From 9025bd4759405556e9daf8c5fd01fdbb1fd4d8a5 Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Tue, 2 Sep 2025 18:50:33 +0800 Subject: [PATCH] [CVE] CVE-2022-0529 to #23704 add patch to fix CVE-2022-0529 Project: TC2024080204 Signed-off-by: tomcruiseqi --- 33-bugfix-for-CVE-2022-0529.patch | 104 ++++++++++++++++++++++++++++++ unzip.spec | 6 +- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 33-bugfix-for-CVE-2022-0529.patch diff --git a/33-bugfix-for-CVE-2022-0529.patch b/33-bugfix-for-CVE-2022-0529.patch new file mode 100644 index 0000000..ea26df0 --- /dev/null +++ b/33-bugfix-for-CVE-2022-0529.patch @@ -0,0 +1,104 @@ +From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001 +From: Lv Ying +Date: Wed, 23 Feb 2022 09:32:21 +0800 +Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads + during conversion of wide string to local string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402 +CVE can be reproduced: +$ unset LANG +$ valgrind ./unzip ./unzip_03/testcase +valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed + +This is because wide_to_escape_string returns a string that represents a wide char +not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES +max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not +including the terminating null character. So strcat(buffer, escape_string) will cause +Heap out-of-bound writes. + +By default, the OS vendor sets the LANG environment variable. valgrind tests this POC +will get another memory error. +$ export | grep LANG +declare -x LANG="en_US.UTF-8" +$ valgrind ./unzip ./unzip_03/testcase + +Archive: unzip_03/testcase +warning [unzip_03/testcase]: 303 extra bytes at beginning or within zipfile + (attempting to process anyway) +error [unzip_03/testcase]: reported length of central directory is + -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 + zipfile?). Compensating... +==15725== Conditional jump or move depends on uninitialised value(s) +==15725== at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186) +==15725== by 0x48F3D61: wcsrtombs (wcsrtombs.c:104) +==15725== by 0x488B9A0: wcstombs (wcstombs.c:34) +==15725== by 0x407279: wcstombs (stdlib.h:154) +==15725== by 0x407279: fnfilter.constprop.2 (extract.c:2946) +==15725== by 0x4076A5: store_info (extract.c:1155) +==15725== by 0x40AFF4: extract_or_test_files (extract.c:782) +==15725== by 0x41586C: do_seekable (process.c:994) +==15725== by 0x4167EE: process_zipfiles (process.c:401) +==15725== by 0x40449B: unzip (unzip.c:1280) +==15725== by 0x4874B26: (below main) (libc-start.c:308) +==15725== + skipping: ??????????????????????????????????????????????????????????????????????????ı need PK compat. v4.6 (can do v4.5) +==15725== +==15725== HEAP SUMMARY: +==15725== in use at exit: 0 bytes in 0 blocks +==15725== total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated +==15725== +==15725== All heap blocks were freed -- no leaks are possible +==15725== +==15725== For counts of detected and suppressed errors, rerun with: -v +==15725== Use --track-origins=yes to see where uninitialised values come from +==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) + +This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter +use wrong n parameter which stands for At most n bytes are written to dest. +When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more +bytes over dest(newraw). + +Signed-off-by: Lv Ying +--- + extract.c | 4 ++-- + process.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/extract.c b/extract.c +index f0e8217..3f6e14d 100644 +--- a/extract.c ++++ b/extract.c +@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */ + if (wslen != (size_t)-1) + { + /* Apparently valid Unicode. Allocate wide-char storage. */ +- wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t)); ++ wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t)); + if (wstring == NULL) { + strcpy( (char *)space, raw); + return (char *)space; + } +- wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t)); ++ wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t)); + if (wostring == NULL) { + free(wstring); + strcpy( (char *)space, raw); +diff --git a/process.c b/process.c +index 5cba073..3e7fcb3 100644 +--- a/process.c ++++ b/process.c +@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string) + */ + + /* set this to the max bytes an escape can be */ +-#define MAX_ESCAPE_BYTES 8 ++#define MAX_ESCAPE_BYTES 10 + + char *wide_to_escape_string(wide_char) + zwchar wide_char; +-- +2.27.0 + diff --git a/unzip.spec b/unzip.spec index 5901be8..aaacc81 100644 --- a/unzip.spec +++ b/unzip.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 Name: unzip Epoch: 1 @@ -68,6 +68,7 @@ Patch30: 0030-unzip-zipbomb-part5.patch Patch31: 0031-unzip-zipbomb-part6.patch Patch32: 0032-unzip-zipbomb-switch.patch +Patch33: 33-bugfix-for-CVE-2022-0529.patch BuildRequires: make BuildRequires: bzip2-devel, gcc @@ -113,6 +114,9 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_ %doc README BUGS %changelog +* Tue Sep 02 2025 tomcruiseqi - 1:6.0-4 +- Fix CVE-2022-0529 + * Wed Oct 26 2022 Jing Zhang - 1:6.0-3 - add fixes for CVE and bugs -- Gitee