package/minizip-zlib: fix CVE-2023-45853

MiniZip in zlib through 1.3 has an integer overflow and resultant
heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
filename, comment, or extra field. NOTE: MiniZip is not a supported part
of the zlib product.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine 2023-10-22 23:32:26 +02:00 committed by Peter Korsgaard
parent 17ffb91551
commit de7bc4ada2
2 changed files with 41 additions and 0 deletions

@ -0,0 +1,39 @@
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
From: Hans Wennborg <hans@chromium.org>
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
Upstream: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
contrib/minizip/zip.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
index 3d3d4cadd..0446109b2 100644
--- a/contrib/minizip/zip.c
+++ b/contrib/minizip/zip.c
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
return ZIP_PARAMERROR;
#endif
+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
zi = (zip64_internal*)file;
if (zi->in_opened_file_inzip == 1)
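Review bot: the extra-field check in the zip.c hunk bounds `size_extrafield_local` and `size_extrafield_global` separately against 0xffff, and its comment defers the Zip64 extra block to a check that "will be checked for later", but none of the 11 inserted lines performs that later check. Please confirm that the minizip source this package builds already carries it, and say so in the patch description. Otherwise an extra field close to 0xffff plus the Zip64 block could still exceed the 16-bit length that this patch is meant to enforce.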

@ -16,5 +16,7 @@ MINIZIP_ZLIB_AUTORECONF = YES
MINIZIP_ZLIB_DEPENDENCIES = zlib
# demos must be disabled to avoid a conflict with BR2_PACKAGE_MINIZIP_DEMOS
MINIZIP_ZLIB_CONF_OPTS = --disable-demos
# 0001-Reject-overflows-of-zip-header-fields-in-minizip.patch
MINIZIP_ZLIB_IGNORE_CVES += CVE-2023-45853
$(eval $(autotools-package))
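Review bot: the `MINIZIP_ZLIB_IGNORE_CVES += CVE-2023-45853` line is linked to its fix only by the patch file name in the comment above it, so if the patch is renamed or dropped on a later version bump the CVE stays suppressed with nothing carrying the fix. Suggest the comment also name the upstream commit (73331a6a0481067628f065ffe87bb1d8f787d10c, already given in the patch's Upstream: tag) so the patch and the ignore entry are removed together once the packaged version includes it.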