Accepting request 1005199 from home:dspinella:branches:Archiving

- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string to a local string (CVE-2022-0530, bsc#1196177) * CVE-2022-0530.patch - Fix CVE-2022-0529, Heap out-of-bound writes and reads during conversion of wide string to local string (CVE-2022-0529, bsc#1196180) * CVE-2022-0529.patch OBS-URL: https://build.opensuse.org/request/show/1005199 OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=58
2022-09-21 12:52:47 +00:00 · 2022-09-21 12:52:47 +00:00 · d7c16d7fbb
commit d7c16d7fbb
parent dd23dcea8b
5 changed files with 83 additions and 2 deletions
--- a/CVE-2022-0529.patch
+++ b/CVE-2022-0529.patch
@ -0,0 +1,37 @@
+From: Enrico Zini <enrico@debian.org>
+Subject: Fix wide string conversion
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/process.c
+++ b/process.c
+@@ -2507,13 +2507,15 @@
+   char buf[9];
+   char *buffer = NULL;
+   char *local_string = NULL;
+  size_t buffer_size;
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+ 
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2552,7 +2554,11 @@
+       /* no MB for this wide */
+         /* use escape for wide character */
+         char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
+        size_t buffer_len = strlen(buffer);
+        size_t escape_string_len = strlen(escape_string);
+        if (buffer_len + escape_string_len + 1 > buffer_size)
+          escape_string_len = buffer_size - buffer_len - 1;
+        strncat(buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
--- a/CVE-2022-0530.patch
+++ b/CVE-2022-0530.patch
@ -0,0 +1,28 @@
+From: Enrico Zini <enrico@debian.org>
+Subject: Fix null pointer dereference on invalid UTF-8 input
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/fileio.c
+++ b/fileio.c
+@@ -2361,6 +2361,9 @@
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+                  if (fn == NULL)
+                    return PK_ERR;
+
+                   /* make sure filename is short enough */
+                   if (strlen(fn) >= FILNAMSIZ) {
+                     fn[FILNAMSIZ - 1] = '\0';
+--- a/process.c
+++ b/process.c
+@@ -2611,6 +2611,8 @@
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (wide == NULL)
+    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
--- a/unzip-rcc.spec
+++ b/unzip-rcc.spec
@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
--- a/unzip.changes
+++ b/unzip.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep 21 09:27:59 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
+  to a local string (CVE-2022-0530, bsc#1196177)
+  * CVE-2022-0530.patch
+- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
+  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
+  * CVE-2022-0529.patch
+
 -------------------------------------------------------------------
 Thu Sep  9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

--- a/unzip.spec
+++ b/unzip.spec
@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -61,6 +61,10 @@ Patch20:        Fix-CVE-2014-9636-unzip-buffer-overflow.patch
 Patch21:        unzip60-total_disks_zero.patch
 Patch22:        unzip60-cfactorstr_overflow.patch
 Patch23:        unzip-initialize-the-symlink-flag.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177
+Patch24:        CVE-2022-0530.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0529 bsc#1196180
+Patch25:        CVE-2022-0529.patch
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Recommends:     %{_name}-doc
@ -109,6 +113,8 @@ functionality. This version can also extract encrypted archives.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
+%patch25 -p1

 %build
 export RPM_OPT_FLAGS="%{optflags} \