code.ossystems Code Review - openembedded-core.git/commit

unzip: CVE-2014-9913 CVE-2016-9844

Backport the patches for CVE-2014-9913 CVE-2016-9844

CVE-2016-9844:
Buffer overflow in the zi_short function in zipinfo.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via a large compression method value in the central
directory file header.
CVE-2014-9913:
Buffer overflow in the list_files function in list.c in Info-Zip
UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via vectors related to the compression method.

Patches come from:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/archivers/unzip/ or
https://release.debian.org/proposed-updates/stable_diffs/unzip_6.0-16+deb8u3.debdiff

Bug-Debian: https://bugs.debian.org/847486
Bug-Ubuntu: https://launchpad.net/bugs/1643750

(LOCAL REV: NOT UPSTREAM) --send to oe-core on 20170222

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

author	Zhixiong Chi <zhixiong.chi@windriver.com>
	Wed, 22 Feb 2017 07:14:42 +0000 (15:14 +0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Wed, 1 Mar 2017 12:54:21 +0000 (12:54 +0000)
commit	fc386ed4afb76bd3e5a3afff54d7dc8dde14fe9c
tree	1f3aa2ca38829ef4da07e5fdc36764024ae3ed58	tree \| snapshot
parent	f65baebafc3d1389c5e5000c6cd921b7569123a1	commit \| diff

meta/recipes-extended/unzip/unzip/18-cve-2014-9913-unzip-buffer-overflow.patch	[new file with mode: 0644]	blob
meta/recipes-extended/unzip/unzip/19-cve-2016-9844-zipinfo-buffer-overflow.patch	[new file with mode: 0644]	blob
meta/recipes-extended/unzip/unzip_6.0.bb		diff \| blob \| history