diff --git a/0025-unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch b/0025-unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch new file mode 100644 index 0000000000000000000000000000000000000000..e073c5f12289b06691e3b023e67d870e4ae5a7da --- /dev/null +++ b/0025-unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch @@ -0,0 +1,34 @@ +From 8f6be666289211661906922cdfe6ea5a08c5b458 Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Tue, 13 Nov 2018 09:57:43 +0100 +Subject: [PATCH] envargs.c: strcpy with overlapping strings + +--- + envargs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/envargs.c b/envargs.c +index f0a230d..daa3e47 100644 +--- a/envargs.c ++++ b/envargs.c +@@ -31,6 +31,7 @@ + #define __ENVARGS_C /* identifies this source module */ + #define UNZIP_INTERNAL + #include "unzip.h" ++#include + + #ifdef __EMX__ /* emx isspace() returns TRUE on extended ASCII !! */ + # define ISspace(c) ((c) & 0x80 ? 0 : isspace((unsigned)c)) +@@ -118,7 +119,8 @@ int envargs(Pargc, Pargv, envstr, envstr2) + + /* remove escape characters */ + while ((argstart = MBSCHR(argstart, '\\')) != (char *)NULL) { +- strcpy(argstart, argstart + 1); ++ //strcpy(argstart, argstart + 1); ++ memmove(argstart, argstart + 1,strlen(argstart + 1) + 1); + if (*argstart) + ++argstart; + } +-- +2.14.5 + diff --git a/0026-unzip-zipbomb-part1.patch b/0026-unzip-zipbomb-part1.patch new file mode 100644 index 0000000000000000000000000000000000000000..35cf85652294738510b138aa7029969a480a5778 --- /dev/null +++ b/0026-unzip-zipbomb-part1.patch @@ -0,0 +1,25 @@ +From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 27 May 2019 08:20:32 -0700 +Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state. + +--- + fileio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fileio.c b/fileio.c +index c042987..bc00d74 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -530,8 +530,10 @@ void undefer_input(__G) + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; diff --git a/0027-unzip-zipbomb-part2.patch b/0027-unzip-zipbomb-part2.patch new file mode 100644 index 0000000000000000000000000000000000000000..903c8457636fefa863faa867a7e9b3259b01499c --- /dev/null +++ b/0027-unzip-zipbomb-part2.patch @@ -0,0 +1,349 @@ +From 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Tue, 11 Jun 2019 22:01:18 -0700 +Subject: [PATCH] Detect and reject a zip bomb using overlapped entries. + +This detects an invalid zip file that has at least one entry that +overlaps with another entry or with the central directory to the +end of the file. A Fifield zip bomb uses overlapped local entries +to vastly increase the potential inflation ratio. Such an invalid +zip file is rejected. + +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's +analysis, construction, and examples of such zip bombs. + +The detection maintains a list of covered spans of the zip files +so far, where the central directory to the end of the file and any +bytes preceding the first entry at zip file offset zero are +considered covered initially. Then as each entry is decompressed +or tested, it is considered covered. When a new entry is about to +be processed, its initial offset is checked to see if it is +contained by a covered span. If so, the zip file is rejected as +invalid. + +This commit depends on a preceding commit: "Fix bug in +undefer_input() that misplaced the input state." +--- + extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + globals.c | 1 + + globals.h | 3 + + process.c | 11 ++++ + unzip.h | 1 + + 5 files changed, 205 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 1acd769..0973a33 100644 +--- a/extract.c ++++ b/extract.c +@@ -319,6 +319,125 @@ static ZCONST char Far UnsupportedExtraField[] = + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ ++ ++ ++ ++ ++/* A growable list of spans. */ ++typedef zoff_t bound_t; ++typedef struct { ++ bound_t beg; /* start of the span */ ++ bound_t end; /* one past the end of the span */ ++} span_t; ++typedef struct { ++ span_t *span; /* allocated, distinct, and sorted list of spans */ ++ size_t num; /* number of spans in the list */ ++ size_t max; /* allocated number of spans (num <= max) */ ++} cover_t; ++ ++/* ++ * Return the index of the first span in cover whose beg is greater than val. ++ * If there is no such span, then cover->num is returned. ++ */ ++static size_t cover_find(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t lo = 0, hi = cover->num; ++ while (lo < hi) { ++ size_t mid = (lo + hi) >> 1; ++ if (val < cover->span[mid].beg) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ return hi; ++} ++ ++/* Return true if val lies within any one of the spans in cover. */ ++static int cover_within(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t pos = cover_find(cover, val); ++ return pos > 0 && val < cover->span[pos - 1].end; ++} ++ ++/* ++ * Add a new span to the list, but only if the new span does not overlap any ++ * spans already in the list. The new span covers the values beg..end-1. beg ++ * must be less than end. ++ * ++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for ++ * the list as needed. On success, 0 is returned. If the new span overlaps any ++ * existing spans, then 1 is returned and the new span is not added to the ++ * list. If the new span is invalid because beg is greater than or equal to ++ * end, then -1 is returned. If the list needs to be grown but the memory ++ * allocation fails, then -2 is returned. ++ */ ++static int cover_add(cover, beg, end) ++ cover_t *cover; ++ bound_t beg; ++ bound_t end; ++{ ++ size_t pos; ++ int prec, foll; ++ ++ if (beg >= end) ++ /* The new span is invalid. */ ++ return -1; ++ ++ /* Find where the new span should go, and make sure that it does not ++ overlap with any existing spans. */ ++ pos = cover_find(cover, beg); ++ if ((pos > 0 && beg < cover->span[pos - 1].end) || ++ (pos < cover->num && end > cover->span[pos].beg)) ++ return 1; ++ ++ /* Check for adjacencies. */ ++ prec = pos > 0 && beg == cover->span[pos - 1].end; ++ foll = pos < cover->num && end == cover->span[pos].beg; ++ if (prec && foll) { ++ /* The new span connects the preceding and following spans. Merge the ++ following span into the preceding span, and delete the following ++ span. */ ++ cover->span[pos - 1].end = cover->span[pos].end; ++ cover->num--; ++ memmove(cover->span + pos, cover->span + pos + 1, ++ (cover->num - pos) * sizeof(span_t)); ++ } ++ else if (prec) ++ /* The new span is adjacent only to the preceding span. Extend the end ++ of the preceding span. */ ++ cover->span[pos - 1].end = end; ++ else if (foll) ++ /* The new span is adjacent only to the following span. Extend the ++ beginning of the following span. */ ++ cover->span[pos].beg = beg; ++ else { ++ /* The new span has gaps between both the preceding and the following ++ spans. Assure that there is room and insert the span. */ ++ if (cover->num == cover->max) { ++ size_t max = cover->max == 0 ? 16 : cover->max << 1; ++ span_t *span = realloc(cover->span, max * sizeof(span_t)); ++ if (span == NULL) ++ return -2; ++ cover->span = span; ++ cover->max = max; ++ } ++ memmove(cover->span + pos + 1, cover->span + pos, ++ (cover->num - pos) * sizeof(span_t)); ++ cover->num++; ++ cover->span[pos].beg = beg; ++ cover->span[pos].end = end; ++ } ++ return 0; ++} + + + +@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + ++ /* One more: initialize cover structure for bomb detection. Start with a ++ span that covers the central directory though the end of the file. */ ++ if (G.cover == NULL) { ++ G.cover = malloc(sizeof(cover_t)); ++ if (G.cover == NULL) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ ((cover_t *)G.cover)->span = NULL; ++ ((cover_t *)G.cover)->max = 0; ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.ziplen) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- + rectory lies at the end of the zipfile and the member files lie at the +@@ -591,7 +733,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + if (error > error_in_archive) + error_in_archive = error; + /* ...and keep going (unless disk full or user break) */ +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || ++ error == PK_BOMB) { + /* clear reached_end to signal premature stop ... */ + reached_end = FALSE; + /* ... and cancel scanning the central directory */ +@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; ++ if (cover_within((cover_t *)G.cover, request)) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; + +@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk, + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ if (error != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); + #endif +@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + } + + undefer_input(__G); ++ ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ /* skip over data descriptor (harder than it sounds, due to signature ++ * ambiguity) ++ */ ++# define SIG 0x08074b50 ++# define LOW 0xffffffff ++ uch buf[12]; ++ unsigned shy = 12 - readbuf((char *)buf, 12); ++ ulg crc = shy ? 0 : makelong(buf); ++ ulg clen = shy ? 0 : makelong(buf + 4); ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ ++ if (crc == SIG && /* if not SIG, no signature */ ++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ ++ (clen == SIG && /* if not SIG, no signature */ ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ ++ (ulen == SIG && /* if not SIG, no signature */ ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ /* if not SIG, have signature */ ++ ))))) ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); ++ if (G.zip64) ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ if (shy) ++ error = PK_ERR; ++ } ++ + return error; + + } /* end function extract_or_test_member() */ +diff --git a/globals.c b/globals.c +index fa8cca5..1e0f608 100644 +--- a/globals.c ++++ b/globals.c +@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor() + # if (!defined(NO_TIMESTAMPS)) + uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ + # endif ++ G.cover = NULL; /* not allocated yet */ + #endif + + uO.lflag=(-1); +diff --git a/globals.h b/globals.h +index 11b7215..2bdcdeb 100644 +--- a/globals.h ++++ b/globals.h +@@ -260,12 +260,15 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + ++ int zip64; /* true if Zip64 info in extra field */ ++ + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ + int reported_backslash; /* extract.c static */ + int disk_full; + int newfile; ++ void **cover; /* used in extract.c for bomb detection */ + + int didCRlast; /* fileio static */ + ulg numlines; /* fileio static: number of lines printed */ +diff --git a/process.c b/process.c +index 1e9a1e1..d2e4dc3 100644 +--- a/process.c ++++ b/process.c +@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ + } + #endif + ++ /* Free the cover span list and the cover structure. */ ++ if (G.cover != NULL) { ++ free(*(G.cover)); ++ free(G.cover); ++ G.cover = NULL; ++ } ++ + } /* end function free_G_buffers() */ + + +@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff + ++ G.zip64 = FALSE; ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + +@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + #if 0 + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ ++ ++ G.zip64 = TRUE; + } + + /* Skip this extra field block. */ +diff --git a/unzip.h b/unzip.h +index 5b2a326..ed24a5b 100644 +--- a/unzip.h ++++ b/unzip.h +@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec { + #define PK_NOZIP 9 /* zipfile not found */ + #define PK_PARAM 10 /* bad or illegal parameters specified */ + #define PK_FIND 11 /* no files found */ ++#define PK_BOMB 12 /* likely zip bomb */ + #define PK_DISK 50 /* disk full */ + #define PK_EOF 51 /* unexpected EOF */ + diff --git a/0028-unzip-zipbomb-part3.patch b/0028-unzip-zipbomb-part3.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b8d67b7732f7d0e1ca19e48d0e28de4eee056b3 --- /dev/null +++ b/0028-unzip-zipbomb-part3.patch @@ -0,0 +1,112 @@ +From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Thu, 25 Jul 2019 20:43:17 -0700 +Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central + directory. + +There is a zip-like file in the Firefox distribution, omni.ja, +which is a zip container with the central directory placed at the +start of the file instead of after the local entries as required +by the zip standard. This commit marks the actual location of the +central directory, as well as the end of central directory records, +as disallowed locations. This now permits such containers to not +raise a zip bomb alert, where in fact there are no overlaps. +--- + extract.c | 25 +++++++++++++++++++------ + process.c | 6 ++++++ + unzpriv.h | 10 ++++++++++ + 3 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/extract.c b/extract.c +index 0973a33..1b73cb0 100644 +--- a/extract.c ++++ b/extract.c +@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. */ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +diff --git a/process.c b/process.c +index d2e4dc3..d75d405 100644 +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. */ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +diff --git a/unzpriv.h b/unzpriv.h +index dc9eff5..297b3c7 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + diff --git a/0029-unzip-zipbomb-part4.patch b/0029-unzip-zipbomb-part4.patch new file mode 100644 index 0000000000000000000000000000000000000000..beffa2c9987254315f962c7456dfd5c166407ee6 --- /dev/null +++ b/0029-unzip-zipbomb-part4.patch @@ -0,0 +1,25 @@ +From 5e2efcd633a4a1fb95a129a75508e7d769e767be Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 20:36:28 -0800 +Subject: [PATCH] Fix bug in UZbunzip2() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +bzip2-compressed file was unzipped. This commit remedies that. +--- + extract.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index d9866f9..0cb7bfc 100644 +--- a/extract.c ++++ b/extract.c +@@ -3010,7 +3010,7 @@ __GDEF + #endif + + G.inptr = (uch *)bstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzbunzip_cleanup_exit: + err = BZ2_bzDecompressEnd(&bstrm); diff --git a/0030-unzip-zipbomb-part5.patch b/0030-unzip-zipbomb-part5.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca6a43a7c5be08c5847fc7ba72ba50d29aec92f9 --- /dev/null +++ b/0030-unzip-zipbomb-part5.patch @@ -0,0 +1,26 @@ +From 5c572555cf5d80309a07c30cf7a54b2501493720 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 21:39:09 -0800 +Subject: [PATCH] Fix bug in UZinflate() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +deflate-compressed file was unzipped using an old zlib. This +commit remedies that. +--- + inflate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/inflate.c b/inflate.c +index 2f5a015..70e3cc0 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -700,7 +700,7 @@ int UZinflate(__G__ is_defl64) + G.dstrm.total_out)); + + G.inptr = (uch *)G.dstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzinflate_cleanup_exit: + err = inflateReset(&G.dstrm); diff --git a/0031-unzip-zipbomb-part6.patch b/0031-unzip-zipbomb-part6.patch new file mode 100644 index 0000000000000000000000000000000000000000..3dce6e3421e1d8fe38001865ac4689e794d79d02 --- /dev/null +++ b/0031-unzip-zipbomb-part6.patch @@ -0,0 +1,95 @@ +From 122050bac16fae82a460ff739fb1ca0f106e9d85 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 2 Jan 2021 13:09:34 -0800 +Subject: [PATCH] Determine Zip64 status entry-by-entry instead of for entire + file. + +Fixes a bug for zip files with mixed Zip64 and not Zip64 entries, +which resulted in an incorrect data descriptor length. The bug is +seen when a Zip64 entry precedes a non-Zip64 entry, in which case +the data descriptor would have been assumed to be larger than it +is, resulting in an incorrect bomb warning due to a perceived +overlap with the next entry. This commit determines and saves the +Zip64 status for each entry based on the central directory, and +then computes the length of each data descriptor accordingly. +--- + extract.c | 5 +++-- + globals.h | 2 -- + process.c | 4 +--- + unzpriv.h | 1 + + 4 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/extract.c b/extract.c +index 504afd6..878817d 100644 +--- a/extract.c ++++ b/extract.c +@@ -658,6 +658,7 @@ int extract_or_test_files(__G) /* return PK-type error code */ + break; + } + } ++ G.pInfo->zip64 = FALSE; + if ((error = do_string(__G__ G.crec.extra_field_length, + EXTRA_FIELD)) != 0) + { +@@ -2187,12 +2188,12 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + (clen == SIG && /* if not SIG, no signature */ + ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ + (ulen == SIG && /* if not SIG, no signature */ +- (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ (G.pInfo->zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG + /* if not SIG, have signature */ + ))))) + /* skip four more bytes to account for signature */ + shy += 4 - readbuf((char *)buf, 4); +- if (G.zip64) ++ if (G.pInfo->zip64) + shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ + if (shy) + error = PK_ERR; +diff --git a/globals.h b/globals.h +index f9c6daf..a883c90 100644 +--- a/globals.h ++++ b/globals.h +@@ -261,8 +261,6 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + +- int zip64; /* true if Zip64 info in extra field */ +- + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ +diff --git a/process.c b/process.c +index d75d405..d643c6f 100644 +--- a/process.c ++++ b/process.c +@@ -1903,8 +1903,6 @@ int getZip64Data(__G__ ef_buf, ef_len) + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff + +- G.zip64 = FALSE; +- + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + +@@ -1943,7 +1941,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ + +- G.zip64 = TRUE; ++ G.pInfo->zip64 = TRUE; + } + + /* Skip this extra field block. */ +diff --git a/unzpriv.h b/unzpriv.h +index 09f288e..75b3359 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2034,6 +2034,7 @@ typedef struct min_info { + #ifdef UNICODE_SUPPORT + unsigned GPFIsUTF8: 1; /* crec gen_purpose_flag UTF-8 bit 11 is set */ + #endif ++ unsigned zip64: 1; /* true if entry has Zip64 extra block */ + #ifndef SFX + char Far *cfilname; /* central header version of filename */ + #endif diff --git a/0032-unzip-zipbomb-switch.patch b/0032-unzip-zipbomb-switch.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6d33c026b987ec35e70d8f08ed4453fe3356581 --- /dev/null +++ b/0032-unzip-zipbomb-switch.patch @@ -0,0 +1,215 @@ +From 5b44c818b96193b3e240f38f61985fa2bc780eb7 Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Tue, 30 Nov 2021 15:42:17 +0100 +Subject: [PATCH] Add an option to disable the zipbomb detection + +This can be done by settting a newly introduced environment variable +UNZIP_DISABLE_ZIPBOMB_DETECTION to {TRUE,True,true}. If the variable is unset, or +set to any other value the zipbomb detection is left enabled. + +Example: + UNZIP_DISABLE_ZIPBOMB_DETECTION=True unzip ./zbsm.zip -d ./test +--- + extract.c | 85 ++++++++++++++++++++++++++++++------------------------- + unzip.c | 15 ++++++++-- + unzip.h | 1 + + 3 files changed, 60 insertions(+), 41 deletions(-) + +diff --git a/extract.c b/extract.c +index 878817d..3e58071 100644 +--- a/extract.c ++++ b/extract.c +@@ -322,7 +322,8 @@ static ZCONST char Far BadExtraFieldCRC[] = + static ZCONST char Far NotEnoughMemCover[] = + "error: not enough memory for bomb detection\n"; + static ZCONST char Far OverlappedComponents[] = +- "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ "error: invalid zip file with overlapped components (possible zip bomb)\n \ ++To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable\n"; + + + +@@ -502,35 +503,37 @@ int extract_or_test_files(__G) /* return PK-type error code */ + the end of central directory record (including the Zip64 end of central + directory locator, if present), and the Zip64 end of central directory + record, if present. */ +- if (G.cover == NULL) { ++ if (uO.zipbomb == TRUE) { ++ if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +- Info(slide, 0x401, ((char *)slide, +- LoadFarString(NotEnoughMemCover))); +- return PK_MEM; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; + } + ((cover_t *)G.cover)->span = NULL; + ((cover_t *)G.cover)->max = 0; +- } +- ((cover_t *)G.cover)->num = 0; +- if (cover_add((cover_t *)G.cover, +- G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.extra_bytes + G.ecrec.offset_start_central_directory + +- G.ecrec.size_central_directory) != 0) { ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if (cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(NotEnoughMemCover))); ++ LoadFarString(NotEnoughMemCover))); + return PK_MEM; +- } +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- (G.ecrec.have_ecr64 && +- cover_add((cover_t *)G.cover, G.ecrec.ec64_start, +- G.ecrec.ec64_end) != 0) || +- cover_add((cover_t *)G.cover, G.ecrec.ec_start, +- G.ecrec.ec_end) != 0) { ++ } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(OverlappedComponents))); ++ LoadFarString(OverlappedComponents))); + return PK_BOMB; ++ } + } + + /*--------------------------------------------------------------------------- +@@ -1222,10 +1225,12 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; +- if (cover_within((cover_t *)G.cover, request)) { ++ if (uO.zipbomb == TRUE) { ++ if (cover_within((cover_t *)G.cover, request)) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(OverlappedComponents))); ++ LoadFarString(OverlappedComponents))); + return PK_BOMB; ++ } + } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; +@@ -1758,17 +1763,19 @@ reprompt: + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif +- error = cover_add((cover_t *)G.cover, request, +- G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); +- if (error < 0) { ++ if (uO.zipbomb == TRUE) { ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(NotEnoughMemCover))); ++ LoadFarString(NotEnoughMemCover))); + return PK_MEM; +- } +- if (error != 0) { ++ } ++ if (error != 0) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(OverlappedComponents))); ++ LoadFarString(OverlappedComponents))); + return PK_BOMB; ++ } + } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); +@@ -2171,8 +2178,8 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + } + + undefer_input(__G); +- +- if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ if (uO.zipbomb == TRUE) { ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { + /* skip over data descriptor (harder than it sounds, due to signature + * ambiguity) + */ +@@ -2189,16 +2196,16 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ + (ulen == SIG && /* if not SIG, no signature */ + (G.pInfo->zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG +- /* if not SIG, have signature */ ++ /* if not SIG, have signature */ + ))))) +- /* skip four more bytes to account for signature */ +- shy += 4 - readbuf((char *)buf, 4); ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); + if (G.pInfo->zip64) +- shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ + if (shy) +- error = PK_ERR; ++ error = PK_ERR; ++ } + } +- + return error; + + } /* end function extract_or_test_member() */ +diff --git a/unzip.c b/unzip.c +index 8dbfc95..abb3644 100644 +--- a/unzip.c ++++ b/unzip.c +@@ -1329,10 +1329,9 @@ int uz_opts(__G__ pargc, pargv) + int *pargc; + char ***pargv; + { +- char **argv, *s; ++ char **argv, *s, *zipbomb_envar; + int argc, c, error=FALSE, negative=0, showhelp=0; + +- + argc = *pargc; + argv = *pargv; + +@@ -1923,6 +1922,18 @@ opts_done: /* yes, very ugly...but only used by UnZipSFX with -x xlist */ + else + G.extract_flag = TRUE; + ++ /* Disable the zipbomb detection, this is the only option set only via the shell variables but it should at least not clash with something in the future. */ ++ zipbomb_envar = getenv("UNZIP_DISABLE_ZIPBOMB_DETECTION"); ++ uO.zipbomb = TRUE; ++ if (zipbomb_envar != NULL) { ++ /* strcasecmp might be a better approach here but it is POSIX-only */ ++ if ((strcmp ("TRUE", zipbomb_envar) == 0) ++ || (strcmp ("True", zipbomb_envar) == 0) ++ || (strcmp ("true",zipbomb_envar) == 0)) { ++ uO.zipbomb = FALSE; ++ } ++ } ++ + *pargc = argc; + *pargv = argv; + return PK_OK; +diff --git a/unzip.h b/unzip.h +index ed24a5b..e7665e8 100644 +--- a/unzip.h ++++ b/unzip.h +@@ -559,6 +559,7 @@ typedef struct _UzpOpts { + #ifdef UNIX + int cflxflag; /* -^: allow control chars in extracted filenames */ + #endif ++ int zipbomb; + #endif /* !FUNZIP */ + } UzpOpts; + +-- +2.33.0 + diff --git a/unzip.spec b/unzip.spec index 54edf66d127a6bfee6256327d8e64e916a58b1a4..5901be8bbfb75e5d54e75b0db81e6b5f2db72342 100644 --- a/unzip.spec +++ b/unzip.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 Name: unzip Epoch: 1 @@ -57,7 +57,17 @@ Patch23: 0023-unzip-6.0-cve-2018-18384.patch # covscan issues Patch24: 0024-unzip-6.0-COVSCAN-fix-unterminated-string.patch +Patch25: 0025-unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch +# zipbomb related patches ( CVE-2019-13232 ) +Patch26: 0026-unzip-zipbomb-part1.patch +Patch27: 0027-unzip-zipbomb-part2.patch +Patch28: 0028-unzip-zipbomb-part3.patch +Patch29: 0029-unzip-zipbomb-part4.patch +Patch30: 0030-unzip-zipbomb-part5.patch +Patch31: 0031-unzip-zipbomb-part6.patch + +Patch32: 0032-unzip-zipbomb-switch.patch BuildRequires: make BuildRequires: bzip2-devel, gcc @@ -103,6 +113,9 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_ %doc README BUGS %changelog +* Wed Oct 26 2022 Jing Zhang - 1:6.0-3 +- add fixes for CVE and bugs + * Sun Oct 09 2022 mgb01105731 - 1:6.0-2 - add doc package