diff --git a/SOURCES/unzip-zipbomb-part4.patch b/SOURCES/unzip-zipbomb-part4.patch new file mode 100644 index 0000000..beffa2c --- /dev/null +++ b/SOURCES/unzip-zipbomb-part4.patch @@ -0,0 +1,25 @@ +From 5e2efcd633a4a1fb95a129a75508e7d769e767be Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 20:36:28 -0800 +Subject: [PATCH] Fix bug in UZbunzip2() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +bzip2-compressed file was unzipped. This commit remedies that. +--- + extract.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index d9866f9..0cb7bfc 100644 +--- a/extract.c ++++ b/extract.c +@@ -3010,7 +3010,7 @@ __GDEF + #endif + + G.inptr = (uch *)bstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzbunzip_cleanup_exit: + err = BZ2_bzDecompressEnd(&bstrm); diff --git a/SOURCES/unzip-zipbomb-part5.patch b/SOURCES/unzip-zipbomb-part5.patch new file mode 100644 index 0000000..ca6a43a --- /dev/null +++ b/SOURCES/unzip-zipbomb-part5.patch @@ -0,0 +1,26 @@ +From 5c572555cf5d80309a07c30cf7a54b2501493720 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 21:39:09 -0800 +Subject: [PATCH] Fix bug in UZinflate() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +deflate-compressed file was unzipped using an old zlib. This +commit remedies that. +--- + inflate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/inflate.c b/inflate.c +index 2f5a015..70e3cc0 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -700,7 +700,7 @@ int UZinflate(__G__ is_defl64) + G.dstrm.total_out)); + + G.inptr = (uch *)G.dstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzinflate_cleanup_exit: + err = inflateReset(&G.dstrm); diff --git a/SPECS/unzip.spec b/SPECS/unzip.spec index 747b56a..e042528 100644 --- a/SPECS/unzip.spec +++ b/SPECS/unzip.spec @@ -7,7 +7,7 @@ Summary: A utility for unpacking zip files Name: unzip Version: 6.0 -Release: 43%{?dist} +Release: 44%{?dist} License: BSD Group: Applications/Archiving Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -71,6 +71,8 @@ Patch28: unzip-zipbomb-part2.patch Patch29: unzip-zipbomb-part3.patch Patch30: unzip-zipbomb-manpage.patch +Patch31: unzip-zipbomb-part4.patch +Patch32: unzip-zipbomb-part5.patch URL: http://www.info-zip.org/UnZip.html BuildRequires: bzip2-devel @@ -120,6 +122,9 @@ a zip archive. %patch29 -p1 -b .zipbomb3 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 + %build # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X # NOMEMCPY solve problem with memory overlapping - decomression is slowly, @@ -139,6 +144,10 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{ %{_mandir}/*/* %changelog +* Tue Nov 24 2020 Jakub Martisko - 6.0-44 +* Fix out of memory errors while checking for zip-bombs +Resolves: #1900915 + * Mon Nov 18 2019 Jakub Martisko - 6.0-43 - Update the man page with the new exit code introduced in 6.0-42 - Related: CVE-2019-13232