cvs commit: ports/archivers/cabextract Makefile distinfo

Gabor Kovesdan gabor at FreeBSD.org
Thu Jul 29 22:45:52 UTC 2010 

gabor       2010-07-29 22:45:51 UTC

  FreeBSD ports repository

  Modified files:
    archivers/cabextract Makefile distinfo 
  Log:
  Update to 1.3, which fixes two security bugs. Detailed description
  from the author follows.
  
  Bug 1: Infinite loop in MS-ZIP decoder [1]
  
  The MS-ZIP and Quantum decoders read bits in roughly the same way as the LZX
  decoder, however they don't have "inject two fake bytes" code.
  
  In the situation where read() provides zero bytes, e.g. at the end of file or
  end of a CAB block, the LZX decoder handles this by injecting two fake bytes,
  then returns an error on subsequent calls. MS-ZIP and Quantum instead return
  zero bytes without error. However, all three decoders are written to presume
  they will get at least one byte. So this could lead to an infinite loop in
  MS-ZIP and Quantum. An infinite loop has definitely been seen in MS-ZIP -
  there is a while loop in inflate() of an uncompressed block (block type 0)
  which won't end until enough input is provided.
  
  Partial solution: change "if (read < 0)" to "if (read <= 0)" in mszipd.c and
  qtmd.c.
  - http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=90
  
  However, this breaks compatibility with a number of MS-ZIP/Quantum encoded
  files. A full solution would be to implement the same bit-reading system as
  LZX. I've done this now, merging all the bit-reading and huffman-reading
  code into two new files; readbits.h and readhuff.h
  - http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=95
  
  There are several further changes made to integrate readbits.h and readhuff.h,
  I recommend you look at the latest version in the source repository.
  - http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/
  
  Bug 2: Segmentation fault in "cabextract -t"
  
  This bug may not affect you, depending on your implementation of
  mspack_system->write(). It does cause a segfault in cabextract's
  cabx_write() in "-t" (test archive) mode.
  
  In the Quantum decoder, when the window wrap is reached, all currently
  unwritten data is flushed to disk. Sometimes, less data is needed than
  is flushed, which makes the variable out_bytes negative.
  
  When the main decoding loop finishes, a final call to write() is made if
  out_bytes is not zero. In that situation, it calls mspack_system->write() with
  a negative byte count, e.g. -129 bytes. You should reject this. In
  cabextract's "-t" mode, this is not caught, but instead converted to an
  unsigned integer and passed to md5_process_bytes(), which tries to
  read e.g. 4294967167 bytes, causing it to read beyond the end of
  valid process space and thus segfault.
  
  Solution:
  - Break out to the end of the decoding loop immediately if the flush would be more than needed.
     http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/qtmd.c?r1=114&r2=113
  - Add checking of the "bytes" argument in mspack_system read() / write() implementations, just to be sure.
     http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=118
  
  Security:       SA40719 [1]
  
  Revision  Changes    Path
  1.20      +2 -1      ports/archivers/cabextract/Makefile
  1.12      +3 -3      ports/archivers/cabextract/distinfo

More information about the cvs-ports mailing list