Dear Steven and Mark:I plan to apply the attached patches (from Enrico Zini) to fix CVE-2022-0529 and CVE-2022-0530 in Debian unzip, but before doing so I would like to have some feedback from upstream (i.e. you) or either from the Security Team (also in CC).
Details about the bug here: https://bugs.debian.org/1010355 The test cases triggering the bug are here: https://github.com/ByteHackr/unzip_poc Thanks.
From: Enrico Zini <enr...@debian.org> Subject: Fix wide string conversion Bug-Debian: https://bugs.debian.org/1010355 X-Debian-version: 6.0-27 --- a/process.c +++ b/process.c @@ -2507,13 +2507,15 @@ char buf[9]; char *buffer = NULL; char *local_string = NULL; + size_t buffer_size; for (wsize = 0; wide_string[wsize]; wsize++) ; if (max_bytes < MAX_ESCAPE_BYTES) max_bytes = MAX_ESCAPE_BYTES; - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { + buffer_size = wsize * max_bytes + 1; + if ((buffer = (char *)malloc(buffer_size)) == NULL) { return NULL; } @@ -2552,7 +2554,11 @@ /* no MB for this wide */ /* use escape for wide character */ char *escape_string = wide_to_escape_string(wide_string[i]); - strcat(buffer, escape_string); + size_t buffer_len = strlen(buffer); + size_t escape_string_len = strlen(escape_string); + if (buffer_len + escape_string_len + 1 > buffer_size) + escape_string_len = buffer_size - buffer_len - 1; + strncat(buffer, escape_string, escape_string_len); free(escape_string); } }
From: Enrico Zini <enr...@debian.org> Subject: Fix null pointer dereference on invalid UTF-8 input Bug-Debian: https://bugs.debian.org/1010355 X-Debian-version: 6.0-27 --- a/fileio.c +++ b/fileio.c @@ -2361,6 +2361,9 @@ /* convert UTF-8 to local character set */ fn = utf8_to_local_string(G.unipath_filename, G.unicode_escape_all); + if (fn == NULL) + return PK_ERR; + /* make sure filename is short enough */ if (strlen(fn) >= FILNAMSIZ) { fn[FILNAMSIZ - 1] = '\0'; --- a/process.c +++ b/process.c @@ -2611,6 +2611,8 @@ int escape_all; { zwchar *wide = utf8_to_wide_string(utf8_string); + if (wide == NULL) + return NULL; char *loc = wide_to_local_string(wide, escape_all); free(wide); return loc;