rpms / zziplib

Clone
Source Code
GIT

Blame SOURCES/0001-fix-CVE-2018-7726.patch

c7-beta c7-rt c7-sig-core
  1.   c7-rt
  2.   SOURCES
  3.   0001-fix-CVE-2018-7726.patch
Blob History Raw
628a65 
From 7eec5e4b9a4b6efea5ef5f6b793a6cbef40e980d Mon Sep 17 00:00:00 2001
628a65 
From: Jakub Martisko <jamartis@redhat.com>
628a65 
Date: Wed, 23 May 2018 10:15:07 +0200
628a65 
Subject: [PATCH] fix: CVE-2018-7726
628a65
628a65 
---
628a65 
 zzip/zip.c | 12 ++++++++++++
628a65 
 1 file changed, 12 insertions(+)
628a65
628a65 
diff --git a/zzip/zip.c b/zzip/zip.c
628a65 
index a574b24..a6c7ced 100644
628a65 
--- a/zzip/zip.c
628a65 
+++ b/zzip/zip.c
628a65 
@@ -323,6 +323,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
628a65 
                     trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
628a65 
                     trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
628a65 
 #                  endif
628a65 
+                    if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
628a65 
+                       return(ZZIP_CORRUPTED); // forged value
628a65
628a65 
                     __fixup_rootseek(offset + tail - mapped, trailer);
628a65 
                     { return(0); }
628a65 
@@ -343,6 +345,14 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
628a65 
                         zzip_disk64_trailer_finalentries(orig);
628a65 
                     trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
628a65 
                     trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
628a65 
+                    if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
628a65 
+                       return(ZZIP_CORRUPTED); // forged value
628a65 
+                    /*
628a65 
+ 		     * "extract data from files archived in a single zip file."
628a65 
+ 		     * So the file offsets must be within the current ZIP archive!
628a65 
+		     */
628a65 
+                    if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
628a65 
+                        return(ZZIP_CORRUPTED);
628a65 
                     { return(0); }
628a65 
 #                  endif
628a65 
                 }
628a65 
@@ -410,6 +420,8 @@ __zzip_parse_root_directory(int fd,
628a65 
     zzip_off64_t zz_rootsize = _disk_trailer_rootsize(trailer);
628a65 
     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
628a65 
     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
628a65 
+    if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
628a65 
+        return ZZIP_CORRUPTED;
628a65
628a65 
     hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
628a65 
     if (! hdr0)
628a65 
--
628a65 
2.14.3
628a65

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation