rpms/unzip/devel unzip-5.52-cve-2008-0888.patch, NONE, 1.1 unzip.spec, 1.38, 1.39

Ivana Varekova (varekova) fedora-extras-commits at redhat.com
Wed Mar 19 13:58:55 UTC 2008


Author: varekova

Update of /cvs/pkgs/rpms/unzip/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18898

Modified Files:
	unzip.spec 
Added Files:
	unzip-5.52-cve-2008-0888.patch 
Log Message:
- fix crash (double free) on malformed zip archive
  CVE-2008-0888 (#431438)


unzip-5.52-cve-2008-0888.patch:

--- NEW FILE unzip-5.52-cve-2008-0888.patch ---
diff -up unzip-5.52/inflate.c.pom unzip-5.52/inflate.c
--- unzip-5.52/inflate.c.pom	2005-02-27 07:08:46.000000000 +0100
+++ unzip-5.52/inflate.c	2008-03-19 14:47:58.000000000 +0100
@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
   unsigned l;           /* last length */
   unsigned m;           /* mask for bit lengths table */
   unsigned n;           /* number of lengths to get */
+  struct huft *tlp;
   struct huft *tl;      /* literal/length code table */
   struct huft *td;      /* distance code table */
   unsigned bl;          /* lookup bits for tl */
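Review bot: The new `tlp` declaration is the only local in this block without a trailing comment, although its role is the crux of the fix. I would document it as `struct huft *tlp;     /* cursor into tl while decoding lengths; never freed */`. The `td = tlp = tl = (struct huft *)NULL;` initialisation in the next hunk deserves a one-line comment saying that `cleanup_and_exit` frees `tl` and `td`, so both must stay NULL until a table has actually been built. Without that, a later edit could reuse `td` as scratch again and reintroduce the bad free this patch addresses. The declaration list of inflate_dynamic continues outside the hunk.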
@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
   register unsigned k;  /* number of bits in bit buffer */
   int retval = 0;       /* error code returned: initialized to "no error" */
 
+  td = tlp = tl = (struct huft *)NULL;
 
   /* make local bit buffer */
   Trace((stderr, "\ndynamic block"));
@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
   while (i < n)
   {
     NEEDBITS(bl)
-    j = (td = tl + ((unsigned)b & m))->b;
+    j = (tlp = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
-    j = td->v.n;
+    j = tlp->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
     else if (j == 16)           /* repeat last length 3 to 6 times */
@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
 
 cleanup_and_exit:
   /* free the decoding tables, return */
-  huft_free(tl);
-  huft_free(td);
+  if (tl) huft_free(tl);
+  if (td) huft_free(td);
   return retval;
 }
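Review bot: The `if (tl)` / `if (td)` guards at `cleanup_and_exit` only help for pointers that are still NULL; they do nothing for a pointer that was already passed to `huft_free` and left dangling. The body of inflate_dynamic between the hunks is not shown, but `tl` appears to serve first as the bit-length table and later as the literal/length table, so it is presumably released mid-function. Each such intermediate release should be followed by a reset, e.g. `huft_free(tl); tl = (struct huft *)NULL;`, so that a later jump to this label cannot free the same table twice. It is also worth confirming that a failed table build leaves `tl`/`td` either NULL or pointing at an allocation that is safe to free here.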
 


Index: unzip.spec
===================================================================
RCS file: /cvs/pkgs/rpms/unzip/devel/unzip.spec,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- unzip.spec	8 Feb 2008 14:10:35 -0000	1.38
+++ unzip.spec	19 Mar 2008 13:58:17 -0000	1.39
@@ -1,7 +1,7 @@
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 5.52
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: BSD
 Group: Applications/Archiving
 Source: ftp://ftp.info-zip.org/pub/infozip/src/unzip552.tar.gz
@@ -17,6 +17,7 @@
 Patch12: unzip-5.52-4GB3.patch
 Patch13: unzip-5.52-4GB_types.patch
 Patch14: unzip-5.52-249057.patch
+Patch15: unzip-5.52-cve-2008-0888.patch
 URL: http://www.info-zip.org/pub/infozip/UnZip.html
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -45,6 +46,7 @@
 %patch12 -p1 -b .4GB3
 %patch13 -p1 -b .4BG4
 %patch14 -p1 -b .err
+%patch15 -p1 -b .cve-2008-0888
 ln -s unix/Makefile Makefile
 
 %build
@@ -65,6 +67,10 @@
 %{_mandir}/*/*
 
 %changelog
+* Wed Mar 19 2008 Ivana Varekova <varekova at redhat.com> - 5.52-9
+- fix crash (double free) on malformed zip archive
+  CVE-2008-0888 (#431438)
+
 * Fri Feb  8 2008 Ivana Varekova <varekova at redhat.com> - 5.52-8
 - fix output when out of space error appears
 



