0001-Fix-CVE-2016-9844-rhbz-1404283.patch 1.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940
  1. From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001
  2. From: Petr Stodulka <pstodulk@redhat.com>
  3. Date: Wed, 14 Dec 2016 16:30:36 +0100
  4. Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283)
  5. Fixes buffer overflow in zipinfo in similar way like fix for
  6. CVE-2014-9913 provided by upstream.
  7. ---
  8. zipinfo.c | 14 +++++++++++++-
  9. 1 file changed, 13 insertions(+), 1 deletion(-)
  10. diff --git a/zipinfo.c b/zipinfo.c
  11. index c03620e..accca2a 100644
  12. --- a/zipinfo.c
  13. +++ b/zipinfo.c
  14. @@ -1984,7 +1984,19 @@ static int zi_short(__G) /* return PK-type error code */
  15. ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
  16. methbuf[3] = dtype[dnum];
  17. } else if (methnum >= NUM_METHODS) { /* unknown */
  18. - sprintf(&methbuf[1], "%03u", G.crec.compression_method);
  19. + /* 2016-12-05 SMS.
  20. + * https://launchpad.net/bugs/1643750
  21. + * Unexpectedly large compression methods overflow
  22. + * &methbuf[]. Use the old, three-digit decimal format
  23. + * for values which fit. Otherwise, sacrifice the "u",
  24. + * and use four-digit hexadecimal.
  25. + */
  26. + if (G.crec.compression_method <= 999) {
  27. + sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
  28. + } else {
  29. + sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
  30. + }
  31. +
  32. }
  33. for (k = 0; k < 15; ++k)
  34. --
  35. 2.5.5