1From: sms
2Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
3Bug-Debian: http://bugs.debian.org/773722
4
5The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
6
7Upstream-Status: Backport
8CVE: CVE-2014-8139
9
10Signed-off-by: Roy Li <rongqing.li@windriver.com>
11
12--- a/extract.c
13+++ b/extract.c
14@@ -298,6 +298,8 @@
15 #ifndef SFX
16 static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
17 EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
18+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
19+ EF block length (%u bytes) invalid (< %d)\n";
20 static ZCONST char Far InvalidComprDataEAs[] =
21 " invalid compressed data for EAs\n";
22 # if (defined(WIN32) && defined(NTSD_EAS))
23@@ -2023,7 +2025,8 @@
24 ebID = makeword(ef);
25 ebLen = (unsigned)makeword(ef+EB_LEN);
26
27- if (ebLen > (ef_len - EB_HEADSIZE)) {
28+ if (ebLen > (ef_len - EB_HEADSIZE))
29+ {
30 /* Discovered some extra field inconsistency! */
31 if (uO.qflag)
32 Info(slide, 1, ((char *)slide, "%-22s ",
33@@ -2158,11 +2161,19 @@
34 }
35 break;
36 case EF_PKVMS:
37- if (makelong(ef+EB_HEADSIZE) !=
38+ if (ebLen < 4)
39+ {
40+ Info(slide, 1,
41+ ((char *)slide, LoadFarString(TooSmallEBlength),
42+ ebLen, 4));
43+ }
44+ else if (makelong(ef+EB_HEADSIZE) !=
45 crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
46 (extent)(ebLen-4)))
47+ {
48 Info(slide, 1, ((char *)slide,
49 LoadFarString(BadCRC_EAs)));
50+ }
51 break;
52 case EF_PKW32:
53 case EF_PKUNIX:
54
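Review bot: The new `ebLen < 4` guard on the EF_PKVMS branch carries no comment saying where the bound comes from, and the literal 4 is then repeated as the message argument and in the pre-existing `EB_HEADSIZE+4` / `ebLen-4` arithmetic on the lines that follow. Since `ebLen` is assigned with an `(unsigned)` cast in the -2023 hunk, a block shorter than 4 bytes makes `(extent)(ebLen-4)` wrap to a huge length handed to `crc32()`, which is the over-read this patch closes; a why-comment above the check such as `/* PKVMS block = 4-byte CRC32 + covered data; anything shorter would wrap ebLen-4 below */` keeps that reasoning with the code, and one named constant for the CRC field width used in all three places keeps them from drifting. Note too that the new branch only emits a diagnostic and then falls through to `break`, so the malformed block is skipped rather than reported as an error status; whether callers treat this like the InconsistEFlength path depends on code outside the hunk. The enclosing switch and its function begin and end outside this hunk.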