Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <[email protected]>
Fixed: 6.0-26
Hello,
details are at https://security-tracker.debian.org/tracker/CVE-2022-0530
stretch and buster segfault:
$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [testcase-0530]: reported length of central directory is
-16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
error: zipfile probably corrupt (segmentation violation)
bullseye errors out without valgrind issues reported:
$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [testcase-0530]: reported length of central directory is
-16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥:
mismatching "local" filename
(mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
continuing with "central" filename version
skipping:
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥
unable to get password
The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.
I'm attaching a proposed patch that adds the missing error handling.
Enrico
-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unzip depends on:
ii libbz2-1.0 1.0.8-4
ii libc6 2.31-13+deb11u3
unzip recommends no packages.
Versions of packages unzip suggests:
ii zip 3.0-12
-- no debconf information
diff --git a/fileio.c b/fileio.c
index 6290824..77e4b5f 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type
error code */
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
+ if (fn == NULL)
+ return PK_ERR;
+
/* make sure filename is short enough */
if (strlen(fn) >= FILNAMSIZ) {
fn[FILNAMSIZ - 1] = '\0';
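Review bot: the early `return PK_ERR;` added after the `utf8_to_local_string()` call in do_string() silently abandons the whole string rather than falling back to the non-Unicode (central-directory) filename that the rest of unzip already carries; consider either emitting a warning via the usual Info() path before returning, or falling back to the existing filename buffer so a single malformed UTF-8 extra field does not make the entry unextractable. Also worth documenting in a comment why `fn` can now be NULL (the wide-string conversion failed), and confirming that nothing allocated earlier in this function is leaked by the new early exit.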
diff --git a/process.c b/process.c
index d2a846e..715bc0f 100644
--- a/process.c
+++ b/process.c
@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
int escape_all;
{
zwchar *wide = utf8_to_wide_string(utf8_string);
+ if (wide == NULL)
+ return NULL;
char *loc = wide_to_local_string(wide, escape_all);
free(wide);
return loc;
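Review bot: inserting `if (wide == NULL) return NULL;` between `zwchar *wide = ...` and `char *loc = ...` in utf8_to_local_string() turns `loc` into a declaration after a statement, which unzip's otherwise C89-style code base and a `-std=c89 -pedantic` build will warn about; move `char *loc;` up beside `wide` and assign it after the check. More importantly, this function now has a NULL return value it never had before, so every caller other than the do_string() site patched in fileio.c needs to be audited for an equivalent check, and the new contract should be stated in the function's comment block.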