18:10:06 +0200 + unzip (6.0-21+deb9u1) stretch; urgency=medium * Fix buffer overflow in password protected ZIP archives. Closes: #889838. diff -Nru unzip-6.0/debian/patches/21-fix-warning-messages-on-big-files.patch unzip-6.0/debian/patches/21-fix-warning-messages-on-big-files.patch --- unzip-6.0/debian/patches/21-fix-warning-messages-on-big-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ unzip-6.0/debian/patches/21-fix-warning-messages-on-big-files.patch 2019-08-05 17:21:00.000000000 +0200 @@ -0,0 +1,15 @@ +From: "Steven M. Schweda" <s...@antinode.info> +Subject: Fix lame code in fileio.c +Bug-Debian: https://bugs.debian.org/929502 +X-Debian-version: 6.0-23 + +--- a/fileio.c ++++ b/fileio.c +@@ -2477,6 +2477,7 @@ + */ + return (((zusz_t)sig[7]) << 56) + + (((zusz_t)sig[6]) << 48) ++ + (((zusz_t)sig[5]) << 40) + + (((zusz_t)sig[4]) << 32) + + (zusz_t)((((ulg)sig[3]) << 24) + + (((ulg)sig[2]) << 16) diff -Nru unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch --- unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 1970-01-01 01:00:00.000000000 +0100 +++ unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 2019-08-05 17:22:00.000000000 +0200 @@ -0,0 +1,22 @@ +From: Mark Adler <mad...@alumni.caltech.edu> +Subject: Fix bug in undefer_input() that misplaced the input state. +Origin: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213 +Bug-Debian: https://bugs.debian.org/931433 +X-Debian-version: 6.0-24 + + Fix bug in undefer_input() that misplaced the input state. + +--- a/fileio.c ++++ b/fileio.c +@@ -532,8 +532,10 @@ + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; diff -Nru unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch --- unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 1970-01-01 01:00:00.000000000 +0100 +++ unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 2019-08-05 17:23:00.000000000 +0200 @@ -0,0 +1,335 @@ +From: Mark Adler <mad...@alumni.caltech.edu> +Subject: Detect and reject a zip bomb using overlapped entries. +Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c +Bug-Debian: https://bugs.debian.org/931433 +X-Debian-version: 6.0-24 + + Detect and reject a zip bomb using overlapped entries. + + This detects an invalid zip file that has at least one entry that + overlaps with another entry or with the central directory to the + end of the file. A Fifield zip bomb uses overlapped local entries + to vastly increase the potential inflation ratio. Such an invalid + zip file is rejected. + + See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's + analysis, construction, and examples of such zip bombs. + + The detection maintains a list of covered spans of the zip files + so far, where the central directory to the end of the file and any + bytes preceding the first entry at zip file offset zero are + considered covered initially. Then as each entry is decompressed + or tested, it is considered covered. When a new entry is about to + be processed, its initial offset is checked to see if it is + contained by a covered span. If so, the zip file is rejected as + invalid. + + This commit depends on a preceding commit: "Fix bug in + undefer_input() that misplaced the input state." + +--- a/extract.c ++++ b/extract.c +@@ -321,6 +321,125 @@ + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ ++ ++ ++ ++ ++/* A growable list of spans. */ ++typedef zoff_t bound_t; ++typedef struct { ++ bound_t beg; /* start of the span */ ++ bound_t end; /* one past the end of the span */ ++} span_t; ++typedef struct { ++ span_t *span; /* allocated, distinct, and sorted list of spans */ ++ size_t num; /* number of spans in the list */ ++ size_t max; /* allocated number of spans (num <= max) */ ++} cover_t; ++ ++/* ++ * Return the index of the first span in cover whose beg is greater than val. ++ * If there is no such span, then cover->num is returned. ++ */ ++static size_t cover_find(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t lo = 0, hi = cover->num; ++ while (lo < hi) { ++ size_t mid = (lo + hi) >> 1; ++ if (val < cover->span[mid].beg) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ return hi; ++} ++ ++/* Return true if val lies within any one of the spans in cover. */ ++static int cover_within(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t pos = cover_find(cover, val); ++ return pos > 0 && val < cover->span[pos - 1].end; ++} ++ ++/* ++ * Add a new span to the list, but only if the new span does not overlap any ++ * spans already in the list. The new span covers the values beg..end-1. beg ++ * must be less than end. ++ * ++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for ++ * the list as needed. On success, 0 is returned. If the new span overlaps any ++ * existing spans, then 1 is returned and the new span is not added to the ++ * list. If the new span is invalid because beg is greater than or equal to ++ * end, then -1 is returned. If the list needs to be grown but the memory ++ * allocation fails, then -2 is returned. ++ */ ++static int cover_add(cover, beg, end) ++ cover_t *cover; ++ bound_t beg; ++ bound_t end; ++{ ++ size_t pos; ++ int prec, foll; ++ ++ if (beg >= end) ++ /* The new span is invalid. */ ++ return -1; ++ ++ /* Find where the new span should go, and make sure that it does not ++ overlap with any existing spans. */ ++ pos = cover_find(cover, beg); ++ if ((pos > 0 && beg < cover->span[pos - 1].end) || ++ (pos < cover->num && end > cover->span[pos].beg)) ++ return 1; ++ ++ /* Check for adjacencies. */ ++ prec = pos > 0 && beg == cover->span[pos - 1].end; ++ foll = pos < cover->num && end == cover->span[pos].beg; ++ if (prec && foll) { ++ /* The new span connects the preceding and following spans. Merge the ++ following span into the preceding span, and delete the following ++ span. */ ++ cover->span[pos - 1].end = cover->span[pos].end; ++ cover->num--; ++ memmove(cover->span + pos, cover->span + pos + 1, ++ (cover->num - pos) * sizeof(span_t)); ++ } ++ else if (prec) ++ /* The new span is adjacent only to the preceding span. Extend the end ++ of the preceding span. */ ++ cover->span[pos - 1].end = end; ++ else if (foll) ++ /* The new span is adjacent only to the following span. Extend the ++ beginning of the following span. */ ++ cover->span[pos].beg = beg; ++ else { ++ /* The new span has gaps between both the preceding and the following ++ spans. Assure that there is room and insert the span. */ ++ if (cover->num == cover->max) { ++ size_t max = cover->max == 0 ? 16 : cover->max << 1; ++ span_t *span = realloc(cover->span, max * sizeof(span_t)); ++ if (span == NULL) ++ return -2; ++ cover->span = span; ++ cover->max = max; ++ } ++ memmove(cover->span + pos + 1, cover->span + pos, ++ (cover->num - pos) * sizeof(span_t)); ++ cover->num++; ++ cover->span[pos].beg = beg; ++ cover->span[pos].end = end; ++ } ++ return 0; ++} + + + +@@ -376,6 +495,29 @@ + } + #endif /* !SFX || SFX_EXDIR */ + ++ /* One more: initialize cover structure for bomb detection. Start with a ++ span that covers the central directory though the end of the file. */ ++ if (G.cover == NULL) { ++ G.cover = malloc(sizeof(cover_t)); ++ if (G.cover == NULL) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ ((cover_t *)G.cover)->span = NULL; ++ ((cover_t *)G.cover)->max = 0; ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.ziplen) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- + rectory lies at the end of the zipfile and the member files lie at the +@@ -593,7 +735,8 @@ + if (error > error_in_archive) + error_in_archive = error; + /* ...and keep going (unless disk full or user break) */ +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || ++ error == PK_BOMB) { + /* clear reached_end to signal premature stop ... */ + reached_end = FALSE; + /* ... and cancel scanning the central directory */ +@@ -1062,6 +1205,11 @@ + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; ++ if (cover_within((cover_t *)G.cover, request)) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; + +@@ -1602,6 +1750,18 @@ + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ if (error != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); + #endif +@@ -2003,6 +2163,34 @@ + } + + undefer_input(__G); ++ ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ /* skip over data descriptor (harder than it sounds, due to signature ++ * ambiguity) ++ */ ++# define SIG 0x08074b50 ++# define LOW 0xffffffff ++ uch buf[12]; ++ unsigned shy = 12 - readbuf((char *)buf, 12); ++ ulg crc = shy ? 0 : makelong(buf); ++ ulg clen = shy ? 0 : makelong(buf + 4); ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ ++ if (crc == SIG && /* if not SIG, no signature */ ++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ ++ (clen == SIG && /* if not SIG, no signature */ ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ ++ (ulen == SIG && /* if not SIG, no signature */ ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ /* if not SIG, have signature */ ++ ))))) ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); ++ if (G.zip64) ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ if (shy) ++ error = PK_ERR; ++ } ++ + return error; + + } /* end function extract_or_test_member() */ +--- a/globals.c ++++ b/globals.c +@@ -181,6 +181,7 @@ + # if (!defined(NO_TIMESTAMPS)) + uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ + # endif ++ G.cover = NULL; /* not allocated yet */ + #endif + + uO.lflag=(-1); +--- a/globals.h ++++ b/globals.h +@@ -260,12 +260,15 @@ + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + ++ int zip64; /* true if Zip64 info in extra field */ ++ + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ + int reported_backslash; /* extract.c static */ + int disk_full; + int newfile; ++ void **cover; /* used in extract.c for bomb detection */ + + int didCRlast; /* fileio static */ + ulg numlines; /* fileio static: number of lines printed */ +--- a/process.c ++++ b/process.c +@@ -637,6 +637,13 @@ + } + #endif + ++ /* Free the cover span list and the cover structure. */ ++ if (G.cover != NULL) { ++ free(*(G.cover)); ++ free(G.cover); ++ G.cover = NULL; ++ } ++ + } /* end function free_G_buffers() */ + + +@@ -1913,6 +1920,8 @@ + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff + ++ G.zip64 = FALSE; ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + +@@ -2084,6 +2093,8 @@ + (ZCONST char *)(offset + ef_buf), ULen); + G.unipath_filename[ULen] = '\0'; + } ++ ++ G.zip64 = TRUE; + } + + /* Skip this extra field block */ +--- a/unzip.h ++++ b/unzip.h +@@ -645,6 +645,7 @@ + #define PK_NOZIP 9 /* zipfile not found */ + #define PK_PARAM 10 /* bad or illegal parameters specified */ + #define PK_FIND 11 /* no files found */ ++#define PK_BOMB 12 /* likely zip bomb */ + #define PK_DISK 50 /* disk full */ + #define PK_EOF 51 /* unexpected EOF */ + diff -Nru unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch --- unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch 1970-01-01 01:00:00.000000000 +0100 +++ unzip-6.0/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch 2019-08-05 17:24:00.000000000 +0200 @@ -0,0 +1,103 @@ +From: Mark Adler <mad...@alumni.caltech.edu> +Subject: Do not raise a zip bomb alert for a misplaced central directory. +Origin: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc +Bug-Debian: https://bugs.debian.org/932404 +X-Debian-version: 6.0-25 + + Do not raise a zip bomb alert for a misplaced central directory. + + There is a zip-like file in the Firefox distribution, omni.ja, + which is a zip container with the central directory placed at the + start of the file instead of after the local entries as required + by the zip standard. This commit marks the actual location of the + central directory, as well as the end of central directory records, + as disallowed locations. This now permits such containers to not + raise a zip bomb alert, where in fact there are no overlaps. + +--- a/extract.c ++++ b/extract.c +@@ -495,8 +495,11 @@ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. */ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -508,15 +511,25 @@ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. */ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series --- unzip-6.0/debian/patches/series 2019-04-17 20:00:00.000000000 +0200 +++ unzip-6.0/debian/patches/series 2019-08-05 17:00:00.000000000 +0200 @@ -18,3 +18,7 @@ 18-cve-2014-9913-unzip-buffer-overflow.patch 19-cve-2016-9844-zipinfo-buffer-overflow.patch 20-cve-2018-1000035-unzip-buffer-overflow.patch +21-fix-warning-messages-on-big-files.patch +22-cve-2019-13232-fix-bug-in-undefer-input.patch +23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch +24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch