Your message dated Fri, 25 Apr 2025 21:51:50 +0000
with message-id <e1u8qxa-006ghn...@fasolo.debian.org>
and subject line Bug#1077054: fixed in zip 3.0-15
has caused the Debian Bug report #1077054,
regarding Charset conversion fails when zip is built with _FORTIFY_SOURCE
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1077054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zip
Version: 3.0-14
Severity: minor
Tags: patch
If zip 3.0-14 is built with _FORTIFY_SOURCE=3 (GCC 14.1, glibc 2.40),
this can happen when compressing a file with non-ASCII characters in its
UTF-8 name:
$ echo -n "There’s a Baby in the House.flac" | od -c
0000000 T h e r e 342 200 231 s a B a b y
0000020 i n t h e H o u s e . f l
0000040 a c
$ zip /tmp/t.zip "There’s a Baby in the House.flac"
*** buffer overflow detected ***: terminated
The problem is in local_to_wide_string, where mbstowcs is being run with
the UTF-8 source length rather than the widechar destination length --
this correctly trips a fortify error because GCC 14 can infer the actual
size of the destination.
I've attached a patch.
Thanks,
--
Adam Sampson <a...@offog.org> <http://offog.org/>
Avoid buffer overflow in local_to_wide_string.
The main problem here, which FORTIFY_SOURCE detects at runtime, was that
mbstowcs's size argument should be the size of the destination, not the
size of the source.
The two lines that add a terminating \0 were incorrect too. For the
first one, mbstowcs has either run out of space (in which case wsize
will be outside the bounds of the array), or it's succeeded (in which
case it's written the \0 itself). For the second one, the loop test will
have copied the \0 from the source string already.
--- zip-3.0-14/fileio.c 2008-05-29 01:13:24.000000000 +0100
+++ zip-3.0-14/fileio.c 2024-07-25 15:31:12.946353616 +0100
@@ -3487,7 +3487,7 @@
zwchar *local_to_wide_string(local_string)
char *local_string;
{
- int wsize;
+ size_t wsize, n;
wchar_t *wc_string;
zwchar *wide_string;
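Review bot: the change of `wsize` from int to size_t in the declaration needs a matching check of the line that assigns it, which falls between this hunk and the next and is not shown in the patch. If that line tests the result for a negative value, the test can never be true for an unsigned type and should compare against (size_t)-1 instead. Otherwise `(wsize + 1) * sizeof(wchar_t)` in the malloc that follows would be computed from the error value.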
@@ -3502,15 +3502,18 @@
if ((wc_string = (wchar_t *)malloc((wsize + 1) * sizeof(wchar_t))) == NULL) {
ZIPERR(ZE_MEM, "local_to_wide_string");
}
- wsize = mbstowcs(wc_string, local_string, strlen(local_string) + 1);
- wc_string[wsize] = (wchar_t) 0;
+ n = mbstowcs(wc_string, local_string, wsize + 1);
+ if (n != wsize) {
+ ZIPERR(ZE_LOGIC, "mbstowcs");
+ }
/* in case wchar_t is not zwchar */
if ((wide_string = (zwchar *)malloc((wsize + 1) * sizeof(zwchar))) == NULL) {
ZIPERR(ZE_MEM, "local_to_wide_string");
}
- for (wsize = 0; (wide_string[wsize] = (zwchar)wc_string[wsize]); wsize++) ;
- wide_string[wsize] = (zwchar)0;
+ for (n = 0; n < wsize + 1; n++) {
+ wide_string[n] = (zwchar)wc_string[n];
+ }
free(wc_string);
return wide_string;
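Review bot: at the new `if (n != wsize)` check, the (size_t)-1 error return of mbstowcs is caught only implicitly, and the failure is reported as ZE_LOGIC with the string "mbstowcs" while both malloc failures in this hunk name "local_to_wide_string". A one-line comment saying that the comparison also covers the error return, and an error string that names the function, would make this easier to maintain. The copy loop bounded by `n < wsize + 1` depends on this check to guarantee that wc_string[wsize] holds the terminator, so the two should stay together.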
--- End Message ---
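The length mismatch described in the report above, as an added example that is not part of the original message or of zip's source: it compares the element limit the pre-patch call passed to mbstowcs with the real capacity of the destination, and shows a conversion bounded by the allocation size. The names SAMPLE, use_utf8_locale, old_limit, dest_capacity and to_wide are hypothetical, and a UTF-8 locale is assumed to be available for the non-ASCII case.

```c
#include <locale.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample: the first word of the filename in the report,
   with U+2019 written as its UTF-8 bytes (342 200 231 in octal). */
static const char SAMPLE[] = "There\xe2\x80\x99s";

/* Try common UTF-8 locale names (an assumption about the host);
   succeed only if U+2019 really decodes as one character. */
int use_utf8_locale(void)
{
    static const char *names[] = { "C.UTF-8", "en_US.UTF-8", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL &&
            mbstowcs(NULL, "\xe2\x80\x99", 0) == 1)
            return 1;
    return 0;
}

/* Element limit the pre-patch call gave mbstowcs: source bytes plus one. */
size_t old_limit(const char *s) { return strlen(s) + 1; }

/* Elements the destination really has: wide characters plus one,
   or 0 if s is not a valid multibyte string in the current locale. */
size_t dest_capacity(const char *s)
{
    size_t wsize = mbstowcs(NULL, s, 0);   /* count only, nothing written */
    return wsize == (size_t)-1 ? 0 : wsize + 1;
}

/* Bounded conversion: the limit passed to mbstowcs is the allocation size.
   Returns a malloc'd string and stores its length, or NULL on failure. */
wchar_t *to_wide(const char *s, size_t *len)
{
    size_t cap = dest_capacity(s);
    if (cap == 0) return NULL;
    wchar_t *w = malloc(cap * sizeof *w);
    if (w == NULL) return NULL;
    size_t n = mbstowcs(w, s, cap);
    if (n != cap - 1) { free(w); return NULL; }  /* also catches (size_t)-1 */
    *len = n;                  /* w[n] is the terminator mbstowcs wrote */
    return w;
}
```

For pure ASCII names the two limits are equal, which is why the mismatch only shows up with multibyte filenames.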
--- Begin Message ---
Source: zip
Source-Version: 3.0-15
Done: Santiago Vila <sanv...@debian.org>
We believe that the bug you reported is fixed in the latest version of
zip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated zip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Apr 2025 22:55:00 +0200
Source: zip
Architecture: source
Version: 3.0-15
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 903196 1005943 1077054 1092811 1093629
Changes:
zip (3.0-15) unstable; urgency=medium
.
* Add debian/source/lintian-overrides for *.a files.
* Fix manpage typo: RISC OS/2 -> OS/2. Closes: #1092811.
* Fix buffer overflow when filename contains unicode characters.
Closes: #1077054, #1093629.
* Fix buffer overflow when using '-T -TT'. Closes: #903196, #1093629.
This is CVE-2018-13410. CVE note: Negligible security impact, would
involve that an untrusted party controls the -TT value.
* Fix symlink update detection. Closes: #1005943.
* Add Vcs-Git and Vcs-Browser fields.
* Update Standards-Version.
* Add debian/salsa-ci.yml.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---