Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-06-30 Thread Moritz Mühlenhoff
On Thu, Jun 30, 2022 at 02:16:55PM +0200, Santiago Vila wrote:
> Dear Steven and Mark:
> 
> I plan to apply the attached patches (from Enrico Zini) to fix CVE-2022-0529
> and CVE-2022-0530 in Debian unzip, but before doing so I would like to have
> some feedback from upstream (i.e. you) or either from the Security Team
> (also in CC).
> 
> Details about the bug here:
> 
> https://bugs.debian.org/1010355
> 
> The test cases triggering the bug are here:
> 
> https://github.com/ByteHackr/unzip_poc

Hi,
note that we need some additional clarification on what the scope of
CVE-2022-0529 and CVE-2022-0530 is. Both originated from Red Hat Bugzilla:

---
https://bugzilla.redhat.com/show_bug.cgi?id=2051395 is the public reference
for CVE-2022-0530 and this links to a private Red Hat bug

SIGSEGV during the conversion of an utf-8 string to a local string:
https://bugzilla.redhat.com/show_bug.cgi?id=2048569
---
https://bugzilla.redhat.com/show_bug.cgi?id=2051402 is the public reference
for CVE-2022-0529 and this links to a different private Red Hat bug:

Heap out-of-bound writes and reads during conversion of wide string to local string
https://bugzilla.redhat.com/show_bug.cgi?id=2048572
---

The description of the CVE-2022-0529 Red Hat bugzilla entry indicates there is
more than what the two proposed patches fix: the two patches don't address any
OOB heap write.

I'm adding the Red Hat engineer who created the bugs to CC, Sandipan Roy.

@Sandipan, the unzip upstream authors are CCed to this mail to land fixes
for the unzip vulnerabilities you found. Would it be possible to open up
bz#2048572 and bz#2048569 with the full details of these security
vulnerabilities so that upstream can review/merge the patches and clarify
the status of CVE-2022-0529?

Cheers,
Moritz

> Thanks.

> From: Enrico Zini 
> Subject: Fix wide string conversion
> Bug-Debian: https://bugs.debian.org/1010355
> X-Debian-version: 6.0-27
> 
> --- a/process.c
> +++ b/process.c
> @@ -2507,13 +2507,15 @@
>char buf[9];
>char *buffer = NULL;
>char *local_string = NULL;
> +  size_t buffer_size;
>  
>for (wsize = 0; wide_string[wsize]; wsize++) ;
>  
>if (max_bytes < MAX_ESCAPE_BYTES)
>  max_bytes = MAX_ESCAPE_BYTES;
>  
> -  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
> +  buffer_size = wsize * max_bytes + 1;
> +  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
>  return NULL;
>}
>  
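Review bot: buffer_size = wsize * max_bytes + 1 only names the product the old malloc() call already computed; the declarations of wsize and max_bytes are not in this hunk, and if they are narrower than size_t the multiplication wraps before the result is widened into buffer_size, so the later length check would be measuring against an allocation whose size was already computed wrong. Suggest `buffer_size = (size_t)wsize * max_bytes + 1;` together with a check that wsize does not exceed SIZE_MAX / max_bytes, returning NULL when it does.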
> @@ -2552,7 +2554,11 @@
>/* no MB for this wide */
>  /* use escape for wide character */
>  char *escape_string = wide_to_escape_string(wide_string[i]);
> -strcat(buffer, escape_string);
> +size_t buffer_len = strlen(buffer);
> +size_t escape_string_len = strlen(escape_string);
> +if (buffer_len + escape_string_len + 1 > buffer_size)
> +  escape_string_len = buffer_size - buffer_len - 1;
> +strncat(buffer, escape_string, escape_string_len);
>  free(escape_string);
>  }
>}
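Review bot: the arithmetic is right for strncat() (buffer_len + escape_string_len + 1 never exceeds buffer_size), but when the condition fires the escape sequence is cut short and a partial escape ends up in the returned filename with no indication to the caller; since buffer was sized so that every wide character fits even as an escape, reaching this branch means the sizing is wrong, so freeing buffer and returning NULL is safer than silently truncating. Separately, escape_string is passed to strlen() without a NULL check although it is heap-allocated (it is freed two lines later), which is the same missing check that the second patch adds for utf8_to_wide_string().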

> From: Enrico Zini 
> Subject: Fix null pointer dereference on invalid UTF-8 input
> Bug-Debian: https://bugs.debian.org/1010355
> X-Debian-version: 6.0-27
> 
> --- a/fileio.c
> +++ b/fileio.c
> @@ -2361,6 +2361,9 @@
>/* convert UTF-8 to local character set */
>fn = utf8_to_local_string(G.unipath_filename,
>  G.unicode_escape_all);
> +  if (fn == NULL)
> +return PK_ERR;
> +
>/* make sure filename is short enough */
>if (strlen(fn) >= FILNAMSIZ) {
>  fn[FILNAMSIZ - 1] = '\0';
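Review bot: the early return is correct but silent; the bullseye output in the bug report shows unzip printing a diagnostic for the mismatching "local" filename case, so a message naming the entry whose name could not be converted would tell the user why it was skipped instead of leaving a bare error code. Please also confirm that nothing allocated earlier in do_string() is still owned at this point: the hunk shows no cleanup on the new return path, which is only correct if there is none pending.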
> --- a/process.c
> +++ b/process.c
> @@ -2611,6 +2611,8 @@
>int escape_all;
>  {
>zwchar *wide = utf8_to_wide_string(utf8_string);
> +  if (wide == NULL)
> +return NULL;
>char *loc = wide_to_local_string(wide, escape_all);
>free(wide);
>return loc;
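Review bot: inserting the if before `char *loc = ...` turns that line into a declaration after a statement, which strict C89 compilers reject; the K&R-style parameter list (`int escape_all;` before the opening brace) suggests this file still targets such compilers, so declare loc together with wide and assign it after the check. Also note that wide_to_local_string() itself returns NULL when its malloc() fails (visible in the first patch), so utf8_to_local_string() could already return NULL before this change, and every caller, not just the do_string() site patched in fileio.c, needs to check for it.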


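The patches quoted above size the output buffer as wsize * max_bytes + 1, fall back to an escape sequence when a wide character has no multibyte form, and make utf8_to_local_string() propagate a failed conversion as NULL. As an added example (not from this thread or from the unzip sources), here is a stand-alone bounded conversion written the way I would harden that path; it assumes the C locale of the LANG=C reproduction (only ASCII representable), MAX_ESCAPE_BYTES = 8, the "#Uxxxx"/"#Lxxxxxx" escape format, and the hypothetical names wide_to_local_bounded() and local_name_or_error().

```c
/* Added example, not unzip's code: a bounded wide-to-local conversion in the
 * spirit of the patched wide_to_local_string(), modelling the C locale (as in
 * the LANG=C reproduction) where only ASCII is representable. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ESCAPE_BYTES 8   /* "#Lxxxxxx" is the longest escape; value assumed */
typedef uint32_t zwchar;     /* stands in for unzip's zwchar */
/* unzip-style escape for one code point ("#Uxxxx" in the BMP, "#Lxxxxxx"
 * above it; format assumed). Returns bytes written, excluding the NUL. */
static int escape_wide(zwchar wc, char out[MAX_ESCAPE_BYTES + 1])
{
    if (wc <= 0xFFFF)
        return snprintf(out, MAX_ESCAPE_BYTES + 1, "#U%04X", (unsigned)wc);
    return snprintf(out, MAX_ESCAPE_BYTES + 1, "#L%06X", (unsigned)wc);
}

/* Convert a NUL-terminated wide string to a malloc'd local string.
 * Returns NULL on any failure and never a truncated name. */
char *wide_to_local_bounded(const zwchar *wide)
{
    size_t wsize, i, used = 0, buffer_size;
    char *buffer;
    for (wsize = 0; wide[wsize]; wsize++) ;
    /* Same sizing as the patch, but refuse a product that would wrap. */
    if (wsize > (SIZE_MAX - 1) / MAX_ESCAPE_BYTES)
        return NULL;
    buffer_size = wsize * MAX_ESCAPE_BYTES + 1;
    if ((buffer = malloc(buffer_size)) == NULL)
        return NULL;

    for (i = 0; i < wsize; i++) {
        char esc[MAX_ESCAPE_BYTES + 1];
        int n = 1;
        if (wide[i] < 0x80)              /* representable in the C locale */
            esc[0] = (char)wide[i];
        else
            n = escape_wide(wide[i], esc);
        /* An escape longer than budgeted, or no room left, means the sizing
         * above is wrong: fail rather than write past the end. */
        if (n < 0 || n > MAX_ESCAPE_BYTES || used + (size_t)n + 1 > buffer_size) {
            free(buffer);
            return NULL;
        }
        memcpy(buffer + used, esc, (size_t)n);
        used += (size_t)n;
    }
    buffer[used] = '\0';
    return buffer;
}

/* Mirrors the second patch: treat NULL as an error (-1 for PK_ERR), not a name. */
int local_name_or_error(const zwchar *wide, char **out)
{
    *out = wide_to_local_bounded(wide);
    return *out == NULL ? -1 : 0;
}
```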

Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-06-30 Thread Santiago Vila

Dear Steven and Mark:

I plan to apply the attached patches (from Enrico Zini) to fix 
CVE-2022-0529 and CVE-2022-0530 in Debian unzip, but before doing so I 
would like to have some feedback from upstream (i.e. you) or either from 
the Security Team (also in CC).


Details about the bug here:

https://bugs.debian.org/1010355

The test cases triggering the bug are here:

https://github.com/ByteHackr/unzip_poc

Thanks.

From: Enrico Zini 
Subject: Fix wide string conversion
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27

--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@
   char buf[9];
   char *buffer = NULL;
   char *local_string = NULL;
+  size_t buffer_size;
 
   for (wsize = 0; wide_string[wsize]; wsize++) ;
 
   if (max_bytes < MAX_ESCAPE_BYTES)
 max_bytes = MAX_ESCAPE_BYTES;
 
-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
 return NULL;
   }
 
@@ -2552,7 +2554,11 @@
   /* no MB for this wide */
 /* use escape for wide character */
 char *escape_string = wide_to_escape_string(wide_string[i]);
-strcat(buffer, escape_string);
+size_t buffer_len = strlen(buffer);
+size_t escape_string_len = strlen(escape_string);
+if (buffer_len + escape_string_len + 1 > buffer_size)
+  escape_string_len = buffer_size - buffer_len - 1;
+strncat(buffer, escape_string, escape_string_len);
 free(escape_string);
 }
   }

From: Enrico Zini 
Subject: Fix null pointer dereference on invalid UTF-8 input
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27

--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@
   /* convert UTF-8 to local character set */
   fn = utf8_to_local_string(G.unipath_filename,
 G.unicode_escape_all);
+  if (fn == NULL)
+return PK_ERR;
+
   /* make sure filename is short enough */
   if (strlen(fn) >= FILNAMSIZ) {
 fn[FILNAMSIZ - 1] = '\0';
--- a/process.c
+++ b/process.c
@@ -2611,6 +2611,8 @@
   int escape_all;
 {
   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+return NULL;
   char *loc = wide_to_local_string(wide, escape_all);
   free(wide);
   return loc;


Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-06-15 Thread Enrico Zini
On Tue, Jun 14, 2022 at 07:06:37PM +0200, Santiago Vila wrote:

> But the github repository containing the test cases, namely this:
> https://github.com/ByteHackr/unzip_poc
> contains a test case for yet another problem called CVE-2022-0529
> which I would like to fix as well.

Hello Steven and Santiago,

I'm attaching a proposed patch to fix CVE-2022-0529.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 
diff --git a/process.c b/process.c
index d2a846e..99b9c7b 100644
--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
   char buf[9];
   char *buffer = NULL;
   char *local_string = NULL;
+  size_t buffer_size;
 
   for (wsize = 0; wide_string[wsize]; wsize++) ;
 
   if (max_bytes < MAX_ESCAPE_BYTES)
 max_bytes = MAX_ESCAPE_BYTES;
 
-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
 return NULL;
   }
 
@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
   /* no MB for this wide */
 /* use escape for wide character */
 char *escape_string = wide_to_escape_string(wide_string[i]);
-strcat(buffer, escape_string);
+size_t buffer_len = strlen(buffer);
+size_t escape_string_len = strlen(escape_string);
+if (buffer_len + escape_string_len + 1 > buffer_size)
+  escape_string_len = buffer_size - buffer_len - 1;
+strncat(buffer, escape_string, escape_string_len);
 free(escape_string);
 }
   }


signature.asc
Description: PGP signature


Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-06-14 Thread Santiago Vila

Hello.

I received this from the Debian bug system.

There are actually two problems here. One of them is CVE-2022-0530
which is what the reported bug is about. For that I have the proposed 
patch by Enrico Zini which seems to fix the issue.


But the github repository containing the test cases, namely this:

https://github.com/ByteHackr/unzip_poc

contains a test case for yet another problem called CVE-2022-0529
which I would like to fix as well.

This is what I've done to reproduce the bug:

export LC_ALL=C
cd CVE-2022-0529
unzip testcase

and I get this:

Archive:  testcase
warning [testcase]:  303 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [testcase]:  reported length of central directory is
  -303 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
double free or corruption (out)

Any help will be appreciated.

Thanks.

 Forwarded Message 
Subject: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid 
UTF-8 input

Date: Fri, 29 Apr 2022 13:27:33 +0200
From: Enrico Zini 
Reply-To: Enrico Zini , 1010...@bugs.debian.org
To: Debian Bug Tracking System 




Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-04-30 Thread Santiago Vila

Hello Stephen.

Can you take a look at this? The Debian version of procmail in unstable 
has a patch for this which I took from git, and I was planning to just 
apply it to bullseye and buster, but apparently it's not enough to fix 
the issue.


Thanks.

 Forwarded Message 
Subject: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

Resent-Date: Fri, 29 Apr 2022 11:39:02 +
Resent-From: Enrico Zini 
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: t...@security.debian.org, Santiago Vila 
Date: Fri, 29 Apr 2022 13:27:33 +0200
From: Enrico Zini 
Reply-To: Enrico Zini , 1010...@bugs.debian.org
To: Debian Bug Tracking System 




Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-04-29 Thread Enrico Zini
notfixed 6.0-26

Correction: the issue also affects 6.0-26, but is only reproducible
after export LANG=C


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 



Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-04-29 Thread Santiago Vila

On 29/4/22 at 13:27, Enrico Zini wrote:

Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team 


Thanks for the report. I would have preferred to reopen the already 
existing one, but nevermind (I asked security team a few weeks ago if 
there was already a CVE for this but got no reply).


I'll make uploads for stretch and bullseye.

Thanks.



Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input

2022-04-29 Thread Enrico Zini
Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team 

Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

  $ unzip testcase-0530 
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
(attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
-16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
zipfile?).  Compensating...
  error:  zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

  $ unzip testcase-0530
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
(attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
-16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
zipfile?).  Compensating...
  
mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥:
  mismatching "local" filename 
(mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
   continuing with "central" filename version
 skipping: 
mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥
  unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.

I'm attaching a proposed patch that adds the missing error handling.


Enrico


-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.8-4
ii  libc6   2.31-13+deb11u3

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-12

-- no debconf information
diff --git a/fileio.c b/fileio.c
index 6290824..77e4b5f 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option)   /* return PK-type 
error code */
   /* convert UTF-8 to local character set */
   fn = utf8_to_local_string(G.unipath_filename,
 G.unicode_escape_all);
+  if (fn == NULL)
+return PK_ERR;
+
   /* make sure filename is short enough */
   if (strlen(fn) >= FILNAMSIZ) {
 fn[FILNAMSIZ - 1] = '\0';
diff --git a/process.c b/process.c
index d2a846e..715bc0f 100644
--- a/process.c
+++ b/process.c
@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
   int escape_all;
 {
   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+return NULL;
   char *loc = wide_to_local_string(wide, escape_all);
   free(wide);
   return loc;