| blob | 8059a152b0053c773cdd5f81a6b788eeaf793ecf |
1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
2 # T2 SDE: package/*/unzip/CVE-2014-9913.patch
3 # Copyright (C) 2021 The T2 SDE Project
4 #
5 # This Copyright note is generated by scripts/Create-CopyPatch,
6 # more information can be found in the files COPYING and README.
7 #
8 # This patch file is dual-licensed. It is available under the license the
9 # patched project is licensed under, as long as it is an OpenSource license
10 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
11 # of the GNU General Public License version 2 as used by the T2 SDE.
12 # --- T2-COPYRIGHT-NOTE-END ---
14 From: "Steven M. Schweda" <sms@antinode.info>
15 Subject: Fix CVE-2014-9913, buffer overflow in unzip
16 Bug: https://sourceforge.net/p/infozip/bugs/27/
17 Bug-Debian: https://bugs.debian.org/847485
18 Bug-Ubuntu: https://launchpad.net/bugs/387350
19 X-Debian-version: 6.0-21
21 --- a/list.c
22 +++ b/list.c
23 @@ -339,7 +339,18 @@
24 G.crec.compression_method == ENHDEFLATED) {
25 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
26 } else if (methnum >= NUM_METHODS) {
27 - sprintf(&methbuf[4], "%03u", G.crec.compression_method);
28 + /* 2013-02-26 SMS.
29 + * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
30 + * Unexpectedly large compression methods overflow
31 + * &methbuf[]. Use the old, three-digit decimal format
32 + * for values which fit. Otherwise, sacrifice the
33 + * colon, and use four-digit hexadecimal.
34 + */
35 + if (G.crec.compression_method <= 999) {
36 + sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
37 + } else {
38 + sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
39 + }
40 }
42 #if 0 /* GRR/Euro: add this? */