diff --git a/CVE-2022-0529.patch b/CVE-2022-0529.patch new file mode 100644 index 0000000000000000000000000000000000000000..2a03ede0b11574fbae6ee7bb2eb004b938087338 --- /dev/null +++ b/CVE-2022-0529.patch @@ -0,0 +1,104 @@ +From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001 +From: Lv Ying +Date: Wed, 23 Feb 2022 09:32:21 +0800 +Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads + during conversion of wide string to local string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402 +CVE can be reproduced: +$ unset LANG +$ valgrind ./unzip ./unzip_03/testcase +valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed + +This is because wide_to_escape_string returns a string that represents a wide char +not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES +max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not +including the terminating null character. So strcat(buffer, escape_string) will cause +Heap out-of-bound writes. + +By default, the OS vendor sets the LANG environment variable. valgrind tests this POC +will get another memory error. +$ export | grep LANG +declare -x LANG="en_US.UTF-8" +$ valgrind ./unzip ./unzip_03/testcase + +Archive: unzip_03/testcase +warning [unzip_03/testcase]: 303 extra bytes at beginning or within zipfile + (attempting to process anyway) +error [unzip_03/testcase]: reported length of central directory is + -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 + zipfile?). Compensating... +==15725== Conditional jump or move depends on uninitialised value(s) +==15725== at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186) +==15725== by 0x48F3D61: wcsrtombs (wcsrtombs.c:104) +==15725== by 0x488B9A0: wcstombs (wcstombs.c:34) +==15725== by 0x407279: wcstombs (stdlib.h:154) +==15725== by 0x407279: fnfilter.constprop.2 (extract.c:2946) +==15725== by 0x4076A5: store_info (extract.c:1155) +==15725== by 0x40AFF4: extract_or_test_files (extract.c:782) +==15725== by 0x41586C: do_seekable (process.c:994) +==15725== by 0x4167EE: process_zipfiles (process.c:401) +==15725== by 0x40449B: unzip (unzip.c:1280) +==15725== by 0x4874B26: (below main) (libc-start.c:308) +==15725== + skipping: ??????????????????????????????????????????????????????????????????????????ı need PK compat. v4.6 (can do v4.5) +==15725== +==15725== HEAP SUMMARY: +==15725== in use at exit: 0 bytes in 0 blocks +==15725== total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated +==15725== +==15725== All heap blocks were freed -- no leaks are possible +==15725== +==15725== For counts of detected and suppressed errors, rerun with: -v +==15725== Use --track-origins=yes to see where uninitialised values come from +==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) + +This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter +use wrong n parameter which stands for At most n bytes are written to dest. +When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more +bytes over dest(newraw). + +Signed-off-by: Lv Ying +--- + extract.c | 4 ++-- + process.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/extract.c b/extract.c +index f0e8217..3f6e14d 100644 +--- a/extract.c ++++ b/extract.c +@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */ + if (wslen != (size_t)-1) + { + /* Apparently valid Unicode. Allocate wide-char storage. */ +- wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t)); ++ wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t)); + if (wstring == NULL) { + strcpy( (char *)space, raw); + return (char *)space; + } +- wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t)); ++ wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t)); + if (wostring == NULL) { + free(wstring); + strcpy( (char *)space, raw); +diff --git a/process.c b/process.c +index 5cba073..3e7fcb3 100644 +--- a/process.c ++++ b/process.c +@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string) + */ + + /* set this to the max bytes an escape can be */ +-#define MAX_ESCAPE_BYTES 8 ++#define MAX_ESCAPE_BYTES 10 + + char *wide_to_escape_string(wide_char) + zwchar wide_char; +-- +2.27.0 + diff --git a/CVE-2022-0530.patch b/CVE-2022-0530.patch new file mode 100644 index 0000000000000000000000000000000000000000..46a81b58d25751fd0df7a2888773b05b2019a733 --- /dev/null +++ b/CVE-2022-0530.patch @@ -0,0 +1,61 @@ +From 4d9e8cd35d59f05f75cb2d8f05c6e4c9277dcf9c Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Tue, 22 Feb 2022 21:04:25 +0000 +Subject: [PATCH 1/2] Fix CVE-2022-0530 + +Signed-off-by: Zhipeng Xie +--- + fileio.c | 20 +++++++++++++------- + process.c | 2 ++ + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/fileio.c b/fileio.c +index cf995a9..e237272 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2360,16 +2360,22 @@ int do_string(__G__ length, option) /* return PK-type error code */ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); +- /* make sure filename is short enough */ +- if (strlen(fn) >= FILNAMSIZ) { +- fn[FILNAMSIZ - 1] = '\0'; ++ if (!fn) { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(UFilenameTooLongTrunc))); ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); + error = PK_WARN; ++ } else { ++ /* make sure filename is short enough */ ++ if (strlen(fn) >= FILNAMSIZ) { ++ fn[FILNAMSIZ - 1] = '\0'; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(UFilenameTooLongTrunc))); ++ error = PK_WARN; ++ } ++ /* replace filename with converted UTF-8 */ ++ strcpy(G.filename, fn); ++ free(fn); + } +- /* replace filename with converted UTF-8 */ +- strcpy(G.filename, fn); +- free(fn); + } + # endif /* UNICODE_WCHAR */ + if (G.unipath_filename != G.filename_full) +diff --git a/process.c b/process.c +index 46abce2..5cba073 100644 +--- a/process.c ++++ b/process.c +@@ -2597,6 +2597,8 @@ char *utf8_to_local_string(utf8_string, escape_all) + int escape_all; + { + zwchar *wide = utf8_to_wide_string(utf8_string); ++ if (!wide) ++ return NULL; + char *loc = wide_to_local_string(wide, escape_all); + free(wide); + return loc; +-- +2.27.0 + diff --git a/unzip.spec b/unzip.spec index 86ebf2e1f5627cfe6f55b3689d66b5452376e986..a0024d460c24a43ef71017efbc3754099ec61048 100644 --- a/unzip.spec +++ b/unzip.spec @@ -1,6 +1,6 @@ Name: unzip Version: 6.0 -Release: 45 +Release: 46 Summary: A utility for unpacking zip files License: BSD URL: http://www.info-zip.org/UnZip.html @@ -35,7 +35,8 @@ Patch6001: CVE-2019-13232-pre.patch Patch6002: CVE-2019-13232.patch Patch6003: CVE-2019-13232-fur1.patch Patch9000: CVE-2019-13232-fur2.patch - +Patch9001: CVE-2022-0530.patch +Patch9002: CVE-2022-0529.patch BuildRequires: bzip2-devel @@ -70,6 +71,9 @@ Package help includes man pages for unzip. %{_mandir}/man1/* %changelog +* Wed Feb 23 2022 tianwei - 6.0-46 +- fix CVE-2022-0529 CVE-2022-0530 + * Mon Mar 2 2020 openEuler Buildteam - 6.0-45 - delete garbled characters