Your message dated Tue, 14 Jun 2022 19:06:37 +0200
with message-id <98742dec-d0de-d79e-9447-070f83709...@unex.es>
has caused the Debian Bug report #1010355,
regarding CVE-2022-0530: null pointer dereference on invalid UTF-8 input
to be marked as having been forwarded to the upstream software
author(s) "Steven M. Schweda" <s...@antinode.info>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hello.

I received this from the Debian bug system.

There are actually two problems here. One of them is CVE-2022-0530,
which is what the reported bug is about. For that I have the proposed patch by Enrico Zini, which seems to fix the issue.

But the GitHub repository containing the test cases, namely this:

https://github.com/ByteHackr/unzip_poc

contains a test case for yet another problem called CVE-2022-0529
which I would like to fix as well.

This is what I've done to reproduce the bug:

export LC_ALL=C
cd CVE-2022-0529
unzip testcase

and I get this:

Archive:  testcase
warning [testcase]:  303 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [testcase]:  reported length of central directory is
  -303 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
double free or corruption (out)

Any help will be appreciated.

Thanks.

-------- Forwarded Message --------
Subject: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Date: Fri, 29 Apr 2022 13:27:33 +0200
From: Enrico Zini <enr...@debian.org>
Reply-To: Enrico Zini <enr...@debian.org>, 1010...@bugs.debian.org
To: Debian Bug Tracking System <sub...@bugs.debian.org>

Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

  $ unzip testcase-0530
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
  error:  zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

  $ unzip testcase-0530
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
mp/zip-unzip-0/7/source/workdir /������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥: mismatching "local" filename (mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
           continuing with "central" filename version
skipping: mp/zip-unzip-0/7/source/workdir /������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥 unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.

I'm attaching a proposed patch that adds the missing error handling.


Enrico


-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.8-4
ii  libc6       2.31-13+deb11u3

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-12

-- no debconf information
diff --git a/fileio.c b/fileio.c
index 6290824..77e4b5f 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option)   /* return PK-type 
error code */
                   /* convert UTF-8 to local character set */
                   fn = utf8_to_local_string(G.unipath_filename,
                                             G.unicode_escape_all);
+                  if (fn == NULL)
+                    return PK_ERR;
+
                   /* make sure filename is short enough */
                   if (strlen(fn) >= FILNAMSIZ) {
                     fn[FILNAMSIZ - 1] = '\0';
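Review bot: the new `if (fn == NULL) return PK_ERR;` makes an undecodable UTF-8 name in the Unicode path extra field abort do_string silently, with no diagnostic and no fallback, even though the entry already has a non-Unicode filename read from the central directory (the same name unzip falls back to in the "mismatching "local" filename ... continuing with "central" filename version" case shown in the report). Consider either falling back to that name instead of returning PK_ERR, or at least printing a warning before the return so the user learns why the entry was rejected; also double-check that nothing allocated earlier in this branch of do_string is leaked by the early return.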
diff --git a/process.c b/process.c
index d2a846e..715bc0f 100644
--- a/process.c
+++ b/process.c
@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
   int escape_all;
 {
   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+    return NULL;
   char *loc = wide_to_local_string(wide, escape_all);
   free(wide);
   return loc;
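Review bot: inserting the `if (wide == NULL) return NULL;` statement before the `char *loc = ...` declaration turns this into a declaration after a statement, which is a C99 construct; this function still uses old-style parameter declarations (`int escape_all;` above), so the file is being kept C89-clean and strict compilers will reject the hunk. Declare `loc` first and assign after the check:
  zwchar *wide = utf8_to_wide_string(utf8_string);
  char *loc;
  if (wide == NULL)
    return NULL;
  loc = wide_to_local_string(wide, escape_all);
Note also that utf8_to_local_string can now return NULL, so every caller must check for it; the fileio.c hunk covers do_string, but any other caller of this function needs the same guard or it simply moves the dereference one frame up.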


--- End Message ---
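The failure mode Enrico describes is a NULL returned by the UTF-8 decoder being passed straight into the next conversion step. The following is an added example, written for this page and not taken from unzip, that shows the shape of the bug and of the fix: a small UTF-8 to wide-string decoder that returns NULL on malformed input (truncated sequences, stray continuation bytes, overlong forms, surrogates), an unchecked wrapper that mirrors the pre-patch utf8_to_local_string, and the guarded wrapper the patch introduces. The function names mirror unzip's but are re-implementations with simplified signatures; the `zwchar` typedef, the `#Uxxxx`/`#Lxxxxxx` escaping and the sample filenames are assumptions made for the example.

```c
/* Added example, not unzip's code: UTF-8 -> wide conversion that returns
 * NULL on malformed input, and the unchecked vs. guarded wrapper around it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long zwchar;   /* assumption: wide character type as in unzip */

/* Decode one UTF-8 sequence starting at s. Returns bytes consumed, or 0 on
 * error. Every continuation byte is checked before the next one is read, so
 * a truncated sequence at the string's NUL terminator is rejected safely. */
static size_t decode_one(const unsigned char *s, zwchar *out)
{
    unsigned char c = s[0];
    size_t len, i;
    zwchar cp;

    if (c < 0x80) { *out = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
    else return 0;                          /* stray continuation or 0xF8..0xFF */

    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0; /* truncated or bad continuation */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    /* reject overlong encodings, UTF-16 surrogates and values past U+10FFFF */
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000) || (cp >= 0xD800 && cp <= 0xDFFF) ||
        cp > 0x10FFFF)
        return 0;
    *out = cp;
    return len;
}

/* Like unzip's utf8_to_wide_string: returns a heap-allocated, 0-terminated
 * wide string, or NULL when the input is not valid UTF-8. */
zwchar *utf8_to_wide_string(const char *utf8)
{
    size_t n = strlen(utf8), i = 0, k = 0;
    zwchar *wide = malloc((n + 1) * sizeof *wide); /* <= one code point per byte */
    if (wide == NULL) return NULL;
    while (i < n) {
        size_t used = decode_one((const unsigned char *)utf8 + i, &wide[k]);
        if (used == 0) { free(wide); return NULL; }
        i += used;
        k++;
    }
    wide[k] = 0;
    return wide;
}

/* Stand-in for wide_to_local_string: ASCII passes through, anything else is
 * escaped as #Uxxxx or #Lxxxxxx (assumed form of unzip's escapes). Note that
 * it dereferences its argument unconditionally. */
char *wide_to_local_string(const zwchar *wide)
{
    size_t k, n = 0;
    char *loc, *p;
    for (k = 0; wide[k]; k++) n++;
    loc = malloc(n * 8 + 1);                /* worst case 8 chars per code point */
    if (loc == NULL) return NULL;
    p = loc;
    for (k = 0; wide[k]; k++) {
        if (wide[k] < 0x80) *p++ = (char)wide[k];
        else p += sprintf(p, wide[k] < 0x10000 ? "#U%04lx" : "#L%06lx", wide[k]);
    }
    *p = '\0';
    return loc;
}

/* Pre-patch shape: the NULL from the decoder flows into the next step, which
 * dereferences it. Do not call this with invalid UTF-8; it crashes by design. */
char *utf8_to_local_string_unchecked(const char *utf8)
{
    zwchar *wide = utf8_to_wide_string(utf8);
    char *loc = wide_to_local_string(wide);  /* NULL dereference when wide == NULL */
    free(wide);
    return loc;
}

/* Patched shape: propagate NULL so the caller can reject or fall back. */
char *utf8_to_local_string(const char *utf8)
{
    zwchar *wide = utf8_to_wide_string(utf8);
    char *loc;
    if (wide == NULL)
        return NULL;
    loc = wide_to_local_string(wide);
    free(wide);
    return loc;
}

int main(void)
{
    /* constructed filenames: one valid, one with a truncated 3-byte sequence */
    const char *good = "dir/caf\xC3\xA9.txt";
    const char *bad  = "dir/\xE3\x81.txt";   /* 0xE3 needs two continuation bytes */
    char *a = utf8_to_local_string(good);
    char *b = utf8_to_local_string(bad);
    printf("good -> %s\n", a ? a : "(NULL)");
    printf("bad  -> %s\n", b ? b : "(NULL: rejected as invalid UTF-8, no crash)");
    free(a);
    free(b);
    return 0;
}
```

A caller that receives NULL from the guarded version must itself decide what to do; in the patch above that decision is `return PK_ERR` in do_string, while a friendlier choice is to keep the non-Unicode name the archive already carries.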