Your message dated Tue, 02 Aug 2022 17:22:16 +0000
with message-id <e1oivay-00boa5...@fasolo.debian.org>
and subject line Bug#1010355: fixed in unzip 6.0-27
has caused the Debian Bug report #1010355,
regarding unzip: CVE-2022-0529 CVE-2022-0530
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

  $ unzip testcase-0530 
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
  error:  zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

  $ unzip testcase-0530
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
  
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥:
  mismatching "local" filename 
(mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
           continuing with "central" filename version
     skipping: 
mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥
  unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.

I'm attaching a proposed patch that adds the missing error handling.


Enrico


-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.8-4
ii  libc6       2.31-13+deb11u3

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-12

-- no debconf information
diff --git a/fileio.c b/fileio.c
index 6290824..77e4b5f 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option)   /* return PK-type 
error code */
                   /* convert UTF-8 to local character set */
                   fn = utf8_to_local_string(G.unipath_filename,
                                             G.unicode_escape_all);
+                  if (fn == NULL)
+                    return PK_ERR;
+
                   /* make sure filename is short enough */
                   if (strlen(fn) >= FILNAMSIZ) {
                     fn[FILNAMSIZ - 1] = '\0';
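Review bot: the new `return PK_ERR;` leaves do_string before the remainder of the UTF-8 path runs, and nothing in the visible context shows who owns `G.unipath_filename` or whether anything allocated earlier in this function is released on this path, so please confirm no memory is leaked when the conversion fails; an `Info()` diagnostic alongside the bare error code would also tell the user that this entry's name was rejected as invalid UTF-8 rather than failing silently. Separately, the hunk header at `@@ -2361,6 +2361,9 @@` has been wrapped by the mailer so that `error code */` sits on its own line, which `patch` will treat as malformed; the patch should be attached rather than pasted inline, or sent with line wrapping disabled.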
diff --git a/process.c b/process.c
index d2a846e..715bc0f 100644
--- a/process.c
+++ b/process.c
@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
   int escape_all;
 {
   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+    return NULL;
   char *loc = wide_to_local_string(wide, escape_all);
   free(wide);
   return loc;
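
Review bot: the inserted `if (wide == NULL) return NULL;` now sits between the declarations of `wide` and `loc`, so `char *loc = wide_to_local_string(wide, escape_all);` becomes a declaration after a statement; that is valid C99, but the surrounding unzip sources are C89-style, so declare `char *loc;` at the top and assign it after the check to keep older compilers and `-pedantic` builds happy. Since utf8_to_local_string can now return NULL, every caller needs the check that the fileio.c hunk adds to do_string; any other call site in the tree should get the same treatment in this patch.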

--- End Message ---
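The failure mode the report describes, as an added illustration in C (not unzip's code and not the attached patch): a UTF-8 to wide conversion that returns NULL on malformed input, paired with a caller that checks the result before using it and propagates an error code, as do_string does with PK_ERR. All names here (`utf8_to_wide`, `wide_to_local`, `utf8_to_local_checked`, `handle_entry`, `zwchar_t`) are hypothetical stand-ins modelled on the functions named in the report, and the sample filenames are constructed.

```c
/* Added illustration, not unzip's own code. The function names and the
 * zwchar_t type are hypothetical stand-ins for the unzip functions named
 * in the bug report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long zwchar_t;   /* hypothetical wide character type */

/* Decode one UTF-8 sequence at s into *out. Returns its byte length, or 0 if
 * the sequence is malformed (bad lead byte, truncated, overlong, surrogate,
 * or above U+10FFFF). A NUL in a continuation slot fails the 10xxxxxx test,
 * so a string cut off mid-sequence is rejected without reading past it. */
static size_t decode_one(const unsigned char *s, zwchar_t *out)
{
    unsigned char c = s[0];
    size_t len;
    zwchar_t cp;

    if (c < 0x80) { *out = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
    else return 0;                                  /* stray continuation or 0xF8..0xFF */

    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;        /* truncated or bad continuation */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000)) return 0;       /* overlong encoding */
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;     /* UTF-16 surrogate */
    if (cp > 0x10FFFF) return 0;                    /* beyond Unicode */
    *out = cp;
    return len;
}

/* UTF-8 -> NUL-terminated wide string. Returns a malloc'd buffer, or NULL on
 * malformed input or allocation failure. This NULL is what the original
 * caller in the report dereferenced without checking. */
zwchar_t *utf8_to_wide(const char *utf8)
{
    size_t n = strlen(utf8), w = 0;
    zwchar_t *wide = malloc((n + 1) * sizeof *wide); /* at most one code point per byte */
    const unsigned char *p = (const unsigned char *)utf8;
    if (wide == NULL) return NULL;
    while (*p) {
        size_t adv = decode_one(p, &wide[w]);
        if (adv == 0) { free(wide); return NULL; }
        p += adv;
        w++;
    }
    wide[w] = 0;
    return wide;
}

/* Wide -> "local" string, here ASCII with everything else escaped as #Uxxxx.
 * Returns NULL on allocation failure. */
char *wide_to_local(const zwchar_t *wide)
{
    size_t n = 0;
    for (const zwchar_t *p = wide; *p; p++) n++;
    char *loc = malloc(n * 8 + 1);                  /* worst case "#U10FFFF" per char */
    char *q = loc;
    if (loc == NULL) return NULL;
    for (const zwchar_t *p = wide; *p; p++) {
        if (*p < 0x80) *q++ = (char)*p;
        else q += sprintf(q, "#U%04lX", *p);
    }
    *q = '\0';
    return loc;
}

/* The pattern the patch introduces: check the intermediate result instead of
 * handing a possible NULL to the next conversion step. */
char *utf8_to_local_checked(const char *utf8)
{
    zwchar_t *wide = utf8_to_wide(utf8);
    char *loc;
    if (wide == NULL)
        return NULL;                                /* the check the original code lacked */
    loc = wide_to_local(wide);
    free(wide);
    return loc;
}

/* Hypothetical entry handler: copies the converted name into out and returns
 * 0, or returns -1 when the stored name is not valid UTF-8 (the analogue of
 * do_string returning PK_ERR). */
int handle_entry(const char *stored_name, char *out, size_t outsz)
{
    char *fn = utf8_to_local_checked(stored_name);
    if (fn == NULL)
        return -1;
    snprintf(out, outsz, "%s", fn);
    free(fn);
    return 0;
}

int main(void)
{
    char buf[256];
    /* constructed inputs: a valid name containing U+00E9, and the same name
     * cut off after the lead byte of that character */
    const char *good = "workdir/caf\xC3\xA9.txt";
    const char *bad  = "workdir/caf\xC3";
    printf("%d %s\n", handle_entry(good, buf, sizeof buf), buf);
    printf("%d (invalid UTF-8 rejected, no dereference)\n",
           handle_entry(bad, buf, sizeof buf));
    return 0;
}
```

The point of the split is that the first conversion is the only place that knows the input was malformed; once it signals that with NULL, each layer above must test for it, which is exactly the check missing from utf8_to_local_string in the report.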
--- Begin Message ---
Source: unzip
Source-Version: 6.0-27
Done: Santiago Vila <sanv...@debian.org>

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Aug 2022 19:05:00 +0200
Source: unzip
Architecture: source
Version: 6.0-27
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 1010355
Changes:
 unzip (6.0-27) unstable; urgency=medium
 .
   * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530.
   - Fix null pointer dereference on invalid UTF-8 input.
   - Fix wide string conversion in process.c.
     Closes: #1010355.
Checksums-Sha1:
 d075f9b62c6033a4e1724239d305ea56f4f13d3f 1351 unzip_6.0-27.dsc
 b525844c96ffa0705f8dfc741f89a51976b1d3ed 24980 unzip_6.0-27.debian.tar.xz
 0d2533950c468fec6bd633b444b9a4ee7b4b9846 5240 unzip_6.0-27_source.buildinfo
Checksums-Sha256:
 e8cfa689ee6b99aefaec32985dee849d4b3308d9ae1f01ca36bea5f496cb8f1d 1351 unzip_6.0-27.dsc
 67bde7c71d52afd61aa936d4415c8d12fd90ca26e9637a3cd67cae9b71298c12 24980 unzip_6.0-27.debian.tar.xz
 3b4f31ae7eccea9a5b92cb7ac548777b5d9568af3de00697104d9a5a3542dbaf 5240 unzip_6.0-27_source.buildinfo
Files:
 9f047f40b1a89f90507e6754a805639a 1351 utils optional unzip_6.0-27.dsc
 637ad38fe0455dbabd7e2b21659a5224 24980 utils optional unzip_6.0-27.debian.tar.xz
 cebc74e9e7a066a46b7da3fa00b85743 5240 utils optional unzip_6.0-27_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAmLpWpEACgkQQc5/C58b
izIy+gf9Fsqk02iUU6+SKHJYfXi8twiJAl60Fx6psPecErSgUO5PTArEnNiJDrkX
gxOLw9wkEH+jE4TdB+feMtIj2/SP5BrAY8Nlb5b6Vm8z9i77Qwc6Ju6phNywK7qO
Vv6GkgwzD4q4o2By0dT1hG+dqmNWa8hZ/ieJKmHqDOadTpCFczW6dSxgOLZKIKUi
k73VzsJBbXqnUjLrqyvG+CwlC+qfKX0DekhCCgSi2Lrj+P7Fc7zDdcBeqAzSzxbE
nfEWBXybRrnKW+rakpom2vYFfJEedJIsEnc7nnwpbAQ5bgHXdututeil/9k1K2DI
/cDRcnUs9cxhcLSuvMbPXDl5/Ni+Ig==
=2kmb
-----END PGP SIGNATURE-----

--- End Message ---
