Your message dated Sat, 13 Aug 2022 18:18:12 +0000
with message-id <[email protected]>
and subject line Bug#1010355: fixed in unzip 6.0-26+deb11u1
has caused the Debian Bug report #1010355,
regarding unzip: CVE-2022-0529 CVE-2022-0530
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1010355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <[email protected]>
Fixed: 6.0-26
Hello,
details are at https://security-tracker.debian.org/tracker/CVE-2022-0530
stretch and buster segfault:
$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [testcase-0530]: reported length of central directory is
-16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
error: zipfile probably corrupt (segmentation violation)
bullseye errors out without valgrind issues reported:
$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [testcase-0530]: reported length of central directory is
-16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥:
mismatching "local" filename
(mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
continuing with "central" filename version
skipping:
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥
unable to get password
The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.
I'm attaching a proposed patch that adds the missing error handling.
Enrico
-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unzip depends on:
ii libbz2-1.0 1.0.8-4
ii libc6 2.31-13+deb11u3
unzip recommends no packages.
Versions of packages unzip suggests:
ii zip 3.0-12
-- no debconf information
diff --git a/fileio.c b/fileio.c
index 6290824..77e4b5f 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type
error code */
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
+ if (fn == NULL)
+ return PK_ERR;
+
/* make sure filename is short enough */
if (strlen(fn) >= FILNAMSIZ) {
fn[FILNAMSIZ - 1] = '\0';
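Review bot: the new `if (fn == NULL) return PK_ERR;` sits directly in front of `if (strlen(fn) >= FILNAMSIZ)`, which is the first dereference, so it closes the crash path; but it is an early exit from the middle of a do_string() case, and the visible context shows G.unipath_filename being consumed on this path, so confirm that nothing allocated for that buffer (or anything else set up earlier in the same case) is skipped and leaked by returning here rather than falling through to the case's normal cleanup. Consider also emitting a diagnostic naming the entry before returning: in the report the rejected name surfaced only as the unrelated "unable to get password" message, which gives the user no hint that the filename was the problem.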
diff --git a/process.c b/process.c
index d2a846e..715bc0f 100644
--- a/process.c
+++ b/process.c
@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
int escape_all;
{
zwchar *wide = utf8_to_wide_string(utf8_string);
+ if (wide == NULL)
+ return NULL;
char *loc = wide_to_local_string(wide, escape_all);
free(wide);
return loc;
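Review bot: inserting `if (wide == NULL) return NULL;` between `zwchar *wide = ...;` and `char *loc = ...;` turns `loc` into a declaration after a statement; this function is written in pre-C99 style (the K&R-style `int escape_all;` parameter declaration two lines up), so a strict C89/C90 build rejects it and gcc with -Wdeclaration-after-statement warns. Suggest declaring `char *loc;` alongside `wide` at the top of the block and assigning `loc = wide_to_local_string(wide, escape_all);` after the check. Separately, `loc` is still returned unchecked, so if wide_to_local_string() can itself return NULL (for instance on allocation failure) this function still yields NULL; the caller-side check added in fileio.c covers do_string(), and any other caller of utf8_to_local_string() needs the same treatment.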
--- End Message ---
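The report above pins the crash on utf8_to_local_string() passing an unchecked NULL from utf8_to_wide_string() into wide_to_local_string(). The following is an added example written for this page, not unzip's code and not part of the bug report: a self-contained C model of that conversion chain in its fixed shape. Every name ending in _model, the PKM_OK/PKM_ERR codes, FILNAMSIZ_MODEL and the #Uxxxx / #Lxxxxxx escape form are this example's own stand-ins for unzip's utf8_to_wide_string(), wide_to_local_string(), utf8_to_local_string(), PK_ERR, FILNAMSIZ and its escaping. It goes beyond the single testcase in the report by rejecting every class of malformed UTF-8 a crafted central directory can carry (truncated sequence, stray continuation byte, overlong form, surrogate, value above U+10FFFF) and by showing the caller-side check turning the NULL into an error code for the entry instead of a dereference.

```c
/* Added example, not unzip's code. The _model functions, PKM_* codes, FILNAMSIZ_MODEL
 * and the #Uxxxx/#Lxxxxxx escape are stand-ins for unzip's utf8_to_wide_string,
 * wide_to_local_string, utf8_to_local_string, PK_ERR and FILNAMSIZ. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t zwchar_model;          /* one UCS-4 code point, like unzip's zwchar */
#define PKM_OK 0
#define PKM_ERR 2
#define FILNAMSIZ_MODEL 1025

/* Decode one UTF-8 sequence at s[*i]; return the code point and advance *i, or return -1
 * for a stray continuation or bad lead byte, a truncated sequence (the terminating NUL
 * fails the continuation test, so nothing is read past the string), an overlong form,
 * a UTF-16 surrogate, or a value above U+10FFFF. */
static long decode_one_model(const unsigned char *s, size_t *i)
{
    unsigned char b = s[*i];
    size_t need, k;
    long cp, min;
    if (b < 0x80) { (*i)++; return b; }
    if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; min = 0x80; }
    else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
    else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
    else return -1;
    for (k = 1; k <= need; k++) {
        if ((s[*i + k] & 0xC0) != 0x80) return -1;
        cp = (cp << 6) | (s[*i + k] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
    *i += need + 1;
    return cp;
}

/* Like utf8_to_wide_string(): malloc'ed 0-terminated wide string, or NULL for invalid
 * UTF-8 (or malloc failure). Entry names come straight from the archive, so NULL is an
 * expected result for crafted input, not a rarity. */
zwchar_model *utf8_to_wide_string_model(const char *utf8)
{
    const unsigned char *s = (const unsigned char *)utf8;
    size_t i = 0, n = 0;
    zwchar_model *wide = malloc((strlen(utf8) + 1) * sizeof *wide);  /* <= 1 code point/byte */
    if (wide == NULL) return NULL;
    while (s[i] != '\0') {
        long cp = decode_one_model(s, &i);
        if (cp < 0) { free(wide); return NULL; }
        wide[n++] = (zwchar_model)cp;
    }
    wide[n] = 0;
    return wide;
}

/* Like wide_to_local_string(): ASCII passes through, the rest is escaped as #Uxxxx (BMP)
 * or #Lxxxxxx. It dereferences `wide` unconditionally; feeding it the NULL from a failed
 * decode is the crash in the report. */
char *wide_to_local_string_model(const zwchar_model *wide)
{
    size_t cap = 1, i;
    char *loc, *p;
    for (i = 0; wide[i] != 0; i++) cap += wide[i] < 0x80 ? 1 : 9;
    if ((loc = malloc(cap)) == NULL) return NULL;
    for (i = 0, p = loc; wide[i] != 0; i++) {
        if (wide[i] < 0x80) *p++ = (char)wide[i];
        else p += sprintf(p, wide[i] <= 0xFFFF ? "#U%04lX" : "#L%06lX", (unsigned long)wide[i]);
    }
    *p = '\0';
    return loc;
}

/* utf8_to_local_string() with the fix: propagate NULL instead of passing it on
 * (the pre-fix body called wide_to_local_string_model(wide) unchecked). */
char *utf8_to_local_string_model(const char *utf8)
{
    zwchar_model *wide = utf8_to_wide_string_model(utf8);
    char *loc;
    if (wide == NULL) return NULL;
    loc = wide_to_local_string_model(wide);
    free(wide);
    return loc;
}

/* Caller side, as in the do_string() hunk: check before strlen(), fail the entry with an
 * error code, keep the FILNAMSIZ truncation. */
int local_entry_name_model(const char *utf8, char *out, size_t outsz)
{
    char *fn = utf8_to_local_string_model(utf8);
    if (fn == NULL) { out[0] = '\0'; return PKM_ERR; }
    if (strlen(fn) >= outsz) fn[outsz - 1] = '\0';
    strcpy(out, fn);
    free(fn);
    return PKM_OK;
}

int main(void)
{   /* constructed names: two valid, four malformed, as a crafted archive could carry */
    static const char *samples[] = { "plain.txt", "dir/\xE3\x89\xB4.txt", "trunc\xE3\x89",
                                     "stray\x80", "overlong\xC0\x80", "surrogate\xED\xA0\x80" };
    char name[FILNAMSIZ_MODEL];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = local_entry_name_model(samples[i], name, sizeof name);
        printf("rc=%d %s\n", rc, rc == PKM_OK ? name : "(entry rejected)");
    }
    return 0;
}
```

The decoder is deliberately strict: an overlong or surrogate encoding is as much a rejection as a truncated one, so the only way a name reaches the local-string stage is as well-formed UTF-8, and the only way the caller sees NULL is through the explicit check, never through a dereference.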
--- Begin Message ---
Source: unzip
Source-Version: 6.0-26+deb11u1
Done: Santiago Vila <[email protected]>
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 07 Aug 2022 01:45:00 +0200
Source: unzip
Architecture: source
Version: 6.0-26+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Closes: 1010355
Changes:
unzip (6.0-26+deb11u1) bullseye-security; urgency=medium
.
* Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
- Fix null pointer dereference on invalid UTF-8 input.
- Fix wide string conversion in process.c.
Closes: #1010355.
Checksums-Sha1:
561de8d8b7db2daf9ce360d9689e5d451f99b577 1383 unzip_6.0-26+deb11u1.dsc
acde56ac8e532a3b3cf22415ba84b5d8a20f13bc 24996 unzip_6.0-26+deb11u1.debian.tar.xz
33221eb735cb7b214e85c51000478b9fef11ed16 5509 unzip_6.0-26+deb11u1_source.buildinfo
Checksums-Sha256:
44f7e29339e16ea91cffc121927ca6a36ce89230fbb1c31c4526ac6cbaa0df8c 1383 unzip_6.0-26+deb11u1.dsc
7f15d1a95de7d8198348da54e56c6248863f84ad2a71c6302ddc9c1448639f00 24996 unzip_6.0-26+deb11u1.debian.tar.xz
cd0d087820a17c05f3bd635d41358a79987f78c0b281837a2d5e5c5a9c0b4560 5509 unzip_6.0-26+deb11u1_source.buildinfo
Files:
eebc91d07f521e9e78bd75f4c329bc62 1383 utils optional unzip_6.0-26+deb11u1.dsc
73d14ef2cf5e0360478f6b9502acfffa 24996 utils optional unzip_6.0-26+deb11u1.debian.tar.xz
1db6e4b7218b77a4827789ce82e98a54 5509 utils optional unzip_6.0-26+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAmLu/WwACgkQQc5/C58b
izIiYgf/YCvh8QGtsCajsMEcXbbXkBOo3PzbSooLvIgv/X9duLh2GWQoeaTCc9KN
iJMZ741W364da2fnfNqO3OtMOBFWoChZ1jhD+OewFgEMLf8yyEnA6tutAeN6Mn41
WGhNXaEBVnn3kHkPnGvsQ8hzhte/EeyramagqdXfOQhbUmgach3oxlQ48BuvuBeL
n5Pu2pafe04zmVWZn/+2tpmcuoWxNKDgyX7iHrkNGIWqM9ZZb40cFL4O2DnlDr7f
yNTISWk5z+6KpjPsdUqjORmf4EXNzbyGrJWRXhZGVVHmMKcf7USX8Bw3W1qiRS16
fGuPwPYr39Ygivzn6g4MaPF27tL7vg==
=KglM
-----END PGP SIGNATURE-----
--- End Message ---