Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
On Thu, Jun 30, 2022 at 02:16:55PM +0200, Santiago Vila wrote:
> Dear Steven and Mark:
>
> I plan to apply the attached patches (from Enrico Zini) to fix CVE-2022-0529
> and CVE-2022-0530 in Debian unzip, but before doing so I would like to have
> some feedback from upstream (i.e. you) or either from the Security Team
> (also in CC).
>
> Details about the bug here:
>
> https://bugs.debian.org/1010355
>
> The test cases triggering the bug are here:
>
> https://github.com/ByteHackr/unzip_poc

Hi,

note that we need some additional clarification on what the scope of
CVE-2022-0529 and CVE-2022-0530 is. Both originated from Red Hat Bugzilla:

---
https://bugzilla.redhat.com/show_bug.cgi?id=2051395 is the public reference
for CVE-2022-0530 and this links to a private Red Hat bug "SIGSEGV during the
conversion of an utf-8 string to a local string":
https://bugzilla.redhat.com/show_bug.cgi?id=2048569
---
https://bugzilla.redhat.com/show_bug.cgi?id=2051402 is the public reference
for CVE-2022-0529 and this links to a different private Red Hat bug: "Heap
out-of-bound writes and reads during conversion of wide string to local
string"
https://bugzilla.redhat.com/show_bug.cgi?id=2048572
---

The description of the CVE-2022-0529 Red Hat bugzilla entry indicates there
is more than the two proposed patches fix; the two patches don't address any
OOB heap write.

I'm adding the Red Hat engineer who created the bugs to CC, Sandipan Roy.

@Sandipan, the unzip upstream authors are CCed to this mail to land fixes for
the unzip vulnerabilities you found. Would it be possible to open up
bz#2048572 and bz#2048569 with the full details of these security
vulnerabilities so that upstream can review/merge the patches and clarify
the status of CVE-2022-0529?

Cheers,
Moritz

> Thanks.

> From: Enrico Zini
> Subject: Fix wide string conversion
> Bug-Debian: https://bugs.debian.org/1010355
> X-Debian-version: 6.0-27
>
> --- a/process.c
> +++ b/process.c
> @@ -2507,13 +2507,15 @@ >char buf[9]; >char *buffer = NULL; >char *local_string = NULL; > + size_t buffer_size; > >for (wsize = 0; wide_string[wsize]; wsize++) ; > >if (max_bytes < MAX_ESCAPE_BYTES) > max_bytes = MAX_ESCAPE_BYTES; > > - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { > + buffer_size = wsize * max_bytes + 1; > + if ((buffer = (char *)malloc(buffer_size)) == NULL) { > return NULL; >} > > @@ -2552,7 +2554,11 @@ >/* no MB for this wide */ > /* use escape for wide character */ > char *escape_string = wide_to_escape_string(wide_string[i]); > -strcat(buffer, escape_string); > +size_t buffer_len = strlen(buffer); > +size_t escape_string_len = strlen(escape_string); > +if (buffer_len + escape_string_len + 1 > buffer_size) > + escape_string_len = buffer_size - buffer_len - 1; > +strncat(buffer, escape_string, escape_string_len); > free(escape_string); > } >} > From: Enrico Zini > Subject: Fix null pointer dereference on invalid UTF-8 input > Bug-Debian: https://bugs.debian.org/1010355 > X-Debian-version: 6.0-27 > > --- a/fileio.c > +++ b/fileio.c > @@ -2361,6 +2361,9 @@ >/* convert UTF-8 to local character set */ >fn = utf8_to_local_string(G.unipath_filename, > G.unicode_escape_all); > + if (fn == NULL) > +return PK_ERR; > + >/* make sure filename is short enough */ >if (strlen(fn) >= FILNAMSIZ) { > fn[FILNAMSIZ - 1] = '\0'; > --- a/process.c > +++ b/process.c > @@ -2611,6 +2611,8 @@ >int escape_all; > { >zwchar *wide = utf8_to_wide_string(utf8_string); > + if (wide == NULL) > +return NULL; >char *loc = wide_to_local_string(wide, escape_all); >free(wide); >return loc;
Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Dear Steven and Mark: I plan to apply the attached patches (from Enrico Zini) to fix CVE-2022-0529 and CVE-2022-0530 in Debian unzip, but before doing so I would like to have some feedback from upstream (i.e. you) or either from the Security Team (also in CC). Details about the bug here: https://bugs.debian.org/1010355 The test cases triggering the bug are here: https://github.com/ByteHackr/unzip_poc Thanks.From: Enrico Zini Subject: Fix wide string conversion Bug-Debian: https://bugs.debian.org/1010355 X-Debian-version: 6.0-27 --- a/process.c +++ b/process.c @@ -2507,13 +2507,15 @@ char buf[9]; char *buffer = NULL; char *local_string = NULL; + size_t buffer_size; for (wsize = 0; wide_string[wsize]; wsize++) ; if (max_bytes < MAX_ESCAPE_BYTES) max_bytes = MAX_ESCAPE_BYTES; - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { + buffer_size = wsize * max_bytes + 1; + if ((buffer = (char *)malloc(buffer_size)) == NULL) { return NULL; } @@ -2552,7 +2554,11 @@ /* no MB for this wide */ /* use escape for wide character */ char *escape_string = wide_to_escape_string(wide_string[i]); -strcat(buffer, escape_string); +size_t buffer_len = strlen(buffer); +size_t escape_string_len = strlen(escape_string); +if (buffer_len + escape_string_len + 1 > buffer_size) + escape_string_len = buffer_size - buffer_len - 1; +strncat(buffer, escape_string, escape_string_len); free(escape_string); } } From: Enrico Zini Subject: Fix null pointer dereference on invalid UTF-8 input Bug-Debian: https://bugs.debian.org/1010355 X-Debian-version: 6.0-27 --- a/fileio.c +++ b/fileio.c @@ -2361,6 +2361,9 @@ /* convert UTF-8 to local character set */ fn = utf8_to_local_string(G.unipath_filename, G.unicode_escape_all); + if (fn == NULL) +return PK_ERR; + /* make sure filename is short enough */ if (strlen(fn) >= FILNAMSIZ) { fn[FILNAMSIZ - 1] = '\0'; --- a/process.c +++ b/process.c 
@@ -2611,6 +2611,8 @@ int escape_all; { zwchar *wide = utf8_to_wide_string(utf8_string); + if (wide == NULL) +return NULL; char *loc = wide_to_local_string(wide, escape_all); free(wide); return loc;
Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
On Tue, Jun 14, 2022 at 07:06:37PM +0200, Santiago Vila wrote: > But the github repository containing the test cases, namely this: > https://github.com/ByteHackr/unzip_poc > contains a test case for yet another problem called CVE-2022-0529 > which I would like to fix as well. Hello Steven and Santiago, I'm attaching a proposed patch to fix CVE-2022-0529. Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini diff --git a/process.c b/process.c index d2a846e..99b9c7b 100644 --- a/process.c +++ b/process.c @@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all) char buf[9]; char *buffer = NULL; char *local_string = NULL; + size_t buffer_size; for (wsize = 0; wide_string[wsize]; wsize++) ; if (max_bytes < MAX_ESCAPE_BYTES) max_bytes = MAX_ESCAPE_BYTES; - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { + buffer_size = wsize * max_bytes + 1; + if ((buffer = (char *)malloc(buffer_size)) == NULL) { return NULL; } @@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all) /* no MB for this wide */ /* use escape for wide character */ char *escape_string = wide_to_escape_string(wide_string[i]); -strcat(buffer, escape_string); +size_t buffer_len = strlen(buffer); +size_t escape_string_len = strlen(escape_string); +if (buffer_len + escape_string_len + 1 > buffer_size) + escape_string_len = buffer_size - buffer_len - 1; +strncat(buffer, escape_string, escape_string_len); free(escape_string); } } signature.asc Description: PGP signature
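Review bot: in the first hunk, `buffer_size = wsize * max_bytes + 1;` keeps the original sizing assumption that every wide character expands to at most max_bytes bytes; the patch does not change why an escape can exceed that budget, it only records the size so the second hunk can clamp. Consider either sizing the buffer from the actual escape lengths (a measuring pass before malloc) or at least guarding `wsize * max_bytes` against overflow, and add a comment stating what buffer_size is meant to bound.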
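Review bot: in the second hunk, the clamp `escape_string_len = buffer_size - buffer_len - 1;` silently truncates the escape sequence, so the returned name can end in a partial `#U`/`#L` escape with no indication to the caller; returning NULL (as the malloc failure path in the first hunk already does) or reporting the truncation would be safer than producing a misleading filename. The subtraction is also only safe while `buffer_len < buffer_size` holds, which the condition `buffer_len + escape_string_len + 1 > buffer_size` does not itself guarantee; a comment or an explicit `buffer_len + 1 >= buffer_size` check would document the invariant.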
Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Hello. I received this from the Debian bug system.

There are actually two problems here. One of them is CVE-2022-0530 which is
what the reported bug is about. For that I have the proposed patch by Enrico
Zini which seems to fix the issue.

But the github repository containing the test cases, namely this:

https://github.com/ByteHackr/unzip_poc

contains a test case for yet another problem called CVE-2022-0529 which I
would like to fix as well.

This is what I've done to reproduce the bug:

export LC_ALL=C
cd CVE-2022-0529
unzip testcase

and I get this:

Archive: testcase
warning [testcase]: 303 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase]: reported length of central directory is -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
double free or corruption (out)

Any help will be appreciated.

Thanks.

Forwarded Message
Subject: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Date: Fri, 29 Apr 2022 13:27:33 +0200
From: Enrico Zini
Reply-To: Enrico Zini, 1010...@bugs.debian.org
To: Debian Bug Tracking System

Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team
Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
error: zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
mp/zip-unzip-0/7/source/workdir /��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥: mismatching "local" filename (mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q), continuing with "central" filename version
skipping: mp/zip-unzip-0/7/source/workdir /��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥 unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string for a
NULL value. I'm attaching a proposed patch that adds the missing error
handling.
Enrico -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages unzip depends on: ii libbz2-1.0 1.0.8-4 ii libc6 2.31-13+deb11u3 unzip recommends no packages. Versions of packages unzip suggests: ii zip 3.0-12 -- no debconf informationdiff --git a/fileio.c b/fileio.c index 6290824..77e4b5f 100644 --- a/fileio.c +++ b/fileio.c @@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ /* convert UTF-8 to local character set */ fn = utf8_to_local_string(G.unipath_filename, G.unicode_escape_all); + if (fn == NULL) +return PK_ERR; + /* make sure filename is short enough */ if (strlen(fn) >= FILNAMSIZ) { fn[FILNAMSIZ - 1] = '\0'; diff --git a/process.c b/process.c index d2a846e..715bc0f 100644 --- a/process.c +++ b/process.c @@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) int escape_all; { zwchar *wide = utf8_to_wide_string(utf8_string); + if (wide == NULL) +return NULL; char *loc = wide_to_local_string(wide, escape_all); free(wide); return loc;
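An added example, not unzip's code and not part of Enrico's patches: a simplified model of the two conversion steps the bug report describes (UTF-8 to wide, wide to local) that returns NULL on malformed UTF-8 and propagates it, and sizes the escaped output by measuring each escape instead of assuming a fixed max_bytes per wide character, so neither the CVE-2022-0530 dereference nor the CVE-2022-0529 undersized buffer can arise. The zwchar typedef, the "#Uxxxx"/"#Lxxxxxx" escape format and all function names are assumptions; overlong and surrogate UTF-8 forms are deliberately not rejected to stay short.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned long zwchar;  /* assumed stand-in for unzip's zwchar */

/* Hypothetical escape format: "#Uxxxx" below U+10000, "#Lxxxxxx" above. */
static size_t escape_len(zwchar w) { return w > 0xFFFF ? 8 : 6; }
static void put_escape(char *dst, zwchar w) {
    if (w > 0xFFFF) sprintf(dst, "#L%06lx", w); else sprintf(dst, "#U%04lx", w);
}

/* Decode UTF-8 to a 0-terminated wide string. Malformed input (bad lead or
 * continuation byte, truncated sequence) yields NULL rather than garbage. */
zwchar *utf8_to_wide_checked(const char *utf8) {
    const unsigned char *s = (const unsigned char *)utf8;
    size_t n = strlen(utf8), i = 0, k = 0;
    zwchar *w = malloc((n + 1) * sizeof *w);  /* at most one code point per byte */
    if (w == NULL) return NULL;
    while (i < n) {
        unsigned c = s[i], j, len = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2 :
                     (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        zwchar cp = c & (len == 1 ? 0x7F : 0xFF >> (len + 1));  /* lead payload */
        if (len == 0 || i + len > n) { free(w); return NULL; }
        for (j = 1; j < len; j++) {
            if ((s[i + j] & 0xC0) != 0x80) { free(w); return NULL; }
            cp = (cp << 6) | (s[i + j] & 0x3F);
        }
        w[k++] = cp; i += len;
    }
    w[k] = 0;
    return w;
}

/* Wide to "local": printable ASCII passes through, everything else is escaped.
 * Pass 1 measures the exact output size, so no per-character max_bytes guess
 * and no strcat past the end; pass 2 writes into the exactly sized buffer. */
char *wide_to_local_sized(const zwchar *wide) {
    size_t i, need = 1;  /* terminating NUL */
    char *out, *p;
    if (wide == NULL) return NULL;
    for (i = 0; wide[i]; i++)
        need += (wide[i] >= 0x20 && wide[i] < 0x7F) ? 1 : escape_len(wide[i]);
    if ((out = malloc(need)) == NULL) return NULL;
    for (i = 0, p = out; wide[i]; i++) {
        if (wide[i] >= 0x20 && wide[i] < 0x7F) *p++ = (char)wide[i];
        else { put_escape(p, wide[i]); p += escape_len(wide[i]); }
    }
    *p = '\0';
    return out;
}

/* The two-step conversion with NULL propagated at each step. */
char *utf8_to_local_checked(const char *utf8) {
    zwchar *wide = utf8_to_wide_checked(utf8);
    char *loc;
    if (wide == NULL) return NULL;  /* the check the unpatched code lacked */
    loc = wide_to_local_sized(wide);
    free(wide);
    return loc;
}
```

Callers must still test the result for NULL, as the fileio.c part of the patch does, and free the returned string.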
Bug#1010355: Fwd: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Hello Stephen. Can you take a look at this?

The Debian version of procmail in unstable has a patch for this which I took
from git, and I was planning to just apply it to bullseye and buster, but
apparently it's not enough to fix the issue.

Thanks.

Forwarded Message
Subject: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Resent-Date: Fri, 29 Apr 2022 11:39:02 +
Resent-From: Enrico Zini
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: t...@security.debian.org, Santiago Vila
Date: Fri, 29 Apr 2022 13:27:33 +0200
From: Enrico Zini
Reply-To: Enrico Zini, 1010...@bugs.debian.org
To: Debian Bug Tracking System

Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team
Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
error: zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
mp/zip-unzip-0/7/source/workdir /��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥: mismatching "local" filename (mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q), continuing with "central" filename version skipping: mp/zip-unzip-0/7/source/workdir /��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥 unable to get password The main issue here seems to be at utf8_to_local_string, defined in process.c:2606, which doesn't check the result of utf8_to_wide_string for a NULL value. I'm attaching a proposed patch that adds the missing error handling. Enrico -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages unzip depends on: ii libbz2-1.0 1.0.8-4 ii libc6 2.31-13+deb11u3 unzip recommends no packages. Versions of packages unzip suggests: ii zip 3.0-12 -- no debconf informationdiff --git a/fileio.c b/fileio.c index 6290824..77e4b5f 100644 --- a/fileio.c +++ b/fileio.c @@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ /* convert UTF-8 to local character set */ fn = utf8_to_local_string(G.unipath_filename, G.unicode_escape_all); + if (fn == NULL) +return PK_ERR; + /* make sure filename is short enough */ if (strlen(fn) >= FILNAMSIZ) { fn[FILNAMSIZ - 1] = '\0'; diff --git a/process.c b/process.c index d2a846e..715bc0f 100644 --- a/process.c +++ b/process.c @@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) int escape_all; { zwchar *wide = utf8_to_wide_string(utf8_string); + if (wide == NULL) +return NULL; char *loc = wide_to_local_string(wide, escape_all); free(wide); return loc;
Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
notfixed 6.0-26

Correction: the issue also affects 6.0-26, but is only reproducible after

export LANG=C

Enrico

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini
Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
On 29/4/22 at 13:27, Enrico Zini wrote:
> Package: unzip
> Version: 6.0-21+deb9u2
> Severity: serious
> Tags: security upstream patch
> X-Debbugs-Cc: Debian Security Team

Thanks for the report. I would have preferred to reopen the already existing
one, but nevermind (I asked security team a few weeks ago if there was
already a CVE for this but got no reply).

I'll make uploads for stretch and bullseye.

Thanks.
Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team
Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
error: zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

$ unzip testcase-0530
Archive: testcase-0530
warning [testcase-0530]: 16 extra bytes at beginning or within zipfile (attempting to process anyway)
error [testcase-0530]: reported length of central directory is -16 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥: mismatching "local" filename (mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q), continuing with "central" filename version
skipping: mp/zip-unzip-0/7/source/workdir/��6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�瑥 unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string for a
NULL value. I'm attaching a proposed patch that adds the missing error
handling.
Enrico -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages unzip depends on: ii libbz2-1.0 1.0.8-4 ii libc6 2.31-13+deb11u3 unzip recommends no packages. Versions of packages unzip suggests: ii zip 3.0-12 -- no debconf information diff --git a/fileio.c b/fileio.c index 6290824..77e4b5f 100644 --- a/fileio.c +++ b/fileio.c @@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ /* convert UTF-8 to local character set */ fn = utf8_to_local_string(G.unipath_filename, G.unicode_escape_all); + if (fn == NULL) +return PK_ERR; + /* make sure filename is short enough */ if (strlen(fn) >= FILNAMSIZ) { fn[FILNAMSIZ - 1] = '\0'; diff --git a/process.c b/process.c index d2a846e..715bc0f 100644 --- a/process.c +++ b/process.c @@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) int escape_all; { zwchar *wide = utf8_to_wide_string(utf8_string); + if (wide == NULL) +return NULL; char *loc = wide_to_local_string(wide, escape_all); free(wide); return loc;
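Review bot: the fileio.c hunk in do_string returns PK_ERR as soon as utf8_to_local_string yields NULL, but carries no comment saying why that happens (malformed UTF-8 in the entry's Unicode name, per the subject) and prints nothing, so the entry disappears from the run with no diagnostic; a one-line comment above `if (fn == NULL)` and an error message naming the entry would make the failure visible to the user. Also worth confirming that nothing allocated earlier in do_string needs releasing before this early return, since the hunk context does not show the function's cleanup path.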
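Review bot: in the process.c hunk the inserted `if (wide == NULL) return NULL;` sits between the declarations `zwchar *wide = utf8_to_wide_string(utf8_string);` and `char *loc = wide_to_local_string(wide, escape_all);`, so utf8_to_local_string now mixes statements and declarations; given the old-style definition `char *utf8_to_local_string(utf8_string, escape_all)`, check that the build accepts C99 here or declare `loc` before the check. The early return is the right fix, but the patch adds a NULL check in only one caller (do_string in fileio.c); the remaining callers of utf8_to_local_string should be audited for the same result, which was already reachable through wide_to_local_string's `return NULL` on malloc failure.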