Backport commit merged to develop branch from PR linked in NVD report:
* https://nvd.nist.gov/vuln/detail/CVE-2023-45853
* madler/zlib#843

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
1 parent 0547b60, commit 6e265e4
Showing 2 changed files with 43 additions and 0 deletions.
@@ -0,0 +1,42 @@ | ||
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001 | ||
From: Hans Wennborg <[email protected]> | ||
Date: Fri, 18 Aug 2023 11:05:33 +0200 | ||
Subject: [PATCH] Reject overflows of zip header fields in minizip. | ||
|
||
This checks the lengths of the file name, extra field, and comment | ||
that would be put in the zip headers, and rejects them if they are | ||
too long. They are each limited to 65535 bytes in length by the zip | ||
format. This also avoids possible buffer overflows if the provided | ||
fields are too long. | ||
|
||
CVE: CVE-2023-45853 | ||
Upstream-Status: Backport [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c] | ||
|
||
Signed-off-by: Peter Marko <[email protected]> | ||
|
||
--- | ||
contrib/minizip/zip.c | 11 +++++++++++ | ||
1 file changed, 11 insertions(+) | ||
|
||
diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c | ||
index 3d3d4cadd..0446109b2 100644 | ||
--- a/contrib/minizip/zip.c | ||
+++ b/contrib/minizip/zip.c | ||
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c | ||
return ZIP_PARAMERROR; | ||
#endif | ||
|
||
+ // The filename and comment length must fit in 16 bits. | ||
+ if ((filename!=NULL) && (strlen(filename)>0xffff)) | ||
+ return ZIP_PARAMERROR; | ||
+ if ((comment!=NULL) && (strlen(comment)>0xffff)) | ||
+ return ZIP_PARAMERROR; | ||
+ // The extra field length must fit in 16 bits. If the member also requires | ||
+ // a Zip64 extra block, that will also need to fit within that 16-bit | ||
+ // length, but that will be checked for later. | ||
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) | ||
+ return ZIP_PARAMERROR; | ||
+ | ||
zi = (zip64_internal*)file; | ||
|
||
if (zi->in_opened_file_inzip == 1) |
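Review bot: The comment above the `size_extrafield_local`/`size_extrafield_global` test says the Zip64 extra block "will be checked for later", but no such check is part of this hunk, so the 16-bit limit on the combined extra field rests on code this backport does not carry. Confirm that the target zip.c already rejects an extra field that passes the `>0xffff` test here and then exceeds 0xffff once the Zip64 block is appended, and name that location in the patch description if it exists. The `strlen(filename)` and `strlen(comment)` tests are NULL-guarded and return `ZIP_PARAMERROR` before `zi` is dereferenced, which is the right ordering.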