mmahut authored and FRidh committed Jul 17, 2019
1 parent 0d83258 commit 0238946
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions pkgs/tools/archivers/unzip/default.nix
@@ -26,6 +26,11 @@ stdenv.mkDerivation {
./CVE-2016-9844.patch
./CVE-2018-18384.patch
./dont-hardcode-cc.patch
(fetchurl {
url = "https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c.patch";
name = "CVE-2019-13232.patch";
sha256 = "0iy2wcjyvzwrjk02iszwcpg85fkjxs1bvb9isvdiywszav4yjs32";
})
] ++ stdenv.lib.optional enableNLS
(fetchurl {
url = "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/unzip/files/unzip-6.0-natspec.patch?revision=1.1";
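Review bot: pinning a `sha256` on a GitHub-generated commit `.patch` fetched with `fetchurl` is fragile, because GitHub regenerates that file and its bytes (version trailer, context) can change without the fix itself changing, at which point the hash stops matching; nixpkgs' `fetchpatch` takes the same `url`, `name` and `sha256` attributes but normalises the patch before hashing and is the conventional wrapper for exactly this case (recompute the hash after switching). It would also help to note next to the new entry that the upstream change rejects archives with overlapping entries outright rather than warning, so any package whose source is such an archive will now fail at unpack time and should be checked in the same change.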

5 comments on commit 0238946

@edolstra
Member


Just a heads up that this breaks docbook5:

$ nix-build -A docbook5
these derivations will be built:
  /nix/store/waygiahid9c3sw8kb2xyz97fa2jk34zd-docbook5-5.0.drv
building '/nix/store/waygiahid9c3sw8kb2xyz97fa2jk34zd-docbook5-5.0.drv'...
unpacking sources
unpacking source archive /nix/store/46wv6aq82031264y9rjvrbh2321f3ng7-docbook-5.0.zip
error: invalid zip file with overlapped components (possible zip bomb)
do not know how to unpack source archive /nix/store/46wv6aq82031264y9rjvrbh2321f3ng7-docbook-5.0.zip
builder for '/nix/store/waygiahid9c3sw8kb2xyz97fa2jk34zd-docbook5-5.0.drv' failed with exit code 1
error: build of '/nix/store/waygiahid9c3sw8kb2xyz97fa2jk34zd-docbook5-5.0.drv' failed

@vcunat
Member

@vcunat vcunat commented on 0238946 Jul 20, 2019


There's another such problem discussed in the PR: #64909 (comment)

@mmahut
Member Author

@mmahut mmahut commented on 0238946 Jul 20, 2019


Thank you for reporting this! It appears that docbook-5.0.zip is also using overlapping files. Given this was released almost 10 years ago, I think it will not be easy to get upstream to rezip this file correctly.

@edolstra would it be acceptable to upgrade this package from 5.0 to 5.0.1 (I verified the 5.0.1 version is zipped correctly and unpacks without problem)?

$ unzip -q docbook-5.0.zip 
error: invalid zip file with overlapped components (possible zip bomb)
$ unzip -q docbook-5.0.1.zip 
$ 

5.0 to 5.0.1 changelog:

2018-05-16 00:00 kosek
	* upgraded to a standard Schematron namespace
	* raised version to 5.0.1

2008-02-06 14:01  nwalsh

	* spec/docbook.xml: Fix document draft status

2008-02-06 13:57  nwalsh

	* howto/howto.xml: Fixed pubdate

2008-02-06 13:53  nwalsh

	* spec/docbook.xml: Fixed pubdate
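To make the "overlapped components" condition in the unzip output above concrete, here is an added example (not code from nixpkgs, unzip or the docbook project) that recomputes the byte range each central directory record claims and reports pairs that overlap; it also builds a constructed two-entry archive whose second record is re-pointed at the first entry's local header, the shape the patched unzip refuses. The function names `entry_spans`, `overlapping_entries`, `make_zip` and `make_overlapping_zip` are chosen here, and the archives are constructed in memory.

```python
import io
import struct
import zipfile

LOCAL_HDR = 30    # fixed part of a local file header
CENTRAL_HDR = 46  # fixed part of a central directory record


def entry_spans(data: bytes):
    """[start, end) of each entry: its local header through its compressed data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset            # taken from the central directory
            sig, = struct.unpack_from("<I", data, off)
            if sig != 0x04034B50:
                raise ValueError(f"{info.filename}: no local header at offset {off}")
            name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
            end = off + LOCAL_HDR + name_len + extra_len + info.compress_size
            if info.flag_bits & 0x08:           # a data descriptor trails the data
                end += 16
            spans.append((off, end, info.filename))
    return spans


def overlapping_entries(data: bytes):
    """Name pairs whose byte ranges overlap: unzip's 'overlapped components' case."""
    spans = sorted(entry_spans(data))
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def make_zip(files):
    """Constructed sample archive: stored entries, no data descriptors."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in files:
            zf.writestr(name, body)
    return buf.getvalue()


def make_overlapping_zip():
    """Constructed fixture: record 2 re-pointed at record 1's local header."""
    data = bytearray(make_zip([("a.txt", b"A" * 40), ("b.txt", b"B" * 40)]))
    cd_off, = struct.unpack_from("<I", data, len(data) - 6)   # EOCD: central dir offset
    n, m, k = struct.unpack_from("<HHH", data, cd_off + 28)   # record 1 name/extra/comment lengths
    record2 = cd_off + CENTRAL_HDR + n + m + k
    first_local, = struct.unpack_from("<I", data, cd_off + 42)
    struct.pack_into("<I", data, record2 + 42, first_local)   # both records now claim the same bytes
    return bytes(data)
```

Running `overlapping_entries` on an archive before it enters a build is the same check the patched unzip applies, so a non-empty result predicts the unpack failure seen above.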

@vcunat
Member

@vcunat vcunat commented on 0238946 Jul 20, 2019


That certainly seems good for unstable, so I pushed it to staging-next as 5e9f1bb (the latest branch with this unzip patch).

@mmahut
Member Author

@mmahut mmahut commented on 0238946 Jul 20, 2019


Thank you @vcunat!
