On Thu, Jun 30, 2022 at 02:16:55PM +0200, Santiago Vila wrote:
> Dear Steven and Mark:
> 
> I plan to apply the attached patches (from Enrico Zini) to fix CVE-2022-0529
> and CVE-2022-0530 in Debian unzip, but before doing so I would like to have
> some feedback from upstream (i.e. you) or either from the Security Team
> (also in CC).
> 
> Details about the bug here:
> 
> https://bugs.debian.org/1010355
> 
> The test cases triggering the bug are here:
> 
> https://github.com/ByteHackr/unzip_poc

Hi,
note that we need some additional clarification on what the scope of
CVE-2022-0529 and CVE-2022-0530 is. Both originated from Red Hat Bugzilla:

-----------------------------------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=2051395 is the public reference
for CVE-2022-0530 and this links to a private Red Hat bug

SIGSEGV during the conversion of an utf-8 string to a local string:
https://bugzilla.redhat.com/show_bug.cgi?id=2048569
-----------------------------------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=2051402 is the public reference
for CVE-2022-0529 and this links to a different private Red Hat bug:

Heap out-of-bound writes and reads during conversion of wide string to local string
https://bugzilla.redhat.com/show_bug.cgi?id=2048572
-----------------------------------------------------------------------

The description of the CVE-2022-0529 Red Hat bugzilla entry indicates there is
more than the two proposed patches fix; the two patches don't address any
OOB heap write.

I'm adding the Red Hat engineer who created the bugs to CC, Sandipan Roy.

@Sandipan, the unzip upstream authors are CCed to this mail to land fixes
for the unzip vulnerabilities you found. Would it be possible to open up
bz#2048572 and bz#2048569 with the full details of these security
vulnerabilities so that upstream can review/merge the patches and clarify
the status of CVE-2022-0529?

Cheers,
        Moritz

> Thanks.

> From: Enrico Zini <enr...@debian.org>
> Subject: Fix wide string conversion
> Bug-Debian: https://bugs.debian.org/1010355
> X-Debian-version: 6.0-27
> 
> --- a/process.c
> +++ b/process.c
> @@ -2507,13 +2507,15 @@
>    char buf[9];
>    char *buffer = NULL;
>    char *local_string = NULL;
> +  size_t buffer_size;
>  
>    for (wsize = 0; wide_string[wsize]; wsize++) ;
>  
>    if (max_bytes < MAX_ESCAPE_BYTES)
>      max_bytes = MAX_ESCAPE_BYTES;
>  
> -  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
> +  buffer_size = wsize * max_bytes + 1;
> +  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
>      return NULL;
>    }
>  
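Review bot: `buffer_size = wsize * max_bytes + 1` is computed with no overflow check, and the same value is later used as the bound for the escape-string clamp, so a wrapped product would both under-allocate and let the bound check pass; consider returning NULL when `wsize > (SIZE_MAX - 1) / max_bytes` before the malloc. A one-line comment saying that `buffer_size` records the allocation so the escape path can be bounded would also make the intent of the new variable clear.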
> @@ -2552,7 +2554,11 @@
>        /* no MB for this wide */
>          /* use escape for wide character */
>          char *escape_string = wide_to_escape_string(wide_string[i]);
> -        strcat(buffer, escape_string);
> +        size_t buffer_len = strlen(buffer);
> +        size_t escape_string_len = strlen(escape_string);
> +        if (buffer_len + escape_string_len + 1 > buffer_size)
> +          escape_string_len = buffer_size - buffer_len - 1;
> +        strncat(buffer, escape_string, escape_string_len);
>          free(escape_string);
>      }
>    }
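Review bot: the clamp `escape_string_len = buffer_size - buffer_len - 1` silently cuts an escape sequence in the middle once the buffer is full, so the local filename can end in a partial escape rather than the intended character; at minimum a comment should state that truncation is deliberate, or the truncation should be reported to the caller. The clamp also treats the symptom: the buffer is sized as `wsize * max_bytes + 1` with `max_bytes` raised to `MAX_ESCAPE_BYTES`, so if this branch can ever trigger, the string from `wide_to_escape_string()` exceeds `MAX_ESCAPE_BYTES` and the sizing constant is what needs fixing. Minor: `strlen(escape_string)` is now called directly, so a NULL return from `wide_to_escape_string()` on allocation failure would still crash here; a NULL check before the strlen is cheap.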

> From: Enrico Zini <enr...@debian.org>
> Subject: Fix null pointer dereference on invalid UTF-8 input
> Bug-Debian: https://bugs.debian.org/1010355
> X-Debian-version: 6.0-27
> 
> --- a/fileio.c
> +++ b/fileio.c
> @@ -2361,6 +2361,9 @@
>                    /* convert UTF-8 to local character set */
>                    fn = utf8_to_local_string(G.unipath_filename,
>                                              G.unicode_escape_all);
> +                  if (fn == NULL)
> +                    return PK_ERR;
> +
>                    /* make sure filename is short enough */
>                    if (strlen(fn) >= FILNAMSIZ) {
>                      fn[FILNAMSIZ - 1] = '\0';
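Review bot: `return PK_ERR` on a NULL `fn` is a silent failure; a diagnostic naming the entry whose UTF-8 path could not be converted would tell the user why extraction stopped, and the early return should be checked against the rest of this function to confirm nothing allocated earlier on this path is leaked (the hunk shows only that `G.unipath_filename` was consumed). A comment noting that NULL means invalid UTF-8 input, as the patch subject says, would help the next reader.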
> --- a/process.c
> +++ b/process.c
> @@ -2611,6 +2611,8 @@
>    int escape_all;
>  {
>    zwchar *wide = utf8_to_wide_string(utf8_string);
> +  if (wide == NULL)
> +    return NULL;
>    char *loc = wide_to_local_string(wide, escape_all);
>    free(wide);
>    return loc;
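Review bot: the added `if (wide == NULL) return NULL;` sits before the declaration `char *loc = ...`, which turns it into a declaration after a statement and is not valid C89; since this file still uses old-style parameter declarations (`int escape_all;` above the brace), keep the declarations at the top: declare `zwchar *wide;` and `char *loc;` first, then assign and check. The check itself is right, as `wide_to_local_string()` was otherwise handed NULL on invalid UTF-8, which matches the SIGSEGV in bz#2048569 referenced above.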
