CVE-2022-0530: null pointer dereference on invalid UTF-8 input


Debian Bug report logs - #1010355


Package: unzip; Maintainer for unzip is Santiago Vila <sanvila@debian.org>; Source for unzip is src:unzip (PTS, buildd, popcon).

Reported by: Enrico Zini <enrico@debian.org>

Date: Fri, 29 Apr 2022 11:39:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version unzip/6.0-21+deb9u2



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#1010355; Package unzip. (Fri, 29 Apr 2022 11:39:04 GMT)


Acknowledgement sent to Enrico Zini <enrico@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Fri, 29 Apr 2022 11:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Enrico Zini <enrico@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Date: Fri, 29 Apr 2022 13:27:33 +0200
Package: unzip
Version: 6.0-21+deb9u2
Severity: serious
Tags: security upstream patch
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Fixed: 6.0-26

Hello,

details are at https://security-tracker.debian.org/tracker/CVE-2022-0530

stretch and buster segfault:

  $ unzip testcase-0530 
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
  error:  zipfile probably corrupt (segmentation violation)

bullseye errors out without valgrind issues reported:

  $ unzip testcase-0530
  Archive:  testcase-0530
  warning [testcase-0530]:  16 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  error [testcase-0530]:  reported length of central directory is
    -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
    zipfile?).  Compensating...
  mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥:  mismatching "local" filename (mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b6881PK^G^HQ�V�^Q),
           continuing with "central" filename version
     skipping: mp/zip-unzip-0/7/source/workdir/������6a9f01ad36a4ac3b68815bf6f83b3ff_inpu㉴�����瑥  unable to get password

The main issue here seems to be at utf8_to_local_string, defined in
process.c:2606, which doesn't check the result of utf8_to_wide_string
for a NULL value.

I'm attaching a proposed patch that adds the missing error handling.


Enrico


-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.8-4
ii  libc6       2.31-13+deb11u3

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-12

-- no debconf information
[CVE-2022-0530.patch (text/plain, attachment)]
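As an added illustration of the bug class the report describes (not the attached patch and not unzip's own code): a hypothetical decoder utf8_to_wide that, like the report says utf8_to_wide_string does, returns NULL on malformed UTF-8, and a hypothetical caller utf8_to_local_checked that tests that result before touching it instead of dereferencing NULL. Function names and signatures here are assumptions, not unzip's.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for unzip's utf8_to_wide_string: decodes UTF-8 into a
 * 0-terminated code point array, returning NULL on any malformed sequence. */
unsigned long *utf8_to_wide(const char *s)
{
    size_t n = strlen(s), i = 0, o = 0;
    unsigned long *out = malloc((n + 1) * sizeof *out);
    if (out == NULL) return NULL;
    while (i < n) {
        unsigned char c = (unsigned char)s[i];
        unsigned long cp;
        size_t len, k;
        if (c < 0x80)                { len = 1; cp = c; }
        else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
        else { free(out); return NULL; }             /* invalid lead byte */
        if (i + len > n) { free(out); return NULL; } /* truncated sequence */
        for (k = 1; k < len; k++) {
            unsigned char cc = (unsigned char)s[i + k];
            if ((cc & 0xC0) != 0x80) { free(out); return NULL; } /* bad continuation */
            cp = (cp << 6) | (cc & 0x3F);
        }
        out[o++] = cp; i += len;
    }
    out[o] = 0;
    return out;
}

/* Hypothetical hardened counterpart of utf8_to_local_string. The NULL check on
 * the decoder result is the one the report says was missing; non-ASCII code
 * points become '?' since only the control flow matters here. */
char *utf8_to_local_checked(const char *s)
{
    size_t n = strlen(s), i;
    unsigned long *wide = utf8_to_wide(s);
    char *local = malloc(n + 1);   /* code points never outnumber input bytes */
    if (local == NULL) { free(wide); return NULL; }
    if (wide == NULL) {            /* malformed UTF-8: fall back to the raw bytes */
        for (i = 0; i < n; i++) local[i] = ((unsigned char)s[i] < 0x80) ? s[i] : '?';
        local[n] = '\0';
        return local;
    }
    for (i = 0; wide[i] != 0; i++) local[i] = (wide[i] < 0x80) ? (char)wide[i] : '?';
    local[i] = '\0';
    free(wide);
    return local;
}
```

The fallback branch is what the garbled filenames in the bullseye output above would take: a stray 0xFF-style byte or a truncated multibyte sequence makes the decoder return NULL, and the caller must handle that rather than index through it.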

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#1010355; Package unzip. (Fri, 29 Apr 2022 11:48:02 GMT)


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 29 Apr 2022 11:48:02 GMT)


Message #10 received at 1010355@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Enrico Zini <enrico@debian.org>, 1010355@bugs.debian.org
Subject: Re: Bug#1010355: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Date: Fri, 29 Apr 2022 13:44:08 +0200
On 29/4/22 at 13:27, Enrico Zini wrote:
> Package: unzip
> Version: 6.0-21+deb9u2
> Severity: serious
> Tags: security upstream patch
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Thanks for the report. I would have preferred to reopen the already 
existing one, but never mind (I asked the security team a few weeks ago if 
there was already a CVE for this but got no reply).

I'll make uploads for stretch and bullseye.

Thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#1010355; Package unzip. (Fri, 29 Apr 2022 12:33:02 GMT)


Acknowledgement sent to Enrico Zini <enrico@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 29 Apr 2022 12:33:02 GMT)


Message #15 received at 1010355@bugs.debian.org:

From: Enrico Zini <enrico@debian.org>
To: 1010355@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: CVE-2022-0530: null pointer dereference on invalid UTF-8 input
Date: Fri, 29 Apr 2022 14:25:11 +0200
notfixed 6.0-26

Correction: the issue also affects 6.0-26, but is only reproducible
after export LANG=C


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 29 13:11:25 2022; Machine Name: bembo
