rpms/unzip/devel unzip-5.52-cve-2008-0888.patch, NONE, 1.1 unzip.spec, 1.38, 1.39
Ivana Varekova (varekova)
fedora-extras-commits at redhat.com
Wed Mar 19 13:58:55 UTC 2008
Author: varekova
Update of /cvs/pkgs/rpms/unzip/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18898
Modified Files:
unzip.spec
Added Files:
unzip-5.52-cve-2008-0888.patch
Log Message:
- fix crash (double free) on malformed zip archive
CVE-2008-0888 (#431438)
unzip-5.52-cve-2008-0888.patch:
--- NEW FILE unzip-5.52-cve-2008-0888.patch ---
diff -up unzip-5.52/inflate.c.pom unzip-5.52/inflate.c
--- unzip-5.52/inflate.c.pom 2005-02-27 07:08:46.000000000 +0100
+++ unzip-5.52/inflate.c 2008-03-19 14:47:58.000000000 +0100
@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
unsigned l; /* last length */
unsigned m; /* mask for bit lengths table */
unsigned n; /* number of lengths to get */
+ struct huft *tlp;
struct huft *tl; /* literal/length code table */
struct huft *td; /* distance code table */
unsigned bl; /* lookup bits for tl */
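Review bot: The new `tlp` declaration is the only one in this list without a comment, and its role is the core of the fix: it is a scratch pointer into the `tl` table that must never reach `huft_free`. I would write it as `struct huft *tlp; /* scratch pointer into tl while reading bit lengths; never freed */` so a later edit does not fold it back into `td`. The body of inflate_dynamic starts before and continues after this hunk.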
@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
register unsigned k; /* number of bits in bit buffer */
int retval = 0; /* error code returned: initialized to "no error" */
+ td = tlp = tl = (struct huft *)NULL;
/* make local bit buffer */
Trace((stderr, "\ndynamic block"));
@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
while (i < n)
{
NEEDBITS(bl)
- j = (td = tl + ((unsigned)b & m))->b;
+ j = (tlp = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
- j = td->v.n;
+ j = tlp->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
else if (j == 16) /* repeat last length 3 to 6 times */
@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
cleanup_and_exit:
/* free the decoding tables, return */
- huft_free(tl);
- huft_free(td);
+ if (tl) huft_free(tl);
+ if (td) huft_free(td);
return retval;
}
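Review bot: The `if (tl)` / `if (td)` guards at `cleanup_and_exit` only help if each pointer is NULL whenever it no longer owns a table, and the code between the hunks is not visible here. If `tl` is released earlier in the function (presumably the bit-length table is freed before the literal/length table is built) and a later error path jumps to this label, `tl` would still hold the stale address and be freed a second time. Resetting it at the point of that earlier release, `huft_free(tl); tl = (struct huft *)NULL;`, would close that path. This should be confirmed against the full function, since only the label and the two frees are shown.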
Index: unzip.spec
===================================================================
RCS file: /cvs/pkgs/rpms/unzip/devel/unzip.spec,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- unzip.spec 8 Feb 2008 14:10:35 -0000 1.38
+++ unzip.spec 19 Mar 2008 13:58:17 -0000 1.39
@@ -1,7 +1,7 @@
Summary: A utility for unpacking zip files
Name: unzip
Version: 5.52
-Release: 8%{?dist}
+Release: 9%{?dist}
License: BSD
Group: Applications/Archiving
Source: ftp://ftp.info-zip.org/pub/infozip/src/unzip552.tar.gz
@@ -17,6 +17,7 @@
Patch12: unzip-5.52-4GB3.patch
Patch13: unzip-5.52-4GB_types.patch
Patch14: unzip-5.52-249057.patch
+Patch15: unzip-5.52-cve-2008-0888.patch
URL: http://www.info-zip.org/pub/infozip/UnZip.html
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -45,6 +46,7 @@
%patch12 -p1 -b .4GB3
%patch13 -p1 -b .4BG4
%patch14 -p1 -b .err
+%patch15 -p1 -b .cve-2008-0888
ln -s unix/Makefile Makefile
%build
@@ -65,6 +67,10 @@
%{_mandir}/*/*
%changelog
+* Wed Mar 19 2008 Ivana Varekova <varekova at redhat.com> - 5.52-9
+- fix crash (double free) on malformed zip archive
+ CVE-2008-0888 (#431438)
+
* Fri Feb 8 2008 Ivana Varekova <varekova at redhat.com> - 5.52-8
- fix output when out of space error appears