Date: Wednesday, February 16, 2022 @ 17:08:57 Author: diabonas Revision: 437501
upgpkg: unzip 6.0-16: fix NULL pointer dereference (CVE-2021-4217, FS#73542)

See https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 for a bug report including a reproducer and a proposed patch. The first part of the patch is already covered by "unzip-6.0-valgrind.patch", so apply only the changes to process.c directly related to CVE-2021-4217. After applying the patch, the reproducer does not crash unzip any more.

Added:
unzip/trunk/unzip-6.0_CVE-2021-4217.patch
Modified:
unzip/trunk/PKGBUILD

-------------------------------+
PKGBUILD | 6 ++++--
unzip-6.0_CVE-2021-4217.patch | 19 +++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-02-16 16:34:04 UTC (rev 437500)
+++ PKGBUILD 2022-02-16 17:08:57 UTC (rev 437501)
@@ -40,7 +40,7 @@
 'https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch'
 'https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch'
 'https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch'
- )
+ 'unzip-6.0_CVE-2021-4217.patch')
 sha512sums=('0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d'
 '3c7f525687b198aaa8547a8b30e744f7f184943624279d5c70170d5b9bb3f0c0f27f3e69bc808dd0d144690107bc76a10c06e160bf99c54fd5684246208b7cff'
 '8423e32bbc1e1fe9366118bd10795bb8307f5a9a1afba1f0f62e46443d198b7f3cfcc41dedf57f31830f4c7328c9f5ae573982ca8664822b5f2a2ecdbc389df9'
@@ -68,7 +68,8 @@
 'f31b0b70025651397235ee7d759c04f0f4658908287c82d1253a2048ace170f05f67fa19930061fe2b7ac48a8b6989a95117ab93ac0081422dad9203ac9f8ec1'
 '27d45a25a6a51415af609a4fdefcb7c95a1105d511a6e18e2a7464e9d3773ba2ccb25f138a3cc6ddc6e5e9c558b633ee60d273cebf562c2a7d1e99d3f229d1ba'
 '48875d7e08d669637e26a7e800f8b2a3812d477e6f249c8d4962fdf93ba6d346f5b22b83d82cb65317b506dff84c441d42c0fe7d1c042a065619d39bdf25fdd0'
- 'a788d57fe0fb9ae6106381d2a8fe566aa35bb037012139dc7c283fe5eb316056835dffa9ea9778c15a5b39e50a75329a135a0dffdfc6a53d575ef2013b1d478a')
+ 'a788d57fe0fb9ae6106381d2a8fe566aa35bb037012139dc7c283fe5eb316056835dffa9ea9778c15a5b39e50a75329a135a0dffdfc6a53d575ef2013b1d478a'
+ 'fc1f4246b6974c3c554aed1127f512f0b2ac8fa13aff7c3b54877411e15856522e35633c45b2326d96b5094a9106d697a0883c1879af2c616d9dd51180b6887b')
 prepare() {
 cd "${srcdir}/${pkgname}${_pkgver}"
@@ -100,6 +101,7 @@
 patch -p1 -i ../unzip-zipbomb-part4.patch
 patch -p1 -i ../unzip-zipbomb-part5.patch
 patch -p1 -i ../unzip-zipbomb-part6.patch
+ patch -p1 -i ../unzip-6.0_CVE-2021-4217.patch # FS#73542
 }
 build() {

Added: unzip-6.0_CVE-2021-4217.patch
===================================================================
--- unzip-6.0_CVE-2021-4217.patch (rev 0)
+++ unzip-6.0_CVE-2021-4217.patch 2022-02-16 17:08:57 UTC (rev 437501)
@@ -0,0 +1,19 @@
+diff --git a/process.c b/process.c
+index d2a846e..cba2463 100644
+--- a/process.c
++++ b/process.c
+@@ -2064,10 +2064,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+ G.unipath_checksum = makelong(offset + ef_buf);
+ offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+ /*
+ * Compute 32-bit crc
+ */
+-
+ chksum = crc32(chksum, (uch *)(G.filename_full),
+ strlen(G.filename_full));
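Review bot: The embedded process.c hunk is one line short of what its header promises: `@@ -2064,10 +2064,14 @@` declares 10 old / 14 new lines, but the 19 lines the patch file contains (matching the outer `+1,19` header and the diffstat) yield only 9 old-side and 13 new-side lines, so the trailing context line is missing. GNU patch is generally lenient about a short final hunk, and the commit message says the reproducer no longer crashes, but I would still regenerate the file or correct the counts to `@@ -2064,9 +2064,13 @@` so the build does not rely on that leniency. The `if (!G.filename_full)` guard itself sits in the right place, ahead of the `crc32(..., (uch *)(G.filename_full), strlen(G.filename_full))` call that dereferenced the NULL filename; I would make the comment say why an error return is chosen, e.g. `/* Unicode extra field seen before any filename was set: treat the entry as malformed and fail (CVE-2021-4217) */`. getUnicodeData's body continues before and after the hunk.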
